Tor_lookup() always returns {threat_indicated:false}

(Peter Stamfest) #1

It has been reported here before, and it seems to be a common topic: tor_lookup(“ip-as-a-string”) always returns {threat_indicated:false}.

I checked this by:

  • testing if a current tor exit node can be found in the list using the “Test lookup” feature under the System/Lookup Tables. This returns something like
  "single_value": "YADA....YADA",
  "multi_value": {
    "node_ids": [
  "ttl": 922...6000
  • I added a pipeline function and hardcoded the call using the very same IP address like
rule "test_threat_intel"
when
  true
then
  // hardcoded lookup of the same exit node IP that the "Test lookup" feature finds
  let intel = tor_lookup("TESTIP");
  set_field("src_ip_is_tor_exit_node", intel.threat_indicated);
  set_field("test", to_string(intel));
end

and I always get

test: “{threat_indicated=false}”

src_ip_is_tor_exit_node: false

as a result.

Obviously, this is also true when I use the real IP for the lookup, like in


So clearly - something is wrong.

Any ideas???

(Jan Doberstein) #2

It looks like this is already reported as a bug:

Feel free to subscribe to the Github issues to get updates on that.

(Peter Stamfest) #3

I now commented on the issue. I had already stumbled across it, but because the latest comments were from Feb 2018 I thought I would give it a try here. I take it that nobody currently uses this… :slight_smile:

(Jan Doberstein) #4

Or nobody that is using it noticed this. I have pointed one of the developers to this. Hopefully a fix will come with the next version.