Tail regex is capturing IPs that start with a 0 causing HTTP 500 errors

Question

Tail regex is capturing IPs that start with a 0 causing HTTP 500 errors

Obsecurus opened this issue 3 years ago · comments

IPs starting with `0 with more than one digit in the first octet are incorrectly handled by the iputil module and then passed to GreyNoise which results in an HTTP 500.

Matt Lehman · Answer 1 · Mon Jan 25 2021 13:51:20 GMT+0800 (China Standard Time)

See https://github.com/GreyNoise-Intelligence/greynoise-fluentbit-lua/blob/main/examples/parsers.conf#L4 but this should also be marked as an invalid IP in check_ip and never sent to the API.

Matt Lehman · Answer 2 · Mon Jan 25 2021 14:08:12 GMT+0800 (China Standard Time)

Fixed with: Regex /(?<host>(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))/