
Invalid response received from module reversedns - Using "Enrich Event"

Open eCrimeLabs opened this issue 1 year ago • 2 comments

Hey there,

Running latest version of the misp-modules and have updated all :)

Here is a sample MISP event to replicate: misp.event.1788.json

First I mark all the IPs: [image]

Then click on the "Enrich Event" and choose the "reversedns": [image]

This results in this error:

[image]

2024-12-17 19:25:37 Error: [RuntimeException] Invalid response received from module reversedns, response data do not contains results field.
Request URL: /events/enrichEvent/1788
Stack Trace:
#0 /var/www/MISP/app/Model/Event.php(6301): Event->enrichment()
#1 /var/www/MISP/app/Controller/EventsController.php(5985): Event->enrichmentRouter()
#2 [internal function]: EventsController->enrichEvent()
#3 /var/www/MISP/app/Lib/cakephp/lib/Cake/Controller/Controller.php(499): ReflectionMethod->invokeArgs()
#4 /var/www/MISP/app/Lib/cakephp/lib/Cake/Routing/Dispatcher.php(193): Controller->invokeAction()
#5 /var/www/MISP/app/Lib/cakephp/lib/Cake/Routing/Dispatcher.php(167): Dispatcher->_invoke()
#6 /var/www/MISP/app/webroot/index.php(105): Dispatcher->dispatch()
#7 {main}

So the IP it is hitting the error on seems to be "8.8.1.1", which does not have a reverse DNS name; a normal nslookup returns:

nslookup 8.8.1.1
** server can't find 1.1.8.8.in-addr.arpa: NXDOMAIN

The interesting part is that, as far as I can see, the code looks like it attempts to handle NXDOMAIN, but it must be the combination with attempting to enrich through "Enrich Event".

If I choose the "8.8.1.1" and click the "Add enrichment", it returns:

[image]

eCrimeLabs avatar Dec 17 '24 19:12 eCrimeLabs

Thanks for the issue. I found another issue in the modules about the missing ip attribute types. But it seems this issue came from the enrich event part in MISP. I was able to reproduce it with the dns module too. We will check on the MISP side.

adulau avatar Dec 17 '24 20:12 adulau
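
An added sketch (not MISP or misp-modules code) of the failure mode reported above: a bulk enrichment loop that records an error-only module response as a per-attribute skip instead of aborting the whole run. The `results`/`error` response shapes, the `fake_reversedns` stand-in, its PTR data and all function names are assumptions constructed for illustration.

```python
import ipaddress


class ModuleResponseError(Exception):
    """Response carries neither a 'results' list nor an 'error' string."""


def classify_response(resp):
    """Return ('results', list) or ('error', str); raise if malformed."""
    if isinstance(resp, dict):
        if isinstance(resp.get("results"), list):
            return "results", resp["results"]
        if isinstance(resp.get("error"), str):
            return "error", resp["error"]
    raise ModuleResponseError(f"malformed module response: {resp!r}")


def enrich_event(ips, query_module):
    """Query the module once per IP; an error response skips only that IP."""
    enriched, skipped = {}, {}
    for ip in ips:
        ipaddress.ip_address(ip)  # raises ValueError on non-IP input
        kind, payload = classify_response(query_module({"ip-dst": ip}))
        if kind == "error":
            skipped[ip] = payload  # e.g. NXDOMAIN: keep going with the rest
            continue
        values = []
        for result in payload:
            v = result.get("values", [])
            values.extend([v] if isinstance(v, str) else v)
        enriched[ip] = values
    return enriched, skipped


# Constructed PTR data for the hypothetical stand-in module below.
CONSTRUCTED_PTR = {"8.8.8.8": "dns.google."}


def fake_reversedns(request):
    """Hypothetical module: answers unknown IPs with an error-only response."""
    ip = request["ip-dst"]
    if ip in CONSTRUCTED_PTR:
        return {"results": [{"types": ["hostname"],
                             "values": [CONSTRUCTED_PTR[ip]]}]}
    return {"error": "NXDOMAIN"}


if __name__ == "__main__":
    print(enrich_event(["8.8.8.8", "8.8.1.1"], fake_reversedns))
```

A response that has neither field still raises, so a genuinely malformed module answer is not silently hidden.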

Hey @adulau,

Thanks, just wanted to follow up: have you created an issue in the MISP project on this, or was it a task on my todo list? :)

eCrimeLabs avatar Jan 21 '25 18:01 eCrimeLabs