Stumped - Finding a function in rules

tmacgbay · January 11, 2021, 2:42pm

I ma having an issue tracking down what is causing this error and was hoping you had an idea

My Graylog server log is filling with the following error:

2021-01-11T08:54:10.623-05:00 ERROR [PrivateNetLookupFunction] Could not run private net lookup for IP [-]: '-' is not an IP string literal.

The only place I an find where I am using in_private_net() (that I could find) is in the following function (there are a few more like this built the same):

rule "DNS-session_src_ip-internal"
when
    has_field("session_src_ip")                                     &&
    is_ip(to_ip($message.session_src_ip))                           &&
    (
        in_private_net(to_string($message.session_src_ip ))         ||
        cidr_match("43.43.43.0/24",  to_ip($message.session_src_ip )) 
     )

then
    let IP2Name = lookup_value("Int_DNS_table", $message.session_src_ip );
    set_field("internal_wkst", IP2Name); 
    set_field("internal_ip", $message.session_src_ip);

end

I did a manual search of all my rules for in_private_net() or even a regex_replace() I am not using extractors. Threat Intelligence is disabled until I get to it.

It would be nice if there were an easy way to search through all rules for every existence of a function.

Anyone have a good idea on how to track this one down?

cawfehman · January 11, 2021, 10:22pm

Not a super sexy way to do it, but after some digging through some MongoDB documentation, I think you could possibly do the following, assuming you have access to the mongo instance housing your graylog config:

> use graylog
> var myCursor = db.pipeline_processor_rules.find( );
> myCursor.forEach(printjson);

That will screen dump each of your pipeline rules in JSON format, and then you can just parse them. I’m sure there’s a more elegant way, but I’m not MongoDB expert.

shoothub · January 12, 2021, 9:01am

Or create content pack with all pipeline rules and search in exported json file.

tmacgbay · January 12, 2021, 3:24pm

Well dammit - 60% of questions I ask get answered with something I should have thought of… Both good solutions! I am marking @cawfehman for doing some digging - Thanks guys!

cawfehman · January 12, 2021, 3:38pm

Glad to help… I had the benefit of distance from the problem. Sometimes we need to step away for a few and let our brain get out of it’s own way. That’s also why another pair of eyes is always good.

system · January 26, 2021, 3:38pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Pipeline rules problem Graylog Central (peer support) pipeline-rules	4	901	March 10, 2022
Threat intel plugin causes Private Net Lookup Error Graylog Central (peer support)	1	303	January 29, 2021
DNS translation in syslog Graylog Central (peer support) pipeline-rules	2	155	May 22, 2024
Need some help with regex in pipeline rule Graylog Central (peer support) pipeline-rules	2	2620	July 7, 2023
Pipeline value to extract Graylog Central (peer support) pipeline-rules	5	521	November 22, 2023

Stumped - Finding a function in rules

Related topics