Analyzer Issue : Abuse_Finder #277

Closed
jipidini opened this issue Jun 7, 2018 · 5 comments
Labels
category:bug (Issue is related to a bug), scope:analyzer (Issue is analyzer related)

Comments

@jipidini

jipidini commented Jun 7, 2018

Request Type

Analyzer

Work Environment

N/A

| Question | Answer |
|---|---|
| OS version (server) | Ubuntu 16.04 |
| OS version (client) | OSX |
| Cortex Analyzer Name | Abuse_Finder |
| Cortex Analyzer Version | 2.0 |
| Cortex Version | 2.0.4 |
| Browser type & version | Chrome |

Description

Submitting a job using the Abuse_Finder analyzer

Steps to Reproduce

(keep this section only if the issue relates to a bug)

  1. Logged In Cortex
  2. + New Analysis
  3. ip, 8.8.8.8, Abuse_Finder
Invalid output
/usr/local/lib/python2.7/dist-packages/ipwhois/net.py:138: UserWarning: allow_permutations has been deprecated and will be removed. It is no longer needed, due to the deprecation of asn_alts, and the addition of the asn_methods argument.
  warn('allow_permutations has been deprecated and will be removed. '
/usr/local/lib/python2.7/dist-packages/ipwhois/asn.py:178: UserWarning: IPASN._parse_fields_dns() has been deprecated and will be removed. You should now use IPASN.parse_fields_dns().
  warn('IPASN._parse_fields_dns() has been deprecated and will be '
Traceback (most recent call last):
  File "Abuse_Finder/abusefinder.py", line 44, in <module>
    AbuseFinderAnalyzer().run()
  File "Abuse_Finder/abusefinder.py", line 40, in run
    self.report({'abuse_finder': self.abuse()})
  File "Abuse_Finder/abusefinder.py", line 29, in abuse
    return ip_abuse(self.get_data())
  File "/usr/local/lib/python2.7/dist-packages/abuse_finder/ip.py", line 43, in ip_abuse
    results = obj.lookup_whois(inc_raw=True)
  File "/usr/local/lib/python2.7/dist-packages/ipwhois/ipwhois.py", line 179, in lookup_whois
    field_list=field_list
  File "/usr/local/lib/python2.7/dist-packages/ipwhois/whois.py", line 678, in lookup
    extra_blacklist=extra_blacklist
  File "/usr/local/lib/python2.7/dist-packages/ipwhois/net.py", line 649, in get_whois
    server=server, port=port, extra_blacklist=extra_blacklist
  File "/usr/local/lib/python2.7/dist-packages/ipwhois/net.py", line 649, in get_whois
    server=server, port=port, extra_blacklist=extra_blacklist
  File "/usr/local/lib/python2.7/dist-packages/ipwhois/net.py", line 649, in get_whois
    server=server, port=port, extra_blacklist=extra_blacklist
  File "/usr/local/lib/python2.7/dist-packages/ipwhois/net.py", line 655, in get_whois
    'WHOIS lookup failed for {0}.'.format(self.address_str)
ipwhois.exceptions.WhoisLookupError: WHOIS lookup failed for 8.8.8.8.

Possible Solutions

Still researching...

Complementary information

@saadkadhi
Contributor

Weird. I just did the same and it works perfectly:
screen shot 2018-06-07 at 23 11 36
screen shot 2018-06-07 at 23 11 17

@jipidini
Author

jipidini commented Jun 8, 2018

OK, thanks! Weird indeed... I have built another instance on a different machine and get the same error:

Invalid output
/usr/local/lib/python2.7/dist-packages/ipwhois/net.py:138: UserWarning: allow_permutations has been deprecated and will be removed. It is no longer needed, due to the deprecation of asn_alts, and the addition of the asn_methods argument.
  warn('allow_permutations has been deprecated and will be removed. '
/usr/local/lib/python2.7/dist-packages/ipwhois/asn.py:178: UserWarning: IPASN._parse_fields_dns() has been deprecated and will be removed. You should now use IPASN.parse_fields_dns().
  warn('IPASN._parse_fields_dns() has been deprecated and will be '
Traceback (most recent call last):
  File "Abuse_Finder/abusefinder.py", line 44, in <module>
    AbuseFinderAnalyzer().run()
  File "Abuse_Finder/abusefinder.py", line 40, in run
    self.report({'abuse_finder': self.abuse()})
  File "Abuse_Finder/abusefinder.py", line 29, in abuse
    return ip_abuse(self.get_data())
  File "/usr/local/lib/python2.7/dist-packages/abuse_finder/ip.py", line 43, in ip_abuse
    results = obj.lookup_whois(inc_raw=True)
  File "/usr/local/lib/python2.7/dist-packages/ipwhois/ipwhois.py", line 179, in lookup_whois
    field_list=field_list
  File "/usr/local/lib/python2.7/dist-packages/ipwhois/whois.py", line 678, in lookup
    extra_blacklist=extra_blacklist
  File "/usr/local/lib/python2.7/dist-packages/ipwhois/net.py", line 649, in get_whois
    server=server, port=port, extra_blacklist=extra_blacklist
  File "/usr/local/lib/python2.7/dist-packages/ipwhois/net.py", line 649, in get_whois
    server=server, port=port, extra_blacklist=extra_blacklist
  File "/usr/local/lib/python2.7/dist-packages/ipwhois/net.py", line 649, in get_whois
    server=server, port=port, extra_blacklist=extra_blacklist
  File "/usr/local/lib/python2.7/dist-packages/ipwhois/net.py", line 655, in get_whois
    'WHOIS lookup failed for {0}.'.format(self.address_str)
ipwhois.exceptions.WhoisLookupError: WHOIS lookup failed for 8.8.8.8.

screen shot 2018-06-08 at 3 33 50 pm

@jeromeleonard
Contributor

Never got this message while running the analyzer. This seems to be related to a known issue in the ipwhois lib used by the abuse_finder library: secynic/ipwhois#203.

I also made some tests and managed to get the error sometimes.

>>> from ipwhois import IPWhois
>>> obj = IPWhois('8.8.8.8')
/usr/local/lib/python2.7/site-packages/ipwhois/net.py:138: UserWarning: allow_permutations has been deprecated and will be removed. It is no longer needed, due to the deprecation of asn_alts, and the addition of the asn_methods argument.
  warn('allow_permutations has been deprecated and will be removed. '
>>> obj = IPWhois('8.8.8.8')
>>> obj = IPWhois('8.8.4.4')
>>>
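
An added example, not part of this thread and not code from Cortex, abuse_finder or ipwhois: one way an analyzer can bound retries on the intermittent WHOIS failure shown above and emit a structured JSON error instead of a traceback. The local `WhoisLookupError` class, the injected `lookup` callable, the flaky test double and the report field names are assumptions made so the code runs offline.

```python
import json
import time

class WhoisLookupError(Exception):
    """Local stand-in (assumption) for ipwhois.exceptions.WhoisLookupError."""

def lookup_with_retry(lookup, address, attempts=3, base_delay=1.0, sleep=time.sleep):
    """Call lookup(address), retrying failed WHOIS lookups with exponential backoff.

    Returns (result, errors); result is None when every attempt failed.
    """
    errors = []
    attempts = max(1, attempts)
    for attempt in range(attempts):
        try:
            return lookup(address), errors
        except WhoisLookupError as exc:
            errors.append(str(exc))
            if attempt < attempts - 1:          # no sleep after the final attempt
                sleep(base_delay * 2 ** attempt)
    return None, errors

def analyzer_output(lookup, address, **retry_opts):
    """Return one JSON document whether the lookup worked or not."""
    result, errors = lookup_with_retry(lookup, address, **retry_opts)
    if result is None:
        # Field names are assumptions modelled on a success/error report.
        report = {"success": False, "input": address,
                  "errorMessage": "WHOIS lookup failed after %d attempts: %s"
                                  % (len(errors), errors[-1])}
    else:
        report = {"success": True, "retries": len(errors),
                  "full": {"abuse_finder": result}}
    return json.dumps(report, sort_keys=True)

def make_flaky_lookup(failures):
    """Constructed test double: raises `failures` times, then answers."""
    remaining = {"n": failures}
    def lookup(address):
        if remaining["n"] > 0:
            remaining["n"] -= 1
            raise WhoisLookupError("WHOIS lookup failed for {0}.".format(address))
        return {"value": address, "abuse": ["abuse@example.invalid"]}  # constructed
    return lookup

if __name__ == "__main__":
    no_wait = lambda seconds: None
    print(analyzer_output(make_flaky_lookup(1), "8.8.8.8", sleep=no_wait))
    print(analyzer_output(make_flaky_lookup(5), "8.8.8.8", sleep=no_wait))
```

In a real analyzer the `lookup` argument would wrap the library call that raises in the traceback above, and the failure branch would go through the analyzer framework's own error reporting.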

saadkadhi added the category:bug (Issue is related to a bug) and scope:analyzer (Issue is analyzer related) labels on Jul 12, 2018
@saadkadhi
Contributor

@jeromeleonard should we close this one or are you still looking into it?

@hermanmaleiane

Hi @jeromeleonard and @saadkadhi!!!
I have this issue using Abuse_Finder 3 docker neurons.
How can I fix this?

image
