
Improve WHOIS adapter handling of multiple results

Open waab76 opened this issue 5 years ago • 0 comments

Currently, when ARIN has multiple results for an IP address, the WHOIS data adapter fails to return data. Sample IPs that demonstrate this include 24.255.164.88, 65.118.97.162, and 68.110.253.17.

In each of these cases, ARIN has multiple records with different Network Type values. We want to update the WHOIS plugin to better handle these cases and return the data from the most specific record. The preference order for Network Types will be:

  1. Reassigned
  2. Direct Assignment
  3. Direct Allocation
  4. Reallocated

Input Criteria

  • [x] WHOIS data adapter works

Output Criteria

  • [x] When a single record is present, data adapter returns data for that record
  • [x] When multiple records are present, data adapter returns data for the record with the most preferred Network Type
  • [ ] Fix backported to 4.0
  • [ ] Fix backported to 3.3

Tasks

  • [x] Update ARIN parser to handle multiple records
  • [x] Write JUnit tests for behavior
  • [ ] Backport to 4.0
  • [ ] Backport to 3.3

waab76 Nov 19 '20 14:11
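The selection rule described in the issue, shown as an added Python example rather than the plugin's own Java code: split an ARIN-style key/value response into records and return the one with the most preferred Network Type. The response text, names and ranges are constructed for the example (the 203.0.113.0/24 documentation block), and the helper names are assumptions.

```python
"""Pick the most specific ARIN WHOIS record when a lookup returns several.

Added example, not code from graylog-plugin-threatintel. The record text below is
constructed to resemble ARIN's key/value output; names and ranges are made up.
"""

# Preference order from the issue: lower index wins.
NETTYPE_PREFERENCE = ["Reassigned", "Direct Assignment", "Direct Allocation", "Reallocated"]

# Constructed sample: two records for one IP, a parent allocation and a reassignment inside it.
SAMPLE_WHOIS = """\
# ARIN WHOIS data and services are subject to the Terms of Use (constructed sample)

NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
NetName:        EXAMPLE-ISP-BLOCK
NetType:        Direct Allocation
OrgName:        Example ISP

NetRange:       203.0.113.64 - 203.0.113.95
CIDR:           203.0.113.64/27
NetName:        EXAMPLE-CUSTOMER
NetType:        Reassigned
OrgName:        Example Customer
"""


def parse_records(text):
    """Split key/value output into one dict per record; records are separated by blank or '#' lines."""
    records, current = [], {}
    for line in text.splitlines():
        if line.startswith("#") or not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")  # split on the first colon only; values may contain ':'
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def rank(record):
    """Lower is better; an unknown NetType sorts after every known one so a record is still returned."""
    net_type = record.get("NetType", "")
    return NETTYPE_PREFERENCE.index(net_type) if net_type in NETTYPE_PREFERENCE else len(NETTYPE_PREFERENCE)


def select_record(text):
    """Return the single preferred record, or None when the response contains no records."""
    records = parse_records(text)
    return min(records, key=rank) if records else None
```

With a single record the same function returns that record unchanged, matching the issue's single-record output criterion.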