Tor_lookup() always returns {threat_indicated:false}

It has been reported here before, and it seems to be a common topic: tor_lookup(“ip-as-a-string”) always returns {threat_indicated:false}.

I checked this by:

  • testing whether a current Tor exit node can be found in the list using the “Test lookup” feature under System/Lookup Tables. This returns something like
{
  "single_value": "YADA....YADA",
  "multi_value": {
    "node_ids": [
      "YADA....YADA"
    ]
  },
  "ttl": 922...6000
}
  • adding a pipeline function and hardcoding the call using the very same IP address, like
rule "test_threat_intel"
when
  has_field("src_ip")
then
  // Look up a hardcoded exit-node IP ("TESTIP" stands in for the real address)
  let intel = tor_lookup("TESTIP");
  // Store the boolean result and the whole returned map for inspection
  set_field("src_ip_is_tor_exit_node", intel.threat_indicated);
  set_field("test", to_string(intel));
end

and I always get

test: “{threat_indicated=false}”

and

src_ip_is_tor_exit_node: false

as a result.

Obviously, this is also true when I use the real IP for the lookup, like in

tor_lookup(to_string($message.src_ip))

So clearly, something is wrong.

Any ideas?
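To separate "tor_lookup() is broken" from "this IP is simply not a current exit node", it helps to check the address against the Tor project's own bulk exit list independently of Graylog. The script below is an added example written for this thread, not code from the original post or from Graylog: it parses the TorDNSEL exit-list layout served at https://check.torproject.org/exit-addresses (ExitNode / Published / LastStatus / ExitAddress lines) and returns the same `{"threat_indicated": bool}` shape the pipeline function is documented to produce. The embedded list is constructed sample data using documentation-range addresses and placeholder fingerprints; the `max_age` cutoff and the injectable `now` are assumptions of this example, not part of Graylog's adapter.

```python
"""Independent Tor exit-node check (illustration only, not Graylog code).

Parses the TorDNSEL bulk exit list format and answers the question
Graylog's tor_lookup() is supposed to answer.  Replace SAMPLE_EXIT_LIST
with the contents of https://check.torproject.org/exit-addresses to use
it against real data.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample in the real file's layout: one block per relay,
# documentation-range IPs and placeholder fingerprints.
SAMPLE_EXIT_LIST = """\
ExitNode 0000000000000000000000000000000000000001
Published 2024-05-01 10:00:00
LastStatus 2024-05-01 11:00:00
ExitAddress 192.0.2.10 2024-05-01 10:30:00
ExitAddress 192.0.2.11 2024-05-01 10:31:00
ExitNode 0000000000000000000000000000000000000002
Published 2024-04-01 10:00:00
LastStatus 2024-04-01 11:00:00
ExitAddress 198.51.100.7 2024-04-01 10:30:00
"""


def parse_exit_list(text):
    """Return {exit_ip: {"node": fingerprint, "last_status": datetime}}.

    A relay block starts with ExitNode; its ExitAddress lines inherit the
    relay's LastStatus timestamp so stale relays can be aged out later.
    """
    exits = {}
    node = None
    last_status = None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        key = parts[0]
        if key == "ExitNode":
            node, last_status = parts[1], None
        elif key == "LastStatus":
            last_status = datetime.strptime(
                " ".join(parts[1:3]), "%Y-%m-%d %H:%M:%S"
            ).replace(tzinfo=timezone.utc)
        elif key == "ExitAddress":
            exits[parts[1]] = {"node": node, "last_status": last_status}
    return exits


def tor_lookup(ip, exits, now=None, max_age=timedelta(hours=24)):
    """Mimic the pipeline function's return shape: {"threat_indicated": bool}.

    An address whose relay has not been seen by the directory authorities
    within max_age is treated as not a current exit (the published list
    keeps relays for a while after they disappear).  `now` is injectable
    so the check is deterministic; max_age is an assumed policy value.
    """
    now = now or datetime.now(timezone.utc)
    entry = exits.get(ip.strip())
    if entry is None or entry["last_status"] is None:
        return {"threat_indicated": False}
    return {"threat_indicated": now - entry["last_status"] <= max_age}


if __name__ == "__main__":
    table = parse_exit_list(SAMPLE_EXIT_LIST)
    at = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    for candidate in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(candidate, tor_lookup(candidate, table, now=at))
```

If this script says an address is a current exit while the pipeline still returns `threat_indicated=false` for the same string, the fault is on the Graylog side rather than in the data; if both say false, the address was never (or is no longer) in the exit list.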

It looks like this is already reported as a bug: https://github.com/Graylog2/graylog2-server/issues/4539

Feel free to subscribe to the GitHub issue to get updates on that.

I have now commented on the issue. I had already stumbled across it, but because the latest comments were from Feb 2018 I thought I'd give it a try here. I take it that nobody currently uses this… :)

Or nobody that is using it has noticed this. I have pointed one of the developers to this. Hopefully a fix will come with the next version.
