Graylog plugin Tor exit nodes always false (Graylog 2.4.4)

Hi,

I want to see if a Tor exit node checks our OWA website.

  1. I enabled the plugin "Tor Exit Nodes".
  2. I created firewall rules and I can see everything is connected (no connection timeout).
  3. I created a pipeline (all messages). I want to view the field "remote_address" (e.g. the IPs from the Tor Browser).
  4. I created a rule "tor_lookup":
    rule "02 -tor_lookup"
    when
      has_field("remote_address")
    then
      let intel = tor_lookup(to_string($message.remote_address));
      set_field("src_addr_is_tor_exit_node", intel.threat_indicated);
    end
  5. The new field src_addr_is_tor_exit_node is shown in input_messages with "false".
  6. Problem: if I access our OWA website with a Tor Browser (different tests), all addresses also have src_addr_is_tor_exit_node shown as "false", but I think that is not right. I am using a Tor Browser, so the IPs (e.g. FR language code, definitely a Tor exit node) are also shown as false.

So my questions are:

  • Is my rule not correct?
  • Do I have to make more rules than the one above?
  • Can I manually check (Bash console) the plugin "Tor Exit Nodes"?

I would be very pleased if someone could give me an idea or a little help.

Thanks and best regards
celtar
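A way to do the manual check asked about in the third question without going through the plugin. This is an added example, not code from the original post or from the Graylog project: it parses the TorDNSEL exit-addresses list format (the file published at https://check.torproject.org/exit-addresses) from a constructed sample and reports whether a remote_address value is listed, which is what the rule's intel.threat_indicated expresses. The sample relays, addresses and timestamps are made up, and the handling of a ":port" suffix on remote_address is an assumption.

```python
import ipaddress

# Constructed sample in the TorDNSEL exit-addresses format (real list:
# https://check.torproject.org/exit-addresses); all values are made up.
SAMPLE_EXIT_LIST = """\
ExitNode 0000000000000000000000000000000000000001
Published 2018-06-01 10:00:00
LastStatus 2018-06-01 11:00:00
ExitAddress 192.0.2.10 2018-06-01 10:30:00
ExitAddress 192.0.2.11 2018-06-01 10:45:00
ExitNode 0000000000000000000000000000000000000002
Published 2018-06-01 09:00:00
LastStatus 2018-06-01 11:00:00
ExitAddress 198.51.100.7 2018-06-01 09:15:00
"""

def parse_exit_addresses(text: str) -> dict:
    """Map each ExitAddress IP to the fingerprint of the relay announcing it."""
    exits = {}
    fingerprint = ""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "ExitNode":
            fingerprint = parts[1]
        elif len(parts) >= 2 and parts[0] == "ExitAddress" and fingerprint:
            try:  # reject malformed addresses instead of storing garbage
                exits[str(ipaddress.ip_address(parts[1]))] = fingerprint
            except ValueError:
                continue
    return exits

def normalize_remote_address(value: str) -> str:
    """Return the bare IP ('' if invalid). Assumption: the field may carry a
    ':port' suffix such as 192.0.2.10:51234, which is stripped first."""
    candidate = value.strip()
    if candidate.count(":") == 1:  # IPv4 with port; IPv6 has more colons
        candidate = candidate.split(":", 1)[0]
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return ""

def is_tor_exit(remote_address: str, exits: dict) -> bool:
    """Manual equivalent of tor_lookup(addr).threat_indicated."""
    return normalize_remote_address(remote_address) in exits

def check_messages(addresses, text: str = SAMPLE_EXIT_LIST) -> dict:
    """Evaluate a batch of remote_address values against one parsed list."""
    exits = parse_exit_addresses(text)
    return {addr: is_tor_exit(addr, exits) for addr in addresses}
```

Feeding the same remote_address values that Graylog shows into check_messages with the live list tells you whether the field value itself is the problem (for example a NAT or proxy address instead of the client) or the lookup.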
