Closed jekelundh closed 4 years ago
+1
@lennartkoopmann I am experiencing this bug as well; it ends up resulting in excessive CPU usage and log bloat due to errors in the log file on any version before the current.
2019-05-31T08:52:04.162-04:00 ERROR [PrivateNetLookupFunction] Could not run private net lookup for IP [ff02:0:0:0:0:0:0:fb].
java.lang.IllegalArgumentException: Could not parse [ff02:0:0:0:0:0:0:fb]
at org.apache.commons.net.util.SubnetUtils.toInteger(SubnetUtils.java:287) ~[graylog-plugin-threatintel-3.0.2.jar:?]
at org.apache.commons.net.util.SubnetUtils.access$400(SubnetUtils.java:27) ~[graylog-plugin-threatintel-3.0.2.jar:?]
at org.apache.commons.net.util.SubnetUtils$SubnetInfo.isInRange(SubnetUtils.java:125) ~[graylog-plugin-threatintel-3.0.2.jar:?]
at org.graylog.plugins.threatintel.tools.PrivateNet.isInPrivateAddressSpace(PrivateNet.java:39) ~[graylog-plugin-threatintel-3.0.2.jar:?]
at org.graylog.plugins.threatintel.functions.misc.PrivateNetLookupFunction.evaluate(PrivateNetLookupFunction.java:62) [graylog-plugin-threatintel-3.0.2.jar:?]
at org.graylog.plugins.threatintel.functions.misc.PrivateNetLookupFunction.evaluate(PrivateNetLookupFunction.java:34) [graylog-plugin-threatintel-3.0.2.jar:?]
at org.graylog.plugins.pipelineprocessor.ast.expressions.FunctionExpression.evaluateUnsafe(FunctionExpression.java:63) [graylog.jar:?]
at org.graylog.plugins.pipelineprocessor.ast.expressions.BooleanValuedFunctionWrapper.evaluateBool(BooleanValuedFunctionWrapper.java:37) [graylog.jar:?]
at org.graylog.plugins.pipelineprocessor.ast.expressions.NotExpression.evaluateBool(NotExpression.java:34) [graylog.jar:?]
at org.graylog.plugins.pipelineprocessor.ast.expressions.AndExpression.evaluateBool(AndExpression.java:35) [graylog.jar:?]
at org.graylog.plugins.pipelineprocessor.ast.expressions.AndExpression.evaluateBool(AndExpression.java:35) [graylog.jar:?]
at org.graylog.plugins.pipelineprocessor.ast.expressions.AndExpression.evaluateBool(AndExpression.java:35) [graylog.jar:?]
at org.graylog.plugins.pipelineprocessor.ast.expressions.AndExpression.evaluateBool(AndExpression.java:35) [graylog.jar:?]
at org.graylog.plugins.pipelineprocessor.ast.expressions.AndExpression.evaluateBool(AndExpression.java:35) [graylog.jar:?]
at org.graylog.plugins.pipelineprocessor.ast.expressions.AndExpression.evaluateBool(AndExpression.java:35) [graylog.jar:?]
at org.graylog.plugins.pipelineprocessor.ast.expressions.AndExpression.evaluateBool(AndExpression.java:35) [graylog.jar:?]
at org.graylog.plugins.pipelineprocessor.ast.expressions.AndExpression.evaluateBool(AndExpression.java:35) [graylog.jar:?]
at org.graylog.plugins.pipelineprocessor.ast.expressions.AndExpression.evaluateBool(AndExpression.java:35) [graylog.jar:?]
at org.graylog.plugins.pipelineprocessor.ast.expressions.AndExpression.evaluateBool(AndExpression.java:35) [graylog.jar:?]
at org.graylog.plugins.pipelineprocessor.ast.expressions.AndExpression.evaluateBool(AndExpression.java:35) [graylog.jar:?]
at org.graylog.plugins.pipelineprocessor.ast.expressions.AndExpression.evaluateBool(AndExpression.java:35) [graylog.jar:?]
at org.graylog.plugins.pipelineprocessor.ast.expressions.AndExpression.evaluateBool(AndExpression.java:35) [graylog.jar:?]
at org.graylog.plugins.pipelineprocessor.ast.expressions.AndExpression.evaluateBool(AndExpression.java:35) [graylog.jar:?]
at org.graylog.plugins.pipelineprocessor.ast.expressions.AndExpression.evaluateBool(AndExpression.java:35) [graylog.jar:?]
at org.graylog.plugins.pipelineprocessor.ast.expressions.AndExpression.evaluateBool(AndExpression.java:35) [graylog.jar:?]
at org.graylog.plugins.pipelineprocessor.ast.expressions.AndExpression.evaluateBool(AndExpression.java:35) [graylog.jar:?]
at org.graylog.plugins.pipelineprocessor.ast.expressions.AndExpression.evaluateBool(AndExpression.java:35) [graylog.jar:?]
at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.evaluateRuleCondition(PipelineInterpreter.java:399) [graylog.jar:?]
at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.evaluateStage(PipelineInterpreter.java:299) [graylog.jar:?]
at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.processForResolvedPipelines(PipelineInterpreter.java:263) [graylog.jar:?]
at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.process(PipelineInterpreter.java:143) [graylog.jar:?]
at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.process(PipelineInterpreter.java:99) [graylog.jar:?]
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.handleMessage(ProcessBufferProcessor.java:114) [graylog.jar:?]
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.dispatchMessage(ProcessBufferProcessor.java:100) [graylog.jar:?]
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:77) [graylog.jar:?]
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:42) [graylog.jar:?]
at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) [graylog.jar:?]
at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_201]
Pipeline function in_private_net cannot parse IPv6 entries
Expected Behavior
IPv6 entries should be ignored
Current Behavior
IPv6 entries generate a stack trace in server.log for each message containing IPv6 src/dst.
Possibly duplicate of, or related to, https://github.com/Graylog2/graylog-plugin-threatintel/issues/33
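
One way to get the behaviour asked for under Expected Behavior, as an added example that is not the plugin's code: decide whether the value is an IPv4 literal before doing any IPv4-only range math, so IPv6 literals such as the one in the log above return false instead of throwing once per message. The class and method names and the RFC 1918 range list are assumptions; the plugin's own range list is not shown on this page.

```java
public class PrivateNetGuard {
    // Assumed private ranges (RFC 1918) as {network, prefix length}.
    private static final long[][] PRIVATE_V4 = {
        {ipv4("10.0.0.0"), 8}, {ipv4("172.16.0.0"), 12}, {ipv4("192.168.0.0"), 16}
    };

    /** Parses a dotted-quad IPv4 literal to an unsigned 32-bit value; returns -1 for anything else. */
    static long ipv4(String s) {
        String[] parts = s.split("\\.", -1);
        if (parts.length != 4) return -1;
        long value = 0;
        for (String p : parts) {
            // Strict ASCII digits only, 1 to 3 characters per octet.
            if (p.isEmpty() || p.length() > 3 || !p.chars().allMatch(c -> c >= '0' && c <= '9')) return -1;
            int octet = Integer.parseInt(p);
            if (octet > 255) return -1;
            value = (value << 8) | octet;
        }
        return value;
    }

    /** True only for IPv4 literals inside a private range; IPv6 and malformed input yield false. */
    static boolean isPrivate(String ip) {
        if (ip == null) return false;
        long addr = ipv4(ip.trim());
        if (addr < 0) return false; // IPv6, hostnames, garbage: ignored, no exception, no stack trace
        for (long[] net : PRIVATE_V4) {
            long mask = (0xFFFFFFFFL << (32 - (int) net[1])) & 0xFFFFFFFFL;
            if ((addr & mask) == net[0]) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample values, plus the IPv6 address from the log line in this issue.
        String[] samples = {"10.1.2.3", "172.31.255.1", "8.8.8.8", "ff02:0:0:0:0:0:0:fb", "not-an-ip"};
        for (String s : samples) {
            System.out.println(s + " -> " + isPrivate(s));
        }
    }
}
```

Returning false for non-IPv4 input keeps the pipeline rule condition cheap to evaluate and keeps server.log free of per-message stack traces.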