From eaa8fb74355c7c3b8c829b5798901aee9f6d5f6b Mon Sep 17 00:00:00 2001
From: Sebastian Wagner
Date: Fri, 11 Aug 2023 11:32:19 +0200
Subject: [PATCH] bug: fix reverse_dns expert caching fixes certtools/intelmq#2394 the bot incorrectly cached PTR records for /24 or /128 networks now the cache operates on single IP addresses
---
 CHANGELOG.md | 2 ++
 NEWS.md | 7 +++++++
 intelmq/bots/experts/reverse_dns/expert.py | 11 +----------
 intelmq/tests/bots/experts/reverse_dns/test_expert.py | 8 ++++----
 4 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index bb81512c3..2f5e94e45 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -23,6 +23,8 @@ CHANGELOG
 #### Parsers
 #### Experts
+- `intelmq.bots.experts.reverse_dns.expert`:
+ - Fix the cache key to not cache results for /24 (IPv4) and /128 (IPv6) networks but for single IP-Adresses (PR#2395 by Sebastian Wagner, fixes #2394).
 #### Outputs
diff --git a/NEWS.md b/NEWS.md
index 0ae6f6044..8aaa5916a 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -13,6 +13,13 @@ Please refer to the change log for a full list of changes.
 3.2.1 Bugfix release (unreleased)
 ---------------------------------
+### Reverse DNS Expert
+Until IntelMQ version 3.2.0, the bot incorrectly cached and re-used results for /24 networks instead of single IP addresses.
+If the bot retrieved the PTR for `192.0.43.7`, it was cached for `192.0.43.0/24` and used for all IP addresses in this range, for example for `192.0.43.8`.
+IntelMQ version 3.2.1 fixes this issue.
+
+The bugfix will correctly increase the cache sizes and decrease the performance, as less (incorrect) data is re-used.
+
 ### Requirements
 ### Tools
diff --git a/intelmq/bots/experts/reverse_dns/expert.py b/intelmq/bots/experts/reverse_dns/expert.py
index 058fa3f78..26587bbed 100644
--- a/intelmq/bots/experts/reverse_dns/expert.py
+++ b/intelmq/bots/experts/reverse_dns/expert.py
@@ -15,8 +15,6 @@
 from intelmq.lib.mixins import CacheMixin
 from intelmq.lib.utils import resolve_dns
-MINIMUM_BGP_PREFIX_IPV4 = 24
-MINIMUM_BGP_PREFIX_IPV6 = 128
 DNS_EXCEPTION_VALUE = "__dns-exception"
@@ -48,16 +46,9 @@ def process(self):
 continue
 ip = event.get(ip_key)
- ip_version = IPAddress.version(ip)
 ip_integer = IPAddress.to_int(ip)
- if ip_version == 4:
- minimum = MINIMUM_BGP_PREFIX_IPV4
-
- elif ip_version == 6:
- minimum = MINIMUM_BGP_PREFIX_IPV6
-
- cache_key = bin(ip_integer)[2: minimum + 2]
+ cache_key = bin(ip_integer)[2:]
 cachevalue = self.cache_get(cache_key)
 result = None
diff --git a/intelmq/tests/bots/experts/reverse_dns/test_expert.py b/intelmq/tests/bots/experts/reverse_dns/test_expert.py
index c7451226c..66bb1d906 100644
--- a/intelmq/tests/bots/experts/reverse_dns/test_expert.py
+++ b/intelmq/tests/bots/experts/reverse_dns/test_expert.py
@@ -17,20 +17,20 @@
 EXAMPLE_OUTPUT = {"__type": "Event",
 "source.ip": "192.0.43.7",
 "source.reverse_dns": "icann.org",
- "destination.ip": "192.0.43.8",
- "destination.reverse_dns": "icann.org",
- # manual verification shows another result:
- # "destination.reverse_dns": "43-8.any.icann.org.", # pretty weird!
+ "destination.ip": "192.0.43.8", # in the same /24 as source.ip, certtools/intelmq#2394
+ "destination.reverse_dns": "43-8.any.icann.org",
 "time.observation": "2015-01-01T00:00:00+00:00",
 }
 EXAMPLE_INPUT6 = {"__type": "Event",
 "source.ip": "2001:500:88:200::8", # iana.org
 "source.reverse_dns": "example.com",
 "time.observation": "2015-01-01T00:00:00+00:00",
+ "destination.ip": "2001:500:88:200::7", # has no reverse record, certtools/intelmq#2394
 }
 EXAMPLE_OUTPUT6 = {"__type": "Event",
 "source.ip": "2001:500:88:200::8",
 "source.reverse_dns": "iana.org",
+ "destination.ip": "2001:500:88:200::7",
 "time.observation": "2015-01-01T00:00:00+00:00",
 }
 INVALID_PTR_INP2 = {"__type": "Event",
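Review bot: The new key on the `cache_key = bin(ip_integer)[2:]` line is built from the address's integer value alone, so nothing in it separates IPv4 from IPv6. If `IPAddress.to_int` returns the plain numeric value, as its name suggests, an IPv4 and an IPv6 address with the same integer (for example `0.0.0.1` and `::1`) share one cache entry, and a PTR result stored for one is returned for the other. Folding the address family into the key avoids that, e.g. `cache_key = f"{IPAddress.version(ip)}:{ip_integer}"`, and a short comment such as `# key identifies exactly one address; never truncate to a prefix` would help keep the old behaviour from coming back. `process()` starts and ends outside this hunk, so how `ip` is validated before this point is not visible here.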
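Review bot: The new expectations `"destination.reverse_dns": "43-8.any.icann.org"` and the absent PTR for `2001:500:88:200::7` appear to depend on live DNS answers, so the regression check for the cache fix would fail whenever those records change or the resolver is unreachable. A test that stubs the resolver with two different names for two addresses in the same /24, and asserts that the second lookup is not answered from the first one's cache entry, would pin the fix deterministically. In `EXAMPLE_OUTPUT6` a comment such as `# no PTR for ::7, so no destination.reverse_dns is expected` would make the intent of the missing key explicit. The `INVALID_PTR_INP2` dict opened on the hunk's last line continues outside the hunk.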