IpInformer
This presentation's goal is to introduce the features of the IpInformer and how to configure it.
The challenge
I want to enrich an event with additional information about the ip_addresses it contains
from this:
[7]:
# Input event: a plain list of IPv4/IPv6 address strings under "ip_addresses".
# The sample deliberately mixes loopback (v4 and v6), RFC 1918 private and
# IPv6 link-local addresses so that the enrichment flags differ per entry.
document = {
    "ip_addresses": [
        "127.0.0.1",
        "::1",
        "192.168.178.54",
        "10.10.0.2",
        "fe80::b056:32ff:fe70:1f61",
    ],
}
to this:
[8]:
# Expected output: the list is replaced by a dict keyed by the original
# address string. The per-address keys match the attribute names exposed by
# Python's ipaddress.IPv4Address / IPv6Address (IPv6 entries carry the extra
# ipv4_mapped / is_site_local / scope_id / sixtofour / teredo keys).
expected = {
    "ip_addresses": {
        # IPv4 loopback
        "127.0.0.1": {
            "compressed": "127.0.0.1", "exploded": "127.0.0.1",
            "is_global": False, "is_link_local": False, "is_loopback": True,
            "is_multicast": False, "is_private": True, "is_reserved": False,
            "is_unspecified": False, "max_prefixlen": 32,
            "reverse_pointer": "1.0.0.127.in-addr.arpa", "version": 4,
        },
        # IPv6 loopback
        "::1": {
            "compressed": "::1",
            "exploded": "0000:0000:0000:0000:0000:0000:0000:0001",
            "ipv4_mapped": None,
            "is_global": False, "is_link_local": False, "is_loopback": True,
            "is_multicast": False, "is_private": True, "is_reserved": True,
            "is_site_local": False, "is_unspecified": False,
            "max_prefixlen": 128,
            "reverse_pointer": "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa",
            "scope_id": None, "sixtofour": None, "teredo": None,
            "version": 6,
        },
        # RFC 1918 private (192.168.0.0/16)
        "192.168.178.54": {
            "compressed": "192.168.178.54", "exploded": "192.168.178.54",
            "is_global": False, "is_link_local": False, "is_loopback": False,
            "is_multicast": False, "is_private": True, "is_reserved": False,
            "is_unspecified": False, "max_prefixlen": 32,
            "reverse_pointer": "54.178.168.192.in-addr.arpa", "version": 4,
        },
        # RFC 1918 private (10.0.0.0/8)
        "10.10.0.2": {
            "compressed": "10.10.0.2", "exploded": "10.10.0.2",
            "is_global": False, "is_link_local": False, "is_loopback": False,
            "is_multicast": False, "is_private": True, "is_reserved": False,
            "is_unspecified": False, "max_prefixlen": 32,
            "reverse_pointer": "2.0.10.10.in-addr.arpa", "version": 4,
        },
        # IPv6 link-local (fe80::/10)
        "fe80::b056:32ff:fe70:1f61": {
            "compressed": "fe80::b056:32ff:fe70:1f61",
            "exploded": "fe80:0000:0000:0000:b056:32ff:fe70:1f61",
            "ipv4_mapped": None,
            "is_global": False, "is_link_local": True, "is_loopback": False,
            "is_multicast": False, "is_private": True, "is_reserved": False,
            "is_site_local": False, "is_unspecified": False,
            "max_prefixlen": 128,
            "reverse_pointer": "1.6.f.1.0.7.e.f.f.f.2.3.6.5.0.b.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa",
            "scope_id": None, "sixtofour": None, "teredo": None,
            "version": 6,
        },
    },
}
Create rule and processor
create the rule:
[9]:
import sys

# The notebook sits several directories below the repository root; put the
# root on the import path so `logprep` resolves from a source checkout.
sys.path.append("../../../../../")

from logprep.processor.ip_informer.rule import IpInformerRule

# Rule: match every event that carries an "ip_addresses" field, read the
# address list from it and write the enrichment back to the very same field.
# "overwrite_target" is set because source and target coincide here — the
# existing list is replaced by the enriched dict (see the output below);
# presumably the processor would not touch an existing target otherwise.
rule_definition = dict(
    filter="ip_addresses",
    ip_informer=dict(
        source_fields=["ip_addresses"],
        target_field="ip_addresses",
        overwrite_target=True,
    ),
)
rule = IpInformerRule.create_from_dict(rule_definition)
create the processor config:
[10]:
# Minimal processor configuration: a single named processor of type
# "ip_informer". "rules" is left empty on purpose — the rule built above is
# registered on the processor by hand in a later cell.
processor_config = {
    "the_ip_informer_name": {"type": "ip_informer", "rules": []},
}
create the processor with the factory:
[11]:
from logging import getLogger

from logprep.factory import Factory

# Root logger handle; none of the cells shown here use it, it is kept for
# parity with the usual processor setup.
logger = getLogger()

# The factory instantiates the processor described by the one-entry config.
ip_informer = Factory.create(processor_config)
ip_informer  # displays the processor's repr
[11]:
ip_informer
load the rule into the processor:
[12]:
# The config left "rules" empty, so register the rule on the processor's
# rule tree directly.
# NOTE: _rule_tree is a non-public attribute — acceptable for a demo, but a
# deployed processor should receive its rules through the config "rules"
# entry rather than through this attribute.
rule_tree = ip_informer._rule_tree
rule_tree.add_rule(rule)
Process event
[13]:
import json
from copy import deepcopy


def _show(label, event):
    """Print *event* as indented JSON, prefixed with *label*."""
    print(f"{label}: {json.dumps(event, indent=2)}")


# process() works on the event in place, so enrich a deep copy and leave the
# original `document` untouched.
mydocument = deepcopy(document)
_show("before", mydocument)
ip_informer.process(mydocument)
_show("after", mydocument)
# The enriched event must equal the hand-written expectation from above.
print(mydocument == expected)
before: {
"ip_addresses": [
"127.0.0.1",
"::1",
"192.168.178.54",
"10.10.0.2",
"fe80::b056:32ff:fe70:1f61"
]
}
after: {
"ip_addresses": {
"127.0.0.1": {
"compressed": "127.0.0.1",
"exploded": "127.0.0.1",
"is_global": false,
"is_link_local": false,
"is_loopback": true,
"is_multicast": false,
"is_private": true,
"is_reserved": false,
"is_unspecified": false,
"max_prefixlen": 32,
"reverse_pointer": "1.0.0.127.in-addr.arpa",
"version": 4
},
"::1": {
"compressed": "::1",
"exploded": "0000:0000:0000:0000:0000:0000:0000:0001",
"ipv4_mapped": null,
"is_global": false,
"is_link_local": false,
"is_loopback": true,
"is_multicast": false,
"is_private": true,
"is_reserved": true,
"is_site_local": false,
"is_unspecified": false,
"max_prefixlen": 128,
"reverse_pointer": "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa",
"scope_id": null,
"sixtofour": null,
"teredo": null,
"version": 6
},
"192.168.178.54": {
"compressed": "192.168.178.54",
"exploded": "192.168.178.54",
"is_global": false,
"is_link_local": false,
"is_loopback": false,
"is_multicast": false,
"is_private": true,
"is_reserved": false,
"is_unspecified": false,
"max_prefixlen": 32,
"reverse_pointer": "54.178.168.192.in-addr.arpa",
"version": 4
},
"10.10.0.2": {
"compressed": "10.10.0.2",
"exploded": "10.10.0.2",
"is_global": false,
"is_link_local": false,
"is_loopback": false,
"is_multicast": false,
"is_private": true,
"is_reserved": false,
"is_unspecified": false,
"max_prefixlen": 32,
"reverse_pointer": "2.0.10.10.in-addr.arpa",
"version": 4
},
"fe80::b056:32ff:fe70:1f61": {
"compressed": "fe80::b056:32ff:fe70:1f61",
"exploded": "fe80:0000:0000:0000:b056:32ff:fe70:1f61",
"ipv4_mapped": null,
"is_global": false,
"is_link_local": true,
"is_loopback": false,
"is_multicast": false,
"is_private": true,
"is_reserved": false,
"is_site_local": false,
"is_unspecified": false,
"max_prefixlen": 128,
"reverse_pointer": "1.6.f.1.0.7.e.f.f.f.2.3.6.5.0.b.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa",
"scope_id": null,
"sixtofour": null,
"teredo": null,
"version": 6
}
}
}
True