mlsecproject / combine

Tool to gather Threat Intelligence indicators from publicly available sources
https://www.mlsecproject.org/
GNU General Public License v3.0

Exception in dnsdb queries #49

Closed krmaxwell closed 10 years ago

krmaxwell commented 10 years ago

Enriching mail.TIKTIKZ.COM
Traceback (most recent call last):
  File "winnower.py", line 150, in <module>
    winnow('crop.json', 'crop.json', 'enriched.json')
  File "winnower.py", line 138, in winnow
    e_data = (addr, addr_type, direction, source, note, date, enrich_DNS(ipaddr, date, dnsdb))
  File "winnower.py", line 53, in enrich_DNS
    records = dnsdb.query_rrset(address, rrtype='A')
  File "/home/kmaxwell/src/combine/dnsdb_query.py", line 55, in query_rrset
    return self._query(path)
  File "/home/kmaxwell/src/combine/dnsdb_query.py", line 77, in _query
    http = urllib2.urlopen(req)
  File "/usr/lib/python2.7/urllib2.py", line 127, in urlopen
    return _opener.open(url, data, timeout)
  File "/usr/lib/python2.7/urllib2.py", line 396, in open
    protocol = req.get_type()
  File "/usr/lib/python2.7/urllib2.py", line 258, in get_type
    raise ValueError, "unknown url type: %s" % self.__original
ValueError: unknown url type: /lookup/rrset/name/95.85.191.8/A
orekdm commented 10 years ago

I got the exact same error with the same record last night. Doesn't seem like there is anything unusual in the tuple:

  [
    "95.85.191.8",
    "IPv4",
    "outbound",
    "http://www.nothink.org/blacklist/blacklist_malware_dns.txt",
    "",
    "2014-08-18"
  ],
alexcpsec commented 10 years ago

Ok, this is an easy one. It means the API endpoint is not configured.

I will set the "official endpoint" as the default on the configuration file.
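The failure mode and the guard described above, as an added example that is not combine's own dnsdb_query.py: with no server configured the client hands urllib a bare path such as /lookup/rrset/name/95.85.191.8/A, which is rejected as "unknown url type"; validating the endpoint (and defaulting it) turns that into a clear configuration error before any request is built. The default endpoint URL and the helper names are assumptions, not taken from the issue.

```python
"""Guard the DNSDB endpoint before building an rrset query URL."""
from urllib.parse import quote, urlsplit
from urllib.request import Request

# Assumed value: the issue only says an "official endpoint" will become the
# config default; this URL is a stand-in, not taken from the page.
DEFAULT_DNSDB_SERVER = "https://api.dnsdb.info"


def unguarded_request(server, name, rrtype="A"):
    """Mimic the unvalidated behaviour from the traceback: an empty server
    yields a bare path, and urllib refuses it when the Request is built."""
    return Request("%s/lookup/rrset/name/%s/%s" % (server, name, rrtype))


def reproduces_issue(server=""):
    """True when the given server value triggers urllib's 'unknown url type'."""
    try:
        unguarded_request(server, "95.85.191.8")
    except ValueError as exc:
        return "unknown url type" in str(exc)
    return False


def resolve_server(configured):
    """Return a usable base URL: default when unset, error when malformed."""
    server = (configured or "").strip()
    if not server:
        return DEFAULT_DNSDB_SERVER
    parts = urlsplit(server)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        # Name the misconfiguration up front instead of letting urllib
        # raise deep inside _query() with only the path in the message.
        raise ValueError("dnsdb server must be an http(s) URL, got %r" % server)
    return server.rstrip("/")


def rrset_url(server, name, rrtype="A"):
    """Build the lookup URL in the shape the traceback shows
    (/lookup/rrset/name/<name>/<rrtype>) on top of a validated server."""
    return "%s/lookup/rrset/name/%s/%s" % (
        resolve_server(server), quote(name, safe=""), rrtype)


if __name__ == "__main__":
    print("unconfigured server reproduces the issue:", reproduces_issue(""))
    print(rrset_url("", "95.85.191.8"))
```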