
Pipeline function "in_private_net" cannot parse IPV6 #4624

Closed
jekelundh opened this issue Feb 28, 2018 · 3 comments · Fixed by Graylog2/graylog-plugin-threatintel#157

Comments

@jekelundh

jekelundh commented Feb 28, 2018

Pipeline function in_private_net cannot parse IPV6 entries

Expected Behavior

IPV6 entries should be ignored

Current Behavior

IPV6 entries generate a stack trace in server.log for each message containing an IPV6 src/dst.

2018-02-28T02:58:46.703+01:00 ERROR [PrivateNetLookupFunction] Could not run private net lookup for IP [_the_ipv6_address_]
java.lang.IllegalArgumentException: Could not parse [_the_ipv6_address_]
        at org.apache.commons.net.util.SubnetUtils.toInteger(SubnetUtils.java:287) ~[graylog-plugin-threatintel-2.4.0.jar:?]

Possibly duplicate of, or related to, Graylog2/graylog-plugin-threatintel#33

  • Graylog Version: graylog-server-2.4.0-9.noarch
  • Elasticsearch Version: elasticsearch-5.6.4-1.noarch
  • MongoDB Version: mongodb-org-server-3.2.17-1.el7.x86_64
  • Operating System: CentOS Linux release 7.4.1708 (Core)
  • Browser version: any
@GTownson

+1

@ion-storm

@lennartkoopmann I am experiencing this bug as well; it ends up resulting in excessive CPU usage and log bloat due to errors in the log file on any version before the current.

@ion-storm

2019-05-31T08:52:04.162-04:00 ERROR [PrivateNetLookupFunction] Could not run private net lookup for IP [ff02:0:0:0:0:0:0:fb].
java.lang.IllegalArgumentException: Could not parse [ff02:0:0:0:0:0:0:fb]
        at org.apache.commons.net.util.SubnetUtils.toInteger(SubnetUtils.java:287) ~[graylog-plugin-threatintel-3.0.2.jar:?]
        at org.apache.commons.net.util.SubnetUtils.access$400(SubnetUtils.java:27) ~[graylog-plugin-threatintel-3.0.2.jar:?]
        at org.apache.commons.net.util.SubnetUtils$SubnetInfo.isInRange(SubnetUtils.java:125) ~[graylog-plugin-threatintel-3.0.2.jar:?]
        at org.graylog.plugins.threatintel.tools.PrivateNet.isInPrivateAddressSpace(PrivateNet.java:39) ~[graylog-plugin-threatintel-3.0.2.jar:?]
        at org.graylog.plugins.threatintel.functions.misc.PrivateNetLookupFunction.evaluate(PrivateNetLookupFunction.java:62) [graylog-plugin-threatintel-3.0.2.jar:?]
        at org.graylog.plugins.threatintel.functions.misc.PrivateNetLookupFunction.evaluate(PrivateNetLookupFunction.java:34) [graylog-plugin-threatintel-3.0.2.jar:?]
        at org.graylog.plugins.pipelineprocessor.ast.expressions.FunctionExpression.evaluateUnsafe(FunctionExpression.java:63) [graylog.jar:?]
        at org.graylog.plugins.pipelineprocessor.ast.expressions.BooleanValuedFunctionWrapper.evaluateBool(BooleanValuedFunctionWrapper.java:37) [graylog.jar:?]
        at org.graylog.plugins.pipelineprocessor.ast.expressions.NotExpression.evaluateBool(NotExpression.java:34) [graylog.jar:?]
        at org.graylog.plugins.pipelineprocessor.ast.expressions.AndExpression.evaluateBool(AndExpression.java:35) [graylog.jar:?]
        at org.graylog.plugins.pipelineprocessor.ast.expressions.AndExpression.evaluateBool(AndExpression.java:35) [graylog.jar:?]
        at org.graylog.plugins.pipelineprocessor.ast.expressions.AndExpression.evaluateBool(AndExpression.java:35) [graylog.jar:?]
        at org.graylog.plugins.pipelineprocessor.ast.expressions.AndExpression.evaluateBool(AndExpression.java:35) [graylog.jar:?]
        at org.graylog.plugins.pipelineprocessor.ast.expressions.AndExpression.evaluateBool(AndExpression.java:35) [graylog.jar:?]
        at org.graylog.plugins.pipelineprocessor.ast.expressions.AndExpression.evaluateBool(AndExpression.java:35) [graylog.jar:?]
        at org.graylog.plugins.pipelineprocessor.ast.expressions.AndExpression.evaluateBool(AndExpression.java:35) [graylog.jar:?]
        at org.graylog.plugins.pipelineprocessor.ast.expressions.AndExpression.evaluateBool(AndExpression.java:35) [graylog.jar:?]
        at org.graylog.plugins.pipelineprocessor.ast.expressions.AndExpression.evaluateBool(AndExpression.java:35) [graylog.jar:?]
        at org.graylog.plugins.pipelineprocessor.ast.expressions.AndExpression.evaluateBool(AndExpression.java:35) [graylog.jar:?]
        at org.graylog.plugins.pipelineprocessor.ast.expressions.AndExpression.evaluateBool(AndExpression.java:35) [graylog.jar:?]
        at org.graylog.plugins.pipelineprocessor.ast.expressions.AndExpression.evaluateBool(AndExpression.java:35) [graylog.jar:?]
        at org.graylog.plugins.pipelineprocessor.ast.expressions.AndExpression.evaluateBool(AndExpression.java:35) [graylog.jar:?]
        at org.graylog.plugins.pipelineprocessor.ast.expressions.AndExpression.evaluateBool(AndExpression.java:35) [graylog.jar:?]
        at org.graylog.plugins.pipelineprocessor.ast.expressions.AndExpression.evaluateBool(AndExpression.java:35) [graylog.jar:?]
        at org.graylog.plugins.pipelineprocessor.ast.expressions.AndExpression.evaluateBool(AndExpression.java:35) [graylog.jar:?]
        at org.graylog.plugins.pipelineprocessor.ast.expressions.AndExpression.evaluateBool(AndExpression.java:35) [graylog.jar:?]
        at org.graylog.plugins.pipelineprocessor.ast.expressions.AndExpression.evaluateBool(AndExpression.java:35) [graylog.jar:?]
        at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.evaluateRuleCondition(PipelineInterpreter.java:399) [graylog.jar:?]
        at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.evaluateStage(PipelineInterpreter.java:299) [graylog.jar:?]
        at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.processForResolvedPipelines(PipelineInterpreter.java:263) [graylog.jar:?]
        at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.process(PipelineInterpreter.java:143) [graylog.jar:?]
        at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.process(PipelineInterpreter.java:99) [graylog.jar:?]
        at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.handleMessage(ProcessBufferProcessor.java:114) [graylog.jar:?]
        at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.dispatchMessage(ProcessBufferProcessor.java:100) [graylog.jar:?]
        at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:77) [graylog.jar:?]
        at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:42) [graylog.jar:?]
        at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) [graylog.jar:?]
        at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_201]

kroepke added a commit to Graylog2/graylog-plugin-threatintel that referenced this issue Mar 23, 2020
extended the ip subnet check to ignore all IPv6 addresses by returning "false" for all of them, even unique local addresses
subnet check is not faster
only non-IP addresses will lead to a log message now, IPv6 checks will be silent

fixes #156
fixes Graylog2/graylog2-server#4624
related to #33
mpfz0r pushed a commit to Graylog2/graylog-plugin-threatintel that referenced this issue Aug 17, 2020
extended the ip subnet check to ignore all IPv6 addresses by returning "false" for all of them, even unique local addresses
subnet check is not faster
only non-IP addresses will lead to a log message now, IPv6 checks will be silent

fixes #156
fixes Graylog2/graylog2-server#4624
related to #33
mpfz0r pushed a commit to Graylog2/graylog-plugin-threatintel that referenced this issue Aug 17, 2020
extended the ip subnet check to ignore all IPv6 addresses by returning "false" for all of them, even unique local addresses
subnet check is not faster
only non-IP addresses will lead to a log message now, IPv6 checks will be silent

fixes #156
fixes Graylog2/graylog2-server#4624
related to #33

(cherry picked from commit abc08c0)
mpfz0r pushed a commit to Graylog2/graylog-plugin-threatintel that referenced this issue Oct 14, 2020
This reduces error log noise by suppressing the stacktrace

fixes #156
fixes Graylog2/graylog2-server#4624
related to #33

(cherry picked from commit abc08c0)

extend `in_private_net` to check for unique local addresses in IPv6

(cherry picked from commit 6c3f617)

use Graylog's IpSubnet class instead of ancient netty one

suppress harmless API stability warning

(cherry picked from commit 91d4f64)
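An added example, not the plugin's own code, contrasting the failure reported in the issue with the behaviour the fix commits describe: the pre-fix check throws on every IPv6 address (one stack trace per message), while the hardened form answers IPv4 and IPv6 (including fc00::/7 unique local addresses) silently and logs only input that is not an IP address at all. The private ranges, function names and the reproduction of the old parser are assumptions made for this illustration.

```python
import ipaddress
import logging

log = logging.getLogger("in_private_net")

# Assumed private ranges: RFC 1918 IPv4 space plus the IPv6 unique local
# range (fc00::/7) that the later commit adds. Not the plugin's own table.
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fc00::/7"),
]


def in_private_net_broken(ip: str) -> bool:
    """Mimics the pre-fix behaviour: an IPv4-only subnet check that raises on
    anything it cannot parse as a dotted quad, so every IPv6 address throws."""
    parts = ip.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        # Same failure mode as SubnetUtils.toInteger in the reported trace.
        raise ValueError(f"Could not parse [{ip}]")
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in PRIVATE_NETS if net.version == 4)


def in_private_net(ip: str) -> bool:
    """Hardened form: both IP versions are answered without raising; only a
    value that is not an IP address produces a single log line, no stack trace."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        log.warning("Could not run private net lookup for IP [%s]", ip)
        return False
    return any(addr in net for net in PRIVATE_NETS if net.version == addr.version)


def lookup_raises(ip: str) -> bool:
    """True if the pre-fix check throws for this input (the log-bloat case)."""
    try:
        in_private_net_broken(ip)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # The multicast address from the issue's own stack trace: old code throws,
    # fixed code silently says "not private".
    print(lookup_raises("ff02:0:0:0:0:0:0:fb"), in_private_net("ff02:0:0:0:0:0:0:fb"))
```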