tor_lookup pipeline function always returns false #115
Comments
@mudrunkar Please provide the full pipeline rule calling the |
I use the following function:
|
I'm having a similar issue, but just by looking at your example and at the examples for the plugin, the tor_lookup in the set_field needs to look like set_field("tor_lookup", tor_lookup.threat_indicated); |
@joschi I've been looking at
In a way it almost appears to bypass the if/else statement and falls to the default GenericLookupResult.False value.
|
I can confirm, tor_lookup always fails. Also, when you query the dataset it does not return true when found; it returns what looks like a hash. Tor failed lookup:
|
When querying Tor, it'll respond as false when not found, and returns a hash when found. |
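The behaviour reported in the two comments above (the adapter answers false for an address that is not an exit node and an opaque hash-like string for one that is, after which the result falls through to the default GenericLookupResult.False), modelled as an added Python example. This is not the plugin's code: the adapter table, the IP addresses, the hash strings and the assumption that the broken check compares the raw value against a boolean are all constructed for illustration.

```python
# Added example, not the Graylog threat-intel plugin's code. It models the
# failure mode described in this issue: the data adapter is assumed to
# answer "false" for an address that is not a Tor exit node and an opaque
# hash-like string for one that is. All sample values below are constructed.
from typing import Dict, Optional

# Constructed stand-in for the Tor exit-node data adapter's answers.
SAMPLE_ADAPTER = {
    "198.51.100.7": "3f0a9c1e5b7d2c4a",  # constructed: listed as an exit node
    "203.0.113.9": "false",              # constructed: not an exit node
}


def adapter_query(ip: str) -> Optional[str]:
    """Return the (constructed) adapter's raw answer, or None if absent."""
    return SAMPLE_ADAPTER.get(ip)


def tor_lookup_broken(ip: str) -> Dict[str, bool]:
    """Assumed shape of the bug: the raw value is compared with boolean True,
    which a string never equals, so every lookup falls through to the
    default False result regardless of what the adapter returned."""
    value = adapter_query(ip)
    if value is True:
        return {"threat_indicated": True}
    return {"threat_indicated": False}  # default GenericLookupResult.False


def tor_lookup_fixed(ip: str) -> Dict[str, bool]:
    """Treat the adapter's textual 'false' (or a missing entry) as a
    negative and any other value, such as the hash-like string, as a hit."""
    value = adapter_query(ip)
    indicated = value is not None and value.strip().lower() != "false"
    return {"threat_indicated": indicated}


if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.9", "192.0.2.1"):
        print(ip, "broken:", tor_lookup_broken(ip), "fixed:", tor_lookup_fixed(ip))
```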
Comparing both Tor and abuse.ch lookup functions it looks like this may need to be changed to
|
This is still an issue in the latest 2.4.6 version (at least in the Ubuntu package). The intended functionality is unusable in its current state. |
Thank you for all of the details. We are investigating this issue. |
Too bad that a fix for this issue has not made it into 2.5. Is that really such a complex issue? Any pointer on where this should be fixed so we can take a shot at it? |
Hi @stamfest, We have been investigating the issue this week and are making good progress in understanding why this is failing. I expect to have more info very soon. |
@stamfest @ion-storm @mudrunkar @swelcher We have confirmed that this issue is occurring due to a bug. The bug will be fixed in Graylog version 3.0, which will be released next month. |
Will it not be fixed in 2.4/2.5? |
Hi @mudrunkar @stamfest @ion-storm @dio99,
See this docs page for general instructions for setting up a lookup table. Please note that you may need to also enable Tor Lookups in System > Configurations > Threat Intelligence Lookup Configuration > Tor Exit Nodes. |
complains about function join in Graylog version 2.5 |
Expected Behavior
I tested the pipeline function tor_lookup with several Tor exit nodes' addresses, but all I got was {"threat_indicated":false} as a response. Does it work for anyone?
Current Behavior
Only a negative response {"threat_indicated":false} is returned as the result of the Tor lookup; there is no error message in the log.
Possible Solution
Steps to Reproduce (for bugs)
I tested the lookup function with the following IP addresses, where I would expect a positive Tor lookup result:
but I got false in case of all of these IP addresses.
Pipeline function used:
Does the (now built-in) tor lookup plugin work for someone? Maybe I'm doing something wrong?
Context
Your Environment