It has been reported here before, and it seems to be a common topic: tor_lookup("ip-as-a-string") always returns {threat_indicated:false}.
I checked this by:
- testing if a current Tor exit node can be found in the list using the "Test lookup" feature under System/Lookup Tables. This returns something like
      { "single_value": "YADA....YADA", "multi_value": { "node_ids": [ "YADA....YADA" ] }, "ttl": 922...6000 }
- I added a pipeline function and hardcoded the call using the very same IP address, like
      rule "test_threat_intel"
      when
          has_field("src_ip")
      then
          let intel = tor_lookup("TESTIP");
          set_field("src_ip_is_tor_exit_node", intel.threat_indicated);
          set_field("test", to_string(intel));
      end
and I always get
test: "{threat_indicated=false}"
and
src_ip_is_tor_exit_node: false
as a result.
Obviously, this is also true when I use the real IP for the lookup, like in
tor_lookup(to_string($message.src_ip))
So clearly, something is wrong.
Any ideas?
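For readers who want to reproduce the check described in the post outside Graylog, the following is an added example (not Graylog's code and not the poster's rule). It assumes the exit list is in the TorDNSEL "ExitNode"/"ExitAddress" text format, uses constructed fingerprints and RFC 5737 documentation addresses, and models the two result shapes the post compares: the lookup-table result (single_value / multi_value) and the threat-function result ({threat_indicated: ...}). The consistency_check function reports any key for which the two disagree, which is exactly the symptom the post describes.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample in the TorDNSEL exit-list format. The fingerprints are
# made up and the addresses come from RFC 5737 documentation ranges; these
# are not real relays.
SAMPLE_EXIT_LIST = """\
ExitNode 0123456789ABCDEF0123456789ABCDEF01234567
Published 2024-01-01 00:00:00
LastStatus 2024-01-01 01:00:00
ExitAddress 198.51.100.10 2024-01-01 01:00:00
ExitNode 89ABCDEF0123456789ABCDEF0123456789ABCDEF
Published 2024-01-01 00:00:00
LastStatus 2024-01-01 01:00:00
ExitAddress 203.0.113.5 2024-01-01 01:00:00
ExitAddress 198.51.100.10 2024-01-01 00:30:00
"""


def normalize_ip(value) -> Optional[str]:
    """Accept str, bytes, int or ipaddress objects and return the canonical
    textual form, or None if the value is not an IP address at all.
    Normalising both the list and the query key avoids misses caused by
    whitespace, IPv6 case differences or a non-string message field."""
    try:
        if isinstance(value, (ipaddress.IPv4Address, ipaddress.IPv6Address)):
            return str(value)
        if isinstance(value, int):
            return str(ipaddress.ip_address(value))
        if isinstance(value, bytes):
            value = value.decode("ascii", "replace")
        return str(ipaddress.ip_address(str(value).strip()))
    except ValueError:
        return None


def parse_exit_list(text: str) -> Dict[str, List[str]]:
    """Map each exit address to the fingerprints of the nodes that use it."""
    table: Dict[str, List[str]] = {}
    current_node: Optional[str] = None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "ExitNode" and len(parts) >= 2:
            current_node = parts[1]
        elif parts[0] == "ExitAddress" and len(parts) >= 2 and current_node:
            ip = normalize_ip(parts[1])
            if ip is not None:
                table.setdefault(ip, []).append(current_node)
    return table


def table_lookup(table: Dict[str, List[str]], key) -> Optional[dict]:
    """Shape of the 'Test lookup' result: single_value / multi_value."""
    ip = normalize_ip(key)
    nodes = table.get(ip, []) if ip else []
    if not nodes:
        return None
    return {"single_value": nodes[0], "multi_value": {"node_ids": nodes}}


def tor_lookup(table: Dict[str, List[str]], key) -> dict:
    """Shape of the threat-intel function result: threat_indicated plus the
    matching node ids. Unparseable keys yield a miss, not an exception."""
    hit = table_lookup(table, key)
    if hit is None:
        return {"threat_indicated": False}
    return {"threat_indicated": True, "node_ids": hit["multi_value"]["node_ids"]}


def consistency_check(table: Dict[str, List[str]], keys) -> List:
    """Return every key for which the table lookup and the threat function
    disagree. An empty list means the two views of the same data agree."""
    mismatches = []
    for key in keys:
        table_hit = table_lookup(table, key) is not None
        threat_hit = tor_lookup(table, key)["threat_indicated"]
        if table_hit != threat_hit:
            mismatches.append(key)
    return mismatches


if __name__ == "__main__":
    exits = parse_exit_list(SAMPLE_EXIT_LIST)
    for probe in ["198.51.100.10", " 203.0.113.5 ", "192.0.2.1", "not-an-ip"]:
        print(repr(probe), table_lookup(exits, probe), tor_lookup(exits, probe))
    print("mismatches:", consistency_check(exits, ["198.51.100.10", "192.0.2.1"]))
```

Running the block with a real exit list and the IP from the post's "Test lookup" check is a quick way to confirm that the data itself contains the address before suspecting the pipeline function; if the table hit and the threat result ever disagree here, the cause is in the key normalisation, not in the list.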