[Intelmq-users] Reverse DNS Expert - unusual behavior
Tomislav Protega
tomislav.protega at cert.hr
Thu Dec 12 10:18:46 CET 2019
Hi,
recently I noticed that reverse DNS expert bot doesn't correctly apply
the reverse lookup results for IP. Meaning, the right value (result) is
not applied for the right JSON event. It's like it's skipping it and
then applies it to other event. There are no errors in log file for the bot.
For the illustration:
Let say that hostname for IP 1.1.1.1 is "xx.yyy.zz", but
instead the mentioned hostname becomes applied under wrong JSON event
for the IP which in real has no PTR record in DNS.
Of course, there are events which have applied right PTR record for the
IP, but in rare situations.
This case is not the issue with raw events which already contain
hostname in origin feed.
Anyone notice such behavor, or could take a look at already processed
data and see if the "source.reverse_dns" has right value applied against IP?
Regards,
--
Tomislav
More information about the Intelmq-users
mailing list