I am having an issue tracking down what is causing this error and was hoping you had an idea.
My Graylog server log is filling with the following error:
2021-01-11T08:54:10.623-05:00 ERROR [PrivateNetLookupFunction] Could not run private net lookup for IP [-]: '-' is not an IP string literal.
The only place I can find where I am using in_private_net() (that I could find) is in the following function (there are a few more like this built the same):
rule "DNS-session_src_ip-internal"
when
    has_field("session_src_ip") &&
    is_ip(to_ip($message.session_src_ip)) &&
    (
        in_private_net(to_string($message.session_src_ip)) ||
        cidr_match("220.127.116.11/24", to_ip($message.session_src_ip))
    )
then
    let IP2Name = lookup_value("Int_DNS_table", $message.session_src_ip);
    set_field("internal_wkst", IP2Name);
    set_field("internal_ip", $message.session_src_ip);
end
I did a manual search of all my rules for in_private_net() or even a regex_replace(). I am not using extractors. Threat Intelligence is disabled until I get to it.
It would be nice if there were an easy way to search through all rules for every existence of a function.
Anyone have a good idea on how to track this one down?
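
One way to do the search asked for above, as an added example that is not part of the original post or of Graylog: scan exported rule sources for real calls of a function, ignoring mentions inside comments and string literals. The sample rules are constructed, and the `title` and `source` keys are an assumption about how the rules were exported.

```python
import re

# Constructed sample rules. The "title"/"source" keys are an assumption
# about how the rules were exported (e.g. a JSON list of rule objects).
SAMPLE_RULES = [
    {"title": "DNS-session_src_ip-internal", "source": '''rule "DNS-session_src_ip-internal"
when
  has_field("session_src_ip") &&
  in_private_net(to_string($message.session_src_ip))
then
  set_field("internal_ip", $message.session_src_ip);
end'''},
    {"title": "mentions-only", "source": '''rule "mentions-only"
when true
then
  // in_private_net(to_string($message.dst_ip)) was removed here
  set_field("note", "in_private_net(x) is not called");
end'''},
    {"title": "proxy-dst", "source": '''rule "proxy-dst"
when
  has_field("dst_ip") && in_private_net (
    to_string($message.dst_ip))
then
  set_field("dst_internal", true);
end'''},
]

# String literals, // comments and /* */ comments: text that can mention a
# function name without calling it.
NOISE = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)

def blank_noise(source):
    """Replace literals and comments with spaces, keeping line breaks."""
    return NOISE.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), source)

def find_calls(rules, func):
    """Return (rule title, line number, source line) for each call of func."""
    call = re.compile(r"(?<![\w.])" + re.escape(func) + r"\s*\(")
    hits = []
    for rule in rules:
        lines = rule["source"].splitlines()
        for m in call.finditer(blank_noise(rule["source"])):
            line_no = rule["source"].count("\n", 0, m.start()) + 1
            hits.append((rule["title"], line_no, lines[line_no - 1].strip()))
    return hits

if __name__ == "__main__":
    for title, line_no, text in find_calls(SAMPLE_RULES, "in_private_net"):
        print(f"{title}:{line_no}: {text}")
```

Because the blanking step preserves offsets and line breaks, the reported line numbers match the rule as shown in the rule editor.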