tor_lookup does not work for IPv6 #202

Open
juris opened this issue Aug 25, 2021 · 1 comment

juris commented Aug 25, 2021

Here's the pipeline rule:

rule "Tor Lookup: c_ip"
when
  has_field("c_ip")
then
  let intel = tor_lookup(to_string($message.c_ip));
  set_field("tor_indicated", intel.threat_indicated);
end

If I try to access my resources via Tor Browser with an IPv6 exit node, tor_indicated is never "true".

Graylog 4.1.3+9d79c05

Member

kroepke commented Aug 30, 2021

We use https://check.torproject.org/exit-addresses which I believe does not contain any IPv6 exit addresses.
Please note that the tor_lookup is just a thin wrapper around the more generic HTTP lookup, so if you have a list that contains both known IPv4 and IPv6 exit addresses, you can easily configure a generic lookup table to take those into account and then use lookup/lookup_value functions in your pipelines.

I'm leaving this open because I'm not 100% sure there isn't a bulk exit address URL to get this data from instead of the one quoted above.
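
An added example, not part of the thread or of Graylog's code: a sketch of preparing data for the generic lookup table suggested above. It parses text in the `ExitAddress` layout of the exit-addresses list, reports how many entries each IP family has, and merges a second list into CSV rows keyed by canonical address text. The second list, the `ip,tor_exit` column names and all sample addresses are constructed assumptions.

```python
import csv
import io
import ipaddress

# Constructed sample in the exit-addresses layout (documentation-range IPs).
SAMPLE_EXIT_LIST = """\
ExitNode 0000000000000000000000000000000000000001
Published 2021-08-24 10:00:00
LastStatus 2021-08-25 03:00:00
ExitAddress 198.51.100.7 2021-08-25 03:10:00
ExitNode 0000000000000000000000000000000000000002
Published 2021-08-24 11:00:00
LastStatus 2021-08-25 04:00:00
ExitAddress 192.0.2.10 2021-08-25 04:10:00
"""
# Hypothetical second source, one address per line (constructed).
SAMPLE_EXTRA_LIST = "2001:DB8:0:0:0:0:0:1\n2001:db8::2\n192.0.2.10\nnot-an-ip\n"

def canonical(text):
    """Parse an address and return the ipaddress object, or None if invalid."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None

def parse_exit_addresses(text):
    """Collect addresses from 'ExitAddress <ip> <date> <time>' lines."""
    fields = (line.split() for line in text.splitlines())
    ips = (canonical(f[1]) for f in fields if len(f) >= 2 and f[0] == "ExitAddress")
    return {ip for ip in ips if ip is not None}

def family_counts(addresses):
    """Count addresses per IP version, to check what a source really covers."""
    return {v: sum(1 for ip in addresses if ip.version == v) for v in (4, 6)}

def build_lookup_csv(exit_text, extra_text):
    """Merge both sources into CSV rows keyed by canonical address text."""
    merged = parse_exit_addresses(exit_text)
    merged |= {ip for ip in map(canonical, extra_text.splitlines()) if ip is not None}
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["ip", "tor_exit"])
    for ip in sorted(merged, key=lambda a: (a.version, int(a))):
        writer.writerow([str(ip), "true"])
    return out.getvalue()

if __name__ == "__main__":
    print(family_counts(parse_exit_addresses(SAMPLE_EXIT_LIST)))
    print(build_lookup_csv(SAMPLE_EXIT_LIST, SAMPLE_EXTRA_LIST), end="")
```

A string-keyed table only matches when the logged address uses the same text form as the key, so the value passed from the pipeline needs the same canonical form as the CSV.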
