Merge pull request #2395 from certtools/fix-2394

bug: fix reverse_dns expert caching
certtools · Aug 28, 2023 · 621dd88 · 621dd88
2 parents 5b94c9e + eaa8fb7
commit 621dd88
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 14 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -24,6 +24,8 @@ CHANGELOG
 #### Parsers
 
 #### Experts
+- `intelmq.bots.experts.reverse_dns.expert`:
+  - Fix the cache key to not cache results for /24 (IPv4) and /128 (IPv6) networks but for single IP-Adresses (PR#2395 by Sebastian Wagner, fixes #2394).
 
 #### Outputs
 

diff --git a/NEWS.md b/NEWS.md
@@ -13,6 +13,13 @@ Please refer to the change log for a full list of changes.
 3.2.1 Bugfix release (unreleased)
 ---------------------------------
 
+### Reverse DNS Expert
+Until IntelMQ version 3.2.0, the bot incorrectly cached and re-used results for /24 networks instead of single IP addresses.
+If the bot retrieved the PTR for `192.0.43.7`, it was cached for `192.0.43.0/24` and used for all IP addresses in this range, for example for `192.0.43.8`.
+IntelMQ version 3.2.1 fixes this issue.
+
+The bugfix will correctly increase the cache sizes and decrease the performance, as less (incorrect) data is re-used.
+
 ### Requirements
 
 ### Tools

diff --git a/intelmq/bots/experts/reverse_dns/expert.py b/intelmq/bots/experts/reverse_dns/expert.py
@@ -15,8 +15,6 @@
 from intelmq.lib.mixins import CacheMixin
 from intelmq.lib.utils import resolve_dns
 
-MINIMUM_BGP_PREFIX_IPV4 = 24
-MINIMUM_BGP_PREFIX_IPV6 = 128
 DNS_EXCEPTION_VALUE = "__dns-exception"
 
 
@@ -48,16 +46,9 @@ def process(self):
                 continue
 
             ip = event.get(ip_key)
-            ip_version = IPAddress.version(ip)
             ip_integer = IPAddress.to_int(ip)
 
-            if ip_version == 4:
-                minimum = MINIMUM_BGP_PREFIX_IPV4
-
-            elif ip_version == 6:
-                minimum = MINIMUM_BGP_PREFIX_IPV6
-
-            cache_key = bin(ip_integer)[2: minimum + 2]
+            cache_key = bin(ip_integer)[2:]
             cachevalue = self.cache_get(cache_key)
 
             result = None

diff --git a/intelmq/tests/bots/experts/reverse_dns/test_expert.py b/intelmq/tests/bots/experts/reverse_dns/test_expert.py
@@ -17,20 +17,20 @@
 EXAMPLE_OUTPUT = {"__type": "Event",
                   "source.ip": "192.0.43.7",
                   "source.reverse_dns": "icann.org",
-                  "destination.ip": "192.0.43.8",
-                  "destination.reverse_dns": "icann.org",
-                  # manual verification shows another result:
-                  # "destination.reverse_dns": "43-8.any.icann.org.",       # pretty weird!
+                  "destination.ip": "192.0.43.8",  # in the same /24 as source.ip, certtools/intelmq#2394
+                  "destination.reverse_dns": "43-8.any.icann.org",
                   "time.observation": "2015-01-01T00:00:00+00:00",
                   }
 EXAMPLE_INPUT6 = {"__type": "Event",
                   "source.ip": "2001:500:88:200::8",  # iana.org
                   "source.reverse_dns": "example.com",
                   "time.observation": "2015-01-01T00:00:00+00:00",
+                  "destination.ip": "2001:500:88:200::7",  # has no reverse record, certtools/intelmq#2394
                   }
 EXAMPLE_OUTPUT6 = {"__type": "Event",
                    "source.ip": "2001:500:88:200::8",
                    "source.reverse_dns": "iana.org",
+                   "destination.ip": "2001:500:88:200::7",
                    "time.observation": "2015-01-01T00:00:00+00:00",
                    }
 INVALID_PTR_INP2 = {"__type": "Event",