Tail regex is capturing IPs that start with a 0 causing HTTP 500 errors
Obsecurus opened this issue · comments
Matt Lehman commented
IPs starting with `0 with more than one digit in the first octet are incorrectly handled by the iputil module and then passed to GreyNoise which results in an HTTP 500.
Matt Lehman commented
See https://github.com/GreyNoise-Intelligence/greynoise-fluentbit-lua/blob/main/examples/parsers.conf#L4 but this should also be marked as an invalid IP in check_ip
and never sent to the API.
Matt Lehman commented
Fixed with: Regex /(?<host>(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))/