
Comments (15)

joschi commented on July 20, 2024

@mudrunkar Please provide the full pipeline rule calling the tor_lookup() function which you're using to enrich your messages.

from graylog-plugin-threatintel.

mudrunkar commented on July 20, 2024

I use the following function:

rule "add_tor_lookup"
when 
    has_field("source_address")
then
    let tor_lookup = tor_lookup(to_string($message.source_address));
    set_field("tor_lookup", tor_lookup);
end


swelcher commented on July 20, 2024

I'm having a similar issue, but just by looking at your example and at the examples for the plugin, tor_lookup in the set_field needs to look like set_field("tor_lookup", tor_lookup.threat_indicated);

swelcher commented on July 20, 2024

@joschi I've been looking at TorExitNodeLookupFunction and LookupResult and I'm probably overthinking/missing this but where does "lookupFunction" come from in this.lookupFunction.lookup(ip.trim())?

final LookupResult lookupResult = this.lookupFunction.lookup(ip.trim());

In a way it almost appears to bypass the if/else statement and falls to the default GenericLookupResult.False value.

    @Override
    public GenericLookupResult evaluate(FunctionArgs args, EvaluationContext context) {
        String ip = valueParam.required(args, context);
        if (ip == null) {
            LOG.error("NULL parameter passed to Tor exit node lookup.");
            return null;
        }

        LOG.debug("Running Tor exit node lookup for IP [{}].", ip);

        final LookupResult lookupResult = this.lookupFunction.lookup(ip.trim());
        if (lookupResult != null && !lookupResult.isEmpty()) {
            final Object value = lookupResult.singleValue();
            if (value instanceof Boolean) {
                return (Boolean) value ? GenericLookupResult.TRUE : GenericLookupResult.FALSE;
            }
            if (value instanceof String) {
                return Boolean.valueOf((String) value) ? GenericLookupResult.TRUE : GenericLookupResult.FALSE;
            }
        }

        return GenericLookupResult.FALSE;
    }


ion-storm commented on July 20, 2024

I can confirm that tor_lookup always fails; also, when you query the dataset it does not return true when found, it returns what looks like a hash.

Tor failed lookup:

{
  "single_value": "D83665AF257FD05C4687897815233FD52A8E9829",
  "multi_value": {
    "node_ids": [
      "D83665AF257FD05C4687897815233FD52A8E9829"
    ]
  },
  "ttl": 9223372036854776000,
  "empty": false
}

Abuse.CH successful lookup:

{
  "single_value": true,
  "multi_value": {
    "value": true
  },
  "ttl": 9223372036854776000,
  "empty": false
}


ion-storm commented on July 20, 2024

When querying TOR, it'll respond as false when not found, and returns a hash when found.


ion-storm commented on July 20, 2024

Comparing both the Tor and abuse.ch lookup functions, it looks like this may need to be changed to:

        final LookupResult lookupResult = this.lookupFunction.lookup(ip.trim());
        if (lookupResult != null && !lookupResult.isEmpty() && lookupResult.singleValue() != null) {
            if (lookupResult.singleValue() instanceof Boolean) {
                return (Boolean) lookupResult.singleValue() ? GenericLookupResult.TRUE : GenericLookupResult.FALSE;
            }
            if (lookupResult.singleValue() instanceof String) {
                return Boolean.valueOf((String) lookupResult.singleValue()) ? GenericLookupResult.TRUE : GenericLookupResult.FALSE;
            }
        }

        return GenericLookupResult.FALSE;
    }


stamfest commented on July 20, 2024

This is still an issue in the latest 2.4.6 version (at least in the Ubuntu package). The intended functionality is unusable in the current state.


danotorrey commented on July 20, 2024

Thank you for all of the details. We are investigating this issue.


stamfest commented on July 20, 2024

Too bad that a fix for this issue has not made it into 2.5. Is that really such a complex issue? Any pointer on where this should be fixed so we can take a shot at it?


danotorrey commented on July 20, 2024

Hi @stamfest,
My sincere apologies on the delayed response. Thank you for following up again.

We have been investigating the issue this week and are making good progress in understanding why this is failing. I expect to have more info very soon.


danotorrey commented on July 20, 2024

@stamfest @ion-storm @mudrunkar @swelcher We have confirmed that this issue is occurring due to a bug. The bug will be fixed in Graylog version 3.0, which will be released next month.


dio99 commented on July 20, 2024

Will it not be fixed in 2.4/2.5?
// Anders


danotorrey commented on July 20, 2024

Hi @mudrunkar @stamfest @ion-storm @dio99,
This will be fixed in Graylog version 3.0 coming out next month, but there is a solid workaround:

  1. Verify that a Tor Exit Node Lookup Table is set up.
  2. Add the following pipeline rule that uses the lookup table by its name:
rule "Is from a Tor Exit Node: src_addr"
when 
    has_field("src_addr")
then
    let tor_lookup = lookup( "name-of-tor-exit-node-lookup-table", to_string($message.src_addr));
    set_field("from_tor_exit_node", is_not_null(join(tor_lookup.node_ids)));
end

See this docs page for general instructions for setting up a lookup table. Please note that you may need to also enable Tor Lookups in System > Configurations > Threat Intelligence Lookup Configuration > Tor Exit Nodes.

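As an added example (not the plugin's own code), the stand-alone Java program below mimics the two lookup responses pasted earlier in the thread and compares the evaluate() logic quoted above with the presence check on node_ids that the workaround rule performs. LookupResult, GenericLookupResult and the method names here are simplified stand-ins for the plugin's classes, and the sample fingerprint is the one from the thread used as constructed input.

```java
import java.util.List;
import java.util.Map;
public class TorLookupRepro {
    enum GenericLookupResult { TRUE, FALSE }
    /** Stand-in for Graylog's LookupResult; the Tor table answers with the exit node fingerprint(s). */
    static final class LookupResult {
        final Object singleValue;
        final Map<String, Object> multiValue;
        LookupResult(Object singleValue, Map<String, Object> multiValue) {
            this.singleValue = singleValue;
            this.multiValue = multiValue;
        }
        boolean isEmpty() { return singleValue == null && multiValue.isEmpty(); }
        Object singleValue() { return singleValue; }
        Map<String, Object> multiValue() { return multiValue; }
    }

    /** Mirrors the evaluate() logic quoted in the thread: only a Boolean or a "true" string counts as a hit. */
    static GenericLookupResult evaluateAsShipped(LookupResult r) {
        if (r != null && !r.isEmpty()) {
            Object value = r.singleValue();
            if (value instanceof Boolean) {
                return (Boolean) value ? GenericLookupResult.TRUE : GenericLookupResult.FALSE;
            }
            if (value instanceof String) {
                // A node fingerprint such as "D83665AF..." is not the string "true", so Boolean.valueOf() yields false
                return Boolean.valueOf((String) value) ? GenericLookupResult.TRUE : GenericLookupResult.FALSE;
            }
        }
        return GenericLookupResult.FALSE;
    }

    /** Same idea as the workaround rule: any non-empty result that carries node_ids is a hit. */
    static GenericLookupResult evaluateByPresence(LookupResult r) {
        if (r == null || r.isEmpty()) return GenericLookupResult.FALSE;
        Object nodeIds = r.multiValue().get("node_ids");
        boolean hit = nodeIds instanceof List && !((List<?>) nodeIds).isEmpty();
        return hit ? GenericLookupResult.TRUE : GenericLookupResult.FALSE;
    }

    public static void main(String[] args) {
        // Constructed samples shaped like the Tor and abuse.ch responses pasted earlier in the thread
        String fp = "D83665AF257FD05C4687897815233FD52A8E9829";
        LookupResult torHit = new LookupResult(fp, Map.of("node_ids", List.of(fp)));
        LookupResult abuseHit = new LookupResult(Boolean.TRUE, Map.of("value", Boolean.TRUE));
        System.out.println("Tor hit, shipped logic: " + evaluateAsShipped(torHit));
        System.out.println("Tor hit, presence check: " + evaluateByPresence(torHit));
        System.out.println("abuse.ch hit, shipped logic: " + evaluateAsShipped(abuseHit));
    }
}
```

Running it shows the shipped logic reporting FALSE for a genuine Tor exit node while the abuse.ch-style boolean result is handled correctly, which is why a rule keyed on node_ids works where tor_lookup() does not.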

dio99 commented on July 20, 2024

Complains about function join in Graylog version 2.5.
//Anders

