
AbuseIPDB analyzer creation #353

Closed
mlodic opened this Issue Oct 11, 2018 · 15 comments


mlodic commented Oct 11, 2018

Request Type

Analyzer

Description

AbuseIPDB analyzer to determine whether or not an IP was reported as malicious by AbuseIPDB -> https://www.abuseipdb.com/

Possible Solutions

I'm working on the creation of the analyzer


ilyaglow commented Dec 28, 2018

Any updates? That would be a great addition.


mlodic commented Jan 3, 2019

Sorry for coming late, I have just sent a pull request a few moments ago: #400


Tux-Panik commented Jan 4, 2019

Oh shit... I was working on it :-/


Tux-Panik commented Jan 4, 2019

@mlodic,
I just tested your code and it doesn't work on my side.
I reach the following "failure" status in Cortex:

{
  "errorMessage": "Invalid output\n",
  "input": null,
  "success": false
}

Does it work for you?

Moreover, would it be relevant to play with the "abuseConfidenceScore" field present in the output to improve the Analyzer's answer?


nadouani commented Jan 4, 2019

@mlodic yes, I think that the logging statements are the reason why the analyzer output is not valid JSON.


mlodic commented Jan 4, 2019

I have just pushed a little change to improve error handling cases, tell me if it's better now.

About the "abuseConfidenceScore", I think that it should not change the "summary" result in any way. You risk missing interesting reports if you set a threshold. Most people who send reports to AbuseIPDB do not move that score at all.
However, that is questionable: for this reason, that field is available in the "full" section. This means that, if you want, you can take advantage of that field to perform further processing.
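Added example, not code from PR #400 or from the Cortex-Analyzers project, illustrating the two points raised in this thread: why stray logging on stdout makes Cortex answer with "Invalid output" (Cortex JSON-parses whatever the analyzer prints), and a summary that only states whether the IP has reports at all while leaving abuseConfidenceScore untouched under "full" for downstream use. The sample response is constructed: only abuseConfidenceScore is named in the thread, the other keys, the documentation IPs and the taxonomy labels are assumptions. The report shape (success/summary/full with a taxonomies list) follows the usual Cortex analyzer convention.

```python
"""Cortex analyzer output hygiene: stdout must carry nothing but the JSON report."""
import io
import json
import logging

# The failure status quoted earlier in the thread, as Cortex returns it.
CORTEX_INVALID_OUTPUT = {"errorMessage": "Invalid output\n", "input": None, "success": False}

# Constructed sample of an AbuseIPDB check result for a documentation IP (TEST-NET-2).
# Only abuseConfidenceScore is mentioned in the thread; the other keys are assumed.
SAMPLE_RESPONSE = {
    "ipAddress": "198.51.100.7",
    "abuseConfidenceScore": 12,
    "totalReports": 3,
    "reports": [
        {"comment": "SSH brute force", "categories": [18, 22]},
        {"comment": "Port scan", "categories": [14]},
        {"comment": "Spam", "categories": [11]},
    ],
}


def build_report(data):
    """Build a Cortex-style report: a short summary plus the untouched full response.

    The summary only says whether the IP has been reported at all. abuseConfidenceScore
    is deliberately not used as a threshold (most reporters leave it at 0, as noted in
    the thread); it stays available under "full" for further processing.
    """
    reports = data.get("reports") or []
    total = data.get("totalReports", len(reports))
    reported = total > 0 or bool(reports)
    taxonomy = {
        "level": "malicious" if reported else "safe",  # assumed labels
        "namespace": "AbuseIPDB",
        "predicate": "Records",
        "value": str(total),
    }
    return {"success": True, "summary": {"taxonomies": [taxonomy]}, "full": data}


def run_analyzer(data, log_to_stdout):
    """Simulate the analyzer process; return (stdout, stderr) as Cortex would see them.

    log_to_stdout=True reproduces the bug discussed above: a debug line lands in
    front of the JSON document. The fix is simply to send diagnostics to stderr.
    """
    stdout, stderr = io.StringIO(), io.StringIO()
    log = logging.getLogger("abuseipdb_example")
    log.setLevel(logging.DEBUG)
    log.propagate = False
    handler = logging.StreamHandler(stdout if log_to_stdout else stderr)
    log.addHandler(handler)
    try:
        log.debug("querying AbuseIPDB for %s", data["ipAddress"])
        stdout.write(json.dumps(build_report(data)))
    finally:
        log.removeHandler(handler)
    return stdout.getvalue(), stderr.getvalue()


def cortex_parse(stdout_text):
    """What Cortex does with the analyzer's stdout: parse it as JSON or fail the job."""
    try:
        return json.loads(stdout_text)
    except ValueError:
        return dict(CORTEX_INVALID_OUTPUT)


if __name__ == "__main__":
    for to_stdout in (True, False):
        out, _ = run_analyzer(SAMPLE_RESPONSE, to_stdout)
        where = "stdout" if to_stdout else "stderr"
        print("logging to %s -> success=%s" % (where, cortex_parse(out)["success"]))
```

Running the block prints the two outcomes side by side: with the debug line on stdout Cortex fails the job with exactly the error quoted above, with it on stderr the report is accepted and the score is still reachable as full.abuseConfidenceScore.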


Tux-Panik commented Jan 4, 2019

I'm sorry, I can't see any change.
Latest commit 'e13f956d49f3c45ed28b593156626f2b7492f372' 1 day ago...

Thanks for your feedback,
Regards,
Julien


mlodic commented Jan 4, 2019

I don't know where you got that hash; go through this pull request: #400


Tux-Panik commented Jan 4, 2019

I directly went to the forked repository:
https://github.com/mlodic/Cortex-Analyzers/tree/master/analyzers/AbuseIPDB

However, using the PR #400 (here) I still have the same issue:

{
  "errorMessage": "Invalid output\n",
  "input": null,
  "success": false
}

Let me know if you need additional tests!
Thanks,
Regards,


mlodic commented Jan 4, 2019

My commits are in the "develop" branch, not in "master"; that is why you did not see the changes.

Could you provide some context on your error message, because on my side I cannot replicate your issue. Try/except clauses should manage all cases.

If you can, try this commit a20ce52f683acd67705743c13aca431944a40c81 and let me know.
Thanks


Tux-Panik commented Jan 7, 2019

As promised, here is my feedback:

  • Cortex version: 2.1.3-1 (Docker)
  • python3 version: Python 3.4.9
  • pwd: /opt/cortex/Cortex-Analyzers/analyzers/AbuseIPDB
  • hash values: md5sum *
    cbea15927277b6f6b2a401bbdf9f25ab AbuseIPDB.json
    9ecf5e8e50a9a93091c1d1229f5cf5b7 abuseipdb.py
    57bf4fd7812a6a5f58a16db373c64c43 requirements.txt

[screenshots of the analyzer run]

It works!

[screenshot of the result]

Thanks and congratulations...
Regards,


mlodic commented Jan 7, 2019

Thanks for your help!


Tux-Panik commented Feb 8, 2019

@nadouani Any chance to add this new analyzer to the existing ones?
Thanks.

@saadkadhi saadkadhi added this to the 1.16.0 milestone Feb 11, 2019

@3c7 3c7 self-assigned this Feb 13, 2019


jeromeleonard commented Mar 23, 2019

Template is ready, see #425.

jeromeleonard added a commit that referenced this issue Mar 23, 2019

