Cymru parser_cap_program invalid hostname filtering #2169

Closed
ClevenL opened this issue Apr 27, 2022 · 3 comments · Fixed by #2215
Labels: bug, component: bots, help wanted


ClevenL commented Apr 27, 2022

In some Team-Cymru payloads the optional_information entry includes a hostname: parameter with an IP address. This is parsed in the intelmq.bots.parsers.cymru.parser_cap_program bot into the source.fqdn field, which does not allow IP entries.

There should be a check to filter out IP hostnames, since we already have that data included in the source.ip field.

The fix can be equivalent to PR #2144. Including the FQDN.is_valid check seems overkill in this case, but I included it in the example below.

elif key == 'hostname':
    # some hostnames are IP and not valid fqdn
    if not FQDN.is_valid(value) and value == ip:
        continue
    event['source.fqdn'] = value

gethvi (Contributor) commented Apr 27, 2022

Perhaps a cleaner way:

event.add("source.fqdn", value, raise_failure=False)

sebix added the bug and component: bots labels Apr 29, 2022

sebix (Member) commented Apr 29, 2022

> Perhaps a cleaner way:
>
> event.add("source.fqdn", value, raise_failure=False)

But that could possibly hide other errors as well (e.g. other kinds of data, wrong parsing, etc.)

So I prefer @ClevenL's solution.

gethvi (Contributor) commented May 5, 2022

> But that could possibly hide other errors as well (e.g. other kinds of data, wrong parsing, etc.)

Would it make sense to modify the add function to log the error instead of just returning False?

valid_value = self.__is_valid_value(key, value)
if not valid_value[0]:
    if raise_failure:
        raise exceptions.InvalidValue(key, value, reason=valid_value[1], object=bytes(json.dumps(self.iterable), 'utf-8'))
    else:
        return False
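
The trade-off debated in this thread, as an added example that is not IntelMQ code and not part of any comment: an explicit check skips only the hostname-equals-source-IP case and still fails on other bad values, while a drop-everything-invalid approach (the effect of `raise_failure=False` as described above) also swallows a mis-parsed field. The functions `is_ip`, `is_fqdn`, `explicit_filter`, `lenient_add` and `run` are hypothetical; `is_fqdn` is a simplified stand-in for `FQDN.is_valid`, and the sample rows are constructed.

```python
import ipaddress
import re

# Simplified hostname check for this example only; it stands in for
# IntelMQ's FQDN.is_valid and is not the project's validator.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9_-]{1,63}(?<!-)")

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def is_fqdn(value):
    labels = value.rstrip(".").split(".")
    return (not is_ip(value) and len(labels) >= 2
            and all(_LABEL.fullmatch(label) for label in labels))

def explicit_filter(hostname, ip):
    """Skip only the known-benign case: hostname repeats the source IP."""
    if is_fqdn(hostname):
        return hostname
    if hostname == ip:
        return None  # already stored in source.ip, nothing is lost
    raise ValueError(f"invalid source.fqdn: {hostname!r}")

def lenient_add(hostname, ip):
    """Drop every invalid value without raising."""
    return hostname if is_fqdn(hostname) else None

# Constructed sample rows: (hostname field, source IP)
SAMPLES = [
    ("192.0.2.10", "192.0.2.10"),         # hostname is just the IP
    ("mail.example.net", "192.0.2.11"),   # real hostname
    ("<unparsed;;field>", "192.0.2.12"),  # parsing went wrong upstream
]

def run(handler):
    """Apply a handler to every sample; record 'ERROR' where it raises."""
    out = []
    for hostname, ip in SAMPLES:
        try:
            out.append(handler(hostname, ip))
        except ValueError:
            out.append("ERROR")
    return out
```

Comparing `run(explicit_filter)` with `run(lenient_add)` shows the two approaches agree on the first two rows and differ only on the third, where the lenient variant returns `None` for the malformed field instead of surfacing it.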

sebix added the help wanted label May 6, 2022
waldbauer-certat self-assigned this Jul 14, 2022
waldbauer-certat added a commit that referenced this issue Jul 14, 2022
Fixes #2169

Signed-off-by: Sebastian Waldbauer <waldbauer@cert.at>