Hi Jasmin,
Can you confirm what version of the email parsing script you're using? In the current version, v2.3.2, two regex patterns are used for IP Address parsing:
IPv4: (?:[\d]{1,3}\.){3}[\d]{1,3}
IPv6: ((?:(?:[A-Fa-f0-9]){0,4}:){1,7}(?:[A-Fa-f0-9]){1,4}(?:\\.[0-9]{1,3}){0,3})
In my tests, EventMap[.]ID:::xxx does not match either of these patterns. If the pattern was EventMap[.]ID:::0xxx, then, unfortunately, D:::0 would match. I found many IPv6 regex patterns on the internet. None worked for me as a simple substitution. But if you find one that works for you, the code to change looks like this:
def makeIPv6Pattern():
    """A method to return a pattern that will match IPv6 addresses.
    The pattern will match strings of the form:
        abcd:abcd:1234:abcd:abcd:abcd:abcd:abcd:abcd
        abcd:abcd::abcd:abcd:abcd:abcd:abcd
        abcd:abcd:abcd:abcd:abcd:abcd::abcd
        ::1
        ::ffff:192.0.1.1
    but it will also match strings such as
        16:38:37
    This necessitates a second cleaning stage, performed by cleanIPv6().
    """
    return "((?:(?:[A-Fa-f0-9]){0,4}:){1,7}(?:[A-Fa-f0-9]){1,4}(?:\\.[0-9]{1,3}){0,3})"
Regards,
Mark
------------------------------
Mark Scherfling
------------------------------
Original Message:
Sent: Fri February 23, 2024 07:25 AM
From: Jasmin
Subject: Email parsing script parses wrong strings as IP
Hi,
Email parsing script parses wrong strings as IP.
Reason : EventMap[.]ID:::xxx
The value for the artifact type IP Address is invalid: D:::xxx
Is there any way to fix this issue?
Best
------------------------------
Jasmin
------------------------------
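A second-stage filter of the kind the docstring in the reply describes, as an added example that is not part of the original thread and is not the script's own cleanIPv6(). The names extract_ipv6, is_embedded and SAMPLE are hypothetical and the sample text is constructed. It goes one step beyond the reported case by also covering ID::0xxx, where the carved-out D::0 parses as a valid address, so parsing alone would not reject it.

```python
import ipaddress
import re

# IPv6 pattern quoted in the reply above (script v2.3.2).
IPV6_PATTERN = re.compile(
    r"((?:(?:[A-Fa-f0-9]){0,4}:){1,7}(?:[A-Fa-f0-9]){1,4}(?:\.[0-9]{1,3}){0,3})"
)

# Constructed sample input, not taken from a real email.
SAMPLE = (
    "Reason : EventMap[.]ID:::0xxx\n"
    "Alt    : EventMap[.]ID::0xxx\n"
    "Received at 16:38:37 from 2001:db8::1 via ::1\n"
)


def is_embedded(text, start, end):
    """True if the match was carved out of a longer token, e.g. 'D::0' in 'ID::0xxx'."""
    before = text[start - 1] if start > 0 else ""
    after = text[end] if end < len(text) else ""
    return (before.isalnum() or before in (":", ".")
            or after.isalnum() or after == ":")


def extract_ipv6(text):
    """Hypothetical cleaning stage: keep only standalone, parseable IPv6 matches."""
    kept, rejected = [], []
    for m in IPV6_PATTERN.finditer(text):
        candidate = m.group(1)
        if is_embedded(text, m.start(1), m.end(1)):
            rejected.append((candidate, "part of a longer token"))
            continue
        try:
            ipaddress.IPv6Address(candidate)  # raises ValueError on D:::0, 16:38:37
        except ValueError:
            rejected.append((candidate, "not a valid IPv6 address"))
            continue
        kept.append(candidate)
    return kept, rejected


if __name__ == "__main__":
    kept, rejected = extract_ipv6(SAMPLE)
    print("kept:", kept)
    for value, reason in rejected:
        print("rejected:", value, "-", reason)
```

The boundary check runs before parsing so that a fragment of an identifier never reaches the artifact field, even when the fragment happens to be well-formed.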