rule "Tor Lookup: c_ip"
when
    has_field("c_ip")
then
    let intel = tor_lookup(to_string($message.c_ip));
    set_field("tor_indicated", intel.threat_indicated);
end
If I try to access my resources via Tor Browser with an IPv6 exit node, tor_indicated is never "true".
Graylog 4.1.3+9d79c05
We use https://check.torproject.org/exit-addresses which I believe does not contain any IPv6 exit addresses.
Please note that the tor_lookup is just a thin wrapper around the more generic HTTP lookup, so if you have a list that contains both known IPv4 and IPv6 exit addresses, you can easily configure a generic lookup table to take those into account and then use lookup/lookup_value functions in your pipelines.
I'm leaving this open because I'm not 100% sure there isn't a bulk exit address URL to get this data from instead of the one quoted above.
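Added example (not part of the original thread, and not Graylog code): a Python sketch of what a combined IPv4 + IPv6 exit list has to handle before it can back a generic lookup table, going slightly beyond the comment above by canonicalising address text so that differently written IPv6 forms and IPv4-mapped addresses still match. The sample data is constructed, and the one-address-per-line supplementary list is an assumed format for a hypothetical second source.

```python
import ipaddress

# Constructed sample in the layout of the exit-addresses file (documentation
# addresses and a made-up fingerprint, not real exit nodes).
EXIT_ADDRESSES = """\
ExitNode 0000000000000000000000000000000000000001
Published 2021-08-01 00:00:00
LastStatus 2021-08-01 01:00:00
ExitAddress 192.0.2.10 2021-08-01 01:05:00
"""
# Constructed supplementary list (hypothetical source), one address per line.
EXTRA_EXITS = "198.51.100.7\n2001:DB8:0:0:0:0:0:1\n"

def canonical(ip_text):
    # One canonical key per address so differently written forms compare equal.
    try:
        addr = ipaddress.ip_address(ip_text.strip().strip("[]"))
    except ValueError:
        return None
    # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the embedded IPv4 address.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.compressed

def build_exit_set(*sources):
    exits = set()
    for text in sources:
        for line in text.splitlines():
            parts = line.split()
            if len(parts) >= 2 and parts[0] == "ExitAddress":
                candidate = parts[1]      # "ExitAddress <ip> <date> <time>"
            elif len(parts) == 1 and not parts[0].startswith("#"):
                candidate = parts[0]      # bare address line
            else:
                continue                  # ExitNode / Published / LastStatus / blank
            key = canonical(candidate)
            if key:
                exits.add(key)
    return exits

def tor_indicated(c_ip, exits):
    # Canonicalise the log field the same way as the list entries.
    key = canonical(c_ip)
    return key is not None and key in exits

EXITS = build_exit_set(EXIT_ADDRESSES, EXTRA_EXITS)
```

A lookup table keyed on raw strings only matches if the list entries and the c_ip field are written identically, so the same canonicalisation has to be applied on both sides.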