Comments (15)
@mudrunkar Please provide the full pipeline rule calling the tor_lookup() function which you're using to enrich your messages.
from graylog-plugin-threatintel.
I use the following function:
rule "add_tor_lookup"
when
    has_field("source_address")
then
    let tor_lookup = tor_lookup(to_string($message.source_address));
    set_field("tor_lookup", tor_lookup);
end
from graylog-plugin-threatintel.
I'm having a similar issue, but just by looking at your example and at the examples for the plugin, it looks like the tor_lookup in set_field needs to look like set_field("tor_lookup", tor_lookup.threat_indicated);
from graylog-plugin-threatintel.
@joschi I've been looking at TorExitNodeLookupFunction and LookupResult, and I'm probably overthinking/missing this, but where does "lookupFunction" come from in this.lookupFunction.lookup(ip.trim())?
final LookupResult lookupResult = this.lookupFunction.lookup(ip.trim());
In a way it almost appears to bypass the if/else statement and fall through to the default GenericLookupResult.FALSE value.
@Override
public GenericLookupResult evaluate(FunctionArgs args, EvaluationContext context) {
    String ip = valueParam.required(args, context);
    if (ip == null) {
        LOG.error("NULL parameter passed to Tor exit node lookup.");
        return null;
    }
    LOG.debug("Running Tor exit node lookup for IP [{}].", ip);
    final LookupResult lookupResult = this.lookupFunction.lookup(ip.trim());
    if (lookupResult != null && !lookupResult.isEmpty()) {
        final Object value = lookupResult.singleValue();
        if (value instanceof Boolean) {
            return (Boolean) value ? GenericLookupResult.TRUE : GenericLookupResult.FALSE;
        }
        if (value instanceof String) {
            return Boolean.valueOf((String) value) ? GenericLookupResult.TRUE : GenericLookupResult.FALSE;
        }
    }
    return GenericLookupResult.FALSE;
}
from graylog-plugin-threatintel.
I can confirm that tor_lookup always fails. Also, when you query the dataset it does not return true when found; it returns what looks like a hash.
Tor failed lookup:
{
    "single_value": "D83665AF257FD05C4687897815233FD52A8E9829",
    "multi_value": {
        "node_ids": [
            "D83665AF257FD05C4687897815233FD52A8E9829"
        ]
    },
    "ttl": 9223372036854776000,
    "empty": false
}
Abuse.CH successful lookup:
{
    "single_value": true,
    "multi_value": {
        "value": true
    },
    "ttl": 9223372036854776000,
    "empty": false
}
from graylog-plugin-threatintel.
When querying Tor, it'll respond with false when not found and return a hash when found.
from graylog-plugin-threatintel.
Comparing both the Tor and abuse.ch lookup functions, it looks like this may need to be changed to
final LookupResult lookupResult = this.lookupFunction.lookup(ip.trim());
if (lookupResult != null && !lookupResult.isEmpty() && lookupResult.singleValue() != null) {
    if (lookupResult.singleValue() instanceof Boolean) {
        return (Boolean) lookupResult.singleValue() ? GenericLookupResult.TRUE : GenericLookupResult.FALSE;
    }
    if (lookupResult.singleValue() instanceof String) {
        return Boolean.valueOf((String) lookupResult.singleValue()) ? GenericLookupResult.TRUE : GenericLookupResult.FALSE;
    }
}
from graylog-plugin-threatintel.
This still is an issue in the latest 2.4.6 version (at least in the ubuntu package). The intended functionality is unusable in the current state.
from graylog-plugin-threatintel.
Thank you for all of the details. We are investigating this issue.
from graylog-plugin-threatintel.
Too bad that a fix for this issue has not made it into 2.5. Is that really such a complex issue? Any pointer on where this should be fixed so we can take a shot at it?
from graylog-plugin-threatintel.
Hi @stamfest,
My sincere apologies on the delayed response. Thank you for following up again.
We have been investigating the issue this week and are making good progress in understanding why this is failing. I expect to have more info very soon.
from graylog-plugin-threatintel.
@stamfest @ion-storm @mudrunkar @swelcher We have confirmed that this issue is occurring due to a bug. The bug will be fixed in Graylog version 3.0, which will be released next month.
from graylog-plugin-threatintel.
Will it not be fixed in 2.4/2.5?
// Anders
from graylog-plugin-threatintel.
Hi @mudrunkar @stamfest @ion-storm @dio99,
This will be fixed in Graylog version 3.0 coming out next month, but there is a solid workaround:
- Verify that a Tor Exit Node Lookup Table is set up.
- Add the following pipeline rule that uses the lookup table by its name:
rule "Is from a Tor Exit Node: src_addr"
when
    has_field("src_addr")
then
    let tor_lookup = lookup("name-of-tor-exit-node-lookup-table", to_string($message.src_addr));
    set_field("from_tor_exit_node", is_not_null(join(tor_lookup.node_ids)));
end
See this docs page for general instructions for setting up a lookup table. Please note that you may need to also enable Tor Lookups in System > Configurations > Threat Intelligence Lookup Configuration > Tor Exit Nodes.
from graylog-plugin-threatintel.
Complains about function join in Graylog version 2.5.
// Anders
from graylog-plugin-threatintel.
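As an added example (this is not code from graylog-plugin-threatintel or from anyone in this thread), the following Python model replays the two lookup payloads posted above through the decision rule of the quoted evaluate() method, a corrected variant that treats a returned exit node fingerprint as a hit, and a mirror of the is_not_null(join(...)) lookup-table workaround. The lookup table, its IP addresses and the "miss" payload are constructed; the behaviour of join() on a missing list is modelled, not taken from Graylog.

```python
"""Model of the tor_lookup decision logic discussed in this thread.

Added example, not plugin code: replays the posted lookup payloads through
the quoted evaluate() rule, a corrected rule, and the pipeline workaround.
"""
from typing import Optional

# Lookup payloads copied from the JSON posted in the thread ("ttl" omitted).
TOR_HIT = {
    "single_value": "D83665AF257FD05C4687897815233FD52A8E9829",
    "multi_value": {"node_ids": ["D83665AF257FD05C4687897815233FD52A8E9829"]},
    "empty": False,
}
ABUSECH_HIT = {"single_value": True, "multi_value": {"value": True}, "empty": False}
MISS = {"single_value": None, "multi_value": {}, "empty": True}  # constructed miss


def java_boolean_value_of(s: str) -> bool:
    """Boolean.valueOf(String): true only for the case-insensitive literal "true"."""
    return s.lower() == "true"


def evaluate_as_posted(result: Optional[dict]) -> bool:
    """Decision rule of the evaluate() method quoted above, translated line for line."""
    if result is not None and not result["empty"]:
        value = result["single_value"]
        if isinstance(value, bool):
            return value
        if isinstance(value, str):
            # A Tor hit carries the exit node fingerprint here, so this is always false.
            return java_boolean_value_of(value)
    return False


def evaluate_fixed(result: Optional[dict]) -> bool:
    """Corrected rule: a found fingerprint is a hit, not a string to parse as a boolean."""
    if result is None or result["empty"]:
        return False
    value = result["single_value"]
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        if value.strip().lower() in ("true", "false"):
            return value.strip().lower() == "true"
        return value.strip() != ""  # any other non-blank string is an identifier: found
    # No usable single value: fall back to the node_ids list in the multi value.
    node_ids = (result.get("multi_value") or {}).get("node_ids") or []
    return len(node_ids) > 0


def workaround_rule(result: Optional[dict]) -> bool:
    """Mirror of set_field("from_tor_exit_node", is_not_null(join(tor_lookup.node_ids)))."""
    if result is None:
        return False
    node_ids = (result.get("multi_value") or {}).get("node_ids")
    if node_ids is None:
        return False  # modelled: join() of a missing list yields null, so is_not_null() is false
    return True  # join() of a present list (even an empty one) is a string, never null


# Constructed lookup table (documentation-range IPs, not real exit nodes).
TOR_EXIT_TABLE = {"198.51.100.7": "D83665AF257FD05C4687897815233FD52A8E9829"}


def lookup(ip: str) -> dict:
    """Shape a table hit or miss the way the posted payloads look."""
    fingerprint = TOR_EXIT_TABLE.get(ip.strip())
    if fingerprint is None:
        return MISS
    return {"single_value": fingerprint, "multi_value": {"node_ids": [fingerprint]}, "empty": False}


def enrich(message: dict) -> dict:
    """Pipeline-rule equivalent: when src_addr exists, set from_tor_exit_node."""
    enriched = dict(message)
    if "src_addr" in enriched:
        enriched["from_tor_exit_node"] = evaluate_fixed(lookup(str(enriched["src_addr"])))
    return enriched


if __name__ == "__main__":
    for name, payload in (("tor hit", TOR_HIT), ("abuse.ch hit", ABUSECH_HIT), ("miss", MISS)):
        print(f"{name:12} posted={evaluate_as_posted(payload)!s:5} "
              f"fixed={evaluate_fixed(payload)!s:5} workaround={workaround_rule(payload)}")
```

Running the script shows the abuse.ch payload classified as a hit by both rules while the Tor payload is a hit only under the corrected rule: Boolean.valueOf() of a hex fingerprint is false, which is exactly the "always false" symptom reported above. Note that the workaround mirror is true for any present node_ids list, including an empty one, since join() of an empty list is an empty string rather than null.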