Java errors generated if blank IP passed to threat_intel_lookup_ip() #96

sirbod2005 opened this issue Feb 28, 2018 · 2 comments
sirbod2005 commented Feb 28, 2018

Rather than silently fail, it generates the following error:

2018-02-28_09:56:59.70230 WARN  [GuavaLookupCache] Loading value from data adapter failed for key LookupCacheKey{prefix=5a744159feb4db438cb83524, key=}, returning empty result
2018-02-28_09:56:59.70276 java.util.concurrent.ExecutionException: java.lang.IllegalArgumentException: Could not parse []
2018-02-28_09:56:59.70353 	at org.graylog2.lookup.caches.GuavaLookupCache$InstrumentedCache.get(GuavaLookupCache.java:243) ~[graylog.jar:?]
2018-02-28_09:56:59.70396 	at org.graylog2.lookup.caches.GuavaLookupCache.get(GuavaLookupCache.java:104) ~[graylog.jar:?]
2018-02-28_09:56:59.70472 	at org.graylog2.lookup.LookupTable.lookup(LookupTable.java:72) ~[graylog.jar:?]
2018-02-28_09:56:59.70517 	at org.graylog2.lookup.LookupTableService$Function.lookup(LookupTableService.java:534) ~[graylog.jar:?]
2018-02-28_09:56:59.70620 	at org.graylog.plugins.threatintel.functions.spamhaus.SpamhausIpLookupFunction.evaluate(SpamhausIpLookupFunction.java:43) ~[?:?]
2018-02-28_09:56:59.70664 	at org.graylog.plugins.threatintel.functions.spamhaus.SpamhausIpLookupFunction.evaluate(SpamhausIpLookupFunction.java:16) ~[?:?]
2018-02-28_09:56:59.70693 	at org.graylog.plugins.threatintel.functions.global.AbstractGlobalLookupFunction.lambda$matchEntityAgainstFunctions$2(AbstractGlobalLookupFunction.java:44) ~[?:?]
2018-02-28_09:56:59.70824 	at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193) ~[?:1.8.0_161]
2018-02-28_09:56:59.70868 	at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:175) ~[?:1.8.0_161]
2018-02-28_09:56:59.70944 	at java.util.Collections$UnmodifiableMap$UnmodifiableEntrySet.lambda$entryConsumer$0(Collections.java:1575) ~[?:1.8.0_161]
2018-02-28_09:56:59.70982 	at java.util.Iterator.forEachRemaining(Iterator.java:116) [?:1.8.0_161]
2018-02-28_09:56:59.71010 	at java.util.Spliterators$IteratorSpliterator.forEachRemaining(Spliterators.java:1801) [?:1.8.0_161]
2018-02-28_09:56:59.71075 	at java.util.Collections$UnmodifiableMap$UnmodifiableEntrySet$UnmodifiableEntrySetSpliterator.forEachRemaining(Collections.java:1600) [?:1.8.0_161]
2018-02-28_09:56:59.71124 	at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481) [?:1.8.0_161]
2018-02-28_09:56:59.71208 	at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) [?:1.8.0_161]
2018-02-28_09:56:59.71244 	at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708) [?:1.8.0_161]
2018-02-28_09:56:59.71274 	at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) [?:1.8.0_161]
2018-02-28_09:56:59.71358 	at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499) [?:1.8.0_161]
2018-02-28_09:56:59.71382 	at org.graylog.plugins.threatintel.functions.global.AbstractGlobalLookupFunction.matchEntityAgainstFunctions(AbstractGlobalLookupFunction.java:48) [graylog-plugin-threatintel-2.4.3.jar:?]
2018-02-28_09:56:59.71462 	at org.graylog.plugins.threatintel.functions.global.GlobalIpLookupFunction.evaluate(GlobalIpLookupFunction.java:61) [graylog-plugin-threatintel-2.4.3.jar:?]
2018-02-28_09:56:59.71514 	at org.graylog.plugins.threatintel.functions.global.GlobalIpLookupFunction.evaluate(GlobalIpLookupFunction.java:23) [graylog-plugin-threatintel-2.4.3.jar:?]
2018-02-28_09:56:59.71590 	at org.graylog.plugins.pipelineprocessor.ast.expressions.FunctionExpression.evaluateUnsafe(FunctionExpression.java:63) [graylog-plugin-pipeline-processor-2.4.3.jar:?]
2018-02-28_09:56:59.71644 	at org.graylog.plugins.pipelineprocessor.ast.expressions.Expression.evaluate(Expression.java:41) [graylog-plugin-pipeline-processor-2.4.3.jar:?]
2018-02-28_09:56:59.71767 	at org.graylog.plugins.pipelineprocessor.ast.statements.VarAssignStatement.evaluate(VarAssignStatement.java:33) [graylog-plugin-pipeline-processor-2.4.3.jar:?]
2018-02-28_09:56:59.71806 	at org.graylog.plugins.pipelineprocessor.ast.statements.VarAssignStatement.evaluate(VarAssignStatement.java:22) [graylog-plugin-pipeline-processor-2.4.3.jar:?]
2018-02-28_09:56:59.71950 	at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.evaluateStatement(PipelineInterpreter.java:377) [graylog-plugin-pipeline-processor-2.4.3.jar:?]
2018-02-28_09:56:59.71989 	at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.executeRuleActions(PipelineInterpreter.java:364) [graylog-plugin-pipeline-processor-2.4.3.jar:?]
2018-02-28_09:56:59.72150 	at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.evaluateStage(PipelineInterpreter.java:305) [graylog-plugin-pipeline-processor-2.4.3.jar:?]
2018-02-28_09:56:59.72209 	at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.processForResolvedPipelines(PipelineInterpreter.java:263) [graylog-plugin-pipeline-processor-2.4.3.jar:?]
2018-02-28_09:56:59.72286 	at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.process(PipelineInterpreter.java:143) [graylog-plugin-pipeline-processor-2.4.3.jar:?]
2018-02-28_09:56:59.72327 	at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.process(PipelineInterpreter.java:99) [graylog-plugin-pipeline-processor-2.4.3.jar:?]
2018-02-28_09:56:59.72416 	at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.handleMessage(ProcessBufferProcessor.java:114) [graylog.jar:?]
2018-02-28_09:56:59.72454 	at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.dispatchMessage(ProcessBufferProcessor.java:100) [graylog.jar:?]
2018-02-28_09:56:59.72544 	at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:77) [graylog.jar:?]
2018-02-28_09:56:59.72663 	at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:42) [graylog.jar:?]
2018-02-28_09:56:59.72747 	at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) [graylog.jar:?]
2018-02-28_09:56:59.72789 	at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
2018-02-28_09:56:59.72942 	at java.lang.Thread.run(Thread.java:748) [?:1.8.0_161]
2018-02-28_09:56:59.72988 Caused by: java.lang.IllegalArgumentException: Could not parse []
2018-02-28_09:56:59.73123 	at org.apache.commons.net.util.SubnetUtils.toInteger(SubnetUtils.java:287) ~[?:?]
2018-02-28_09:56:59.73213 	at org.apache.commons.net.util.SubnetUtils.access$400(SubnetUtils.java:27) ~[?:?]
2018-02-28_09:56:59.73330 	at org.apache.commons.net.util.SubnetUtils$SubnetInfo.isInRange(SubnetUtils.java:125) ~[?:?]
2018-02-28_09:56:59.73391 	at org.graylog.plugins.threatintel.adapters.spamhaus.SpamhausEDROPDataAdapter.lambda$doGet$1(SpamhausEDROPDataAdapter.java:157) ~[?:?]
2018-02-28_09:56:59.74590 	at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) ~[?:1.8.0_161]
2018-02-28_09:56:59.74649 	at java.util.Spliterators$ArraySpliterator.forEachRemaining(Spliterators.java:948) ~[?:1.8.0_161]
2018-02-28_09:56:59.75358 	at java.util.stream.ReferencePipeline$Head.forEach(ReferencePipeline.java:580) ~[?:1.8.0_161]
2018-02-28_09:56:59.76132 	at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:270) ~[?:1.8.0_161]
2018-02-28_09:56:59.76638 	at java.util.stream.StreamSpliterators$WrappingSpliterator.tryAdvance(StreamSpliterators.java:302) ~[?:1.8.0_161]
2018-02-28_09:56:59.76686 	at com.google.common.collect.CollectSpliterators$1WithCharacteristics.tryAdvance(CollectSpliterators.java:60) ~[graylog.jar:?]
2018-02-28_09:56:59.76794 	at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) ~[?:1.8.0_161]
2018-02-28_09:56:59.76808 	at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) ~[?:1.8.0_161]
2018-02-28_09:56:59.78759 	at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) ~[?:1.8.0_161]
2018-02-28_09:56:59.78872 	at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) ~[?:1.8.0_161]
2018-02-28_09:56:59.79388 	at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) ~[?:1.8.0_161]
2018-02-28_09:56:59.79415 	at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:1.8.0_161]
2018-02-28_09:56:59.79754 	at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) ~[?:1.8.0_161]
2018-02-28_09:56:59.79808 	at org.graylog.plugins.threatintel.adapters.spamhaus.SpamhausEDROPDataAdapter.doGet(SpamhausEDROPDataAdapter.java:158) ~[?:?]
2018-02-28_09:56:59.80253 	at org.graylog2.plugin.lookup.LookupDataAdapter.get(LookupDataAdapter.java:123) ~[graylog.jar:?]
2018-02-28_09:56:59.80254 	at org.graylog2.lookup.LookupTable.lambda$lookup$0(LookupTable.java:72) ~[graylog.jar:?]
2018-02-28_09:56:59.80588 	at org.graylog2.lookup.caches.GuavaLookupCache$InstrumentedCache.get(GuavaLookupCache.java:239) ~[graylog.jar:?]
2018-02-28_09:56:59.80958 	... 37 more
@megan201296

As a temporary measure until the bug is fixed, you can add a rule to your "when" condition on your threat intel pipeline rule to specify is_not_null(<field name>)
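
The workaround from the comment above, written out as a complete pipeline rule (an added example, not part of the original thread or the plugin's own code). The field name `src_addr` is an assumed placeholder, and the empty-string comparison is an addition here to cover a field that is present but blank.

```graylog
rule "threat intel lookup: src_addr (guarded)"
when
  // Guard: only run the lookup when the field exists, is not null and is
  // not blank, so an empty key never reaches the lookup table adapters.
  // "src_addr" is a placeholder field name (assumption).
  has_field("src_addr") &&
  is_not_null($message.src_addr) &&
  to_string($message.src_addr) != ""
then
  // Same call that produced the stack trace above, now only reached
  // with a non-empty value.
  let intel = threat_intel_lookup_ip(to_string($message.src_addr), "src_addr");
  set_fields(intel);
end
```

Messages that fail the guard skip the lookup entirely and carry no threat intel fields, so searches or alerts that count enriched messages will not include them.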

@danotorrey
Contributor

Fixed by commit 85f546b for version 2.5.
