

BUG: reverse dns expert: ignore all invalid results
fixes #1264
Sebastian Wagner committed Jul 2, 2018
1 parent 35b7009 commit 60d5680
Showing 4 changed files with 34 additions and 10 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -15,6 +15,7 @@ CHANGELOG
#### Parsers

#### Experts
- Reverse DNS Expert: ignore all invalid results and use first valid one (#1264).

#### Outputs

5 changes: 4 additions & 1 deletion docs/Bots.md
Expand Up @@ -676,6 +676,8 @@ If the rule is a string, a regex-search is performed, also for numeric values (`

### Reverse DNS

For both `source.ip` and `destination.ip` the PTR record is fetched and the first valid result is used for `source.reverse_dns`/`destination.reverse_dns`.

#### Information:
* `name:` reverse-dns
* `lookup:` dns
Expand All @@ -685,7 +687,8 @@ If the rule is a string, a regex-search is performed, also for numeric values (`

#### Configuration Parameters:

FIXME
* **Cache parameters** (see above)
* `cache_ttl_invalid_response`: The TTL for cached invalid responses.

* * *

22 changes: 14 additions & 8 deletions intelmq/bots/experts/reverse_dns/expert.py
Expand Up @@ -14,6 +14,10 @@
DNS_EXCEPTION_VALUE = "__dns-exception"


class InvalidPTRResult(ValueError):
pass


class ReverseDnsExpertBot(Bot):

def init(self):
Expand Down Expand Up @@ -57,19 +61,21 @@ def process(self):
else:
rev_name = reversename.from_address(ip)
try:
result = resolver.query(rev_name, "PTR")
expiration = result.expiration
result = result[0]

if str(result) == '.':
result = None
raise ValueError
except (dns.exception.DNSException, ValueError) as e:
results = resolver.query(rev_name, "PTR")
expiration = results.expiration
for result in results:
# use first valid result
if event.is_valid('source.reverse_dns', str(result)):
break
else:
raise InvalidPTRResult
except (dns.exception.DNSException, InvalidPTRResult) as e:
# Set default TTL for 'DNS query name does not exist' error
ttl = None if isinstance(e, dns.resolver.NXDOMAIN) else \
getattr(self.parameters, "cache_ttl_invalid_response",
60)
self.cache.set(cache_key, DNS_EXCEPTION_VALUE, ttl)
result = None

else:
ttl = datetime.fromtimestamp(expiration) - datetime.now()
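Review bot: The validity check at `if event.is_valid('source.reverse_dns', str(result)):` is hard-coded to the source key even though, per the docs change in this commit, the same loop serves `destination.ip` lookups; this presumably works today because both reverse_dns fields share one harmonization type, but the check should use the key the result is actually written to, which is assigned outside this hunk. The `for/else` is easy to misread, so the `else:` branch deserves a comment such as `# every PTR record failed validation`. PTR content is chosen by whoever controls the reverse zone, so it is worth stating on the loop that `is_valid` is the only filter before the value is stored: `# PTR data is third-party controlled; accept only harmonization-valid names`. `InvalidPTRResult` in the first hunk has no docstring; `"""Raised when no PTR record passes validation."""` would do. The enclosing `process` starts outside the hunk.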
16 changes: 15 additions & 1 deletion intelmq/tests/bots/experts/reverse_dns/test_expert.py
Expand Up @@ -29,13 +29,22 @@
"time.observation": "2015-01-01T00:00:00+00:00",
}
INVALID_PTR_INP = {"__type": "Event",
"source.ip": "31.210.115.39", # PTR is .
"source.ip": "31.210.115.39", # PTR is '.'
"time.observation": "2015-01-01T00:00:00+00:00",
}
INVALID_PTR_OUT = {"__type": "Event",
"source.ip": "31.210.115.39",
"time.observation": "2015-01-01T00:00:00+00:00",
}
INVALID_PTR_INP2 = {"__type": "Event",
"source.ip": "5.157.80.221", # PTR is '5.157.80.221.' and 'aliancys.peopleinc.nl.'
"time.observation": "2015-01-01T00:00:00+00:00",
}
INVALID_PTR_OUT2 = {"__type": "Event",
"source.ip": "5.157.80.221",
"source.reverse_dns": "aliancys.peopleinc.nl",
"time.observation": "2015-01-01T00:00:00+00:00",
}


@test.skip_redis()
Expand Down Expand Up @@ -65,6 +74,11 @@ def test_invalid_ptr(self):
self.run_bot()
self.assertMessageEqual(0, INVALID_PTR_OUT)

def test_invalid_ptr2(self):
self.input_message = INVALID_PTR_INP2
self.run_bot()
self.assertMessageEqual(0, INVALID_PTR_OUT2)


if __name__ == '__main__': # pragma: no cover
unittest.main()
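Review bot: `test_invalid_ptr2` asserts that a live PTR lookup of `5.157.80.221` yields exactly `aliancys.peopleinc.nl`, so the test depends on a third-party reverse zone that can change or disappear at any time; the expected value in `INVALID_PTR_OUT2` should be marked as a snapshot, e.g. `# expected value reflects the PTR records at the time of writing (July 2018)`, so a later failure reads as fixture drift rather than a regression. Whether the test class is skipped without network access cannot be seen here, since the class header and its decorators are outside the hunk. A one-line comment on the test itself would also help the reader: `# two PTR records, only the second is a valid FQDN; the bot must pick that one`.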
