Fix broken resolved ip in src field

CHANGELOG.md

@@ -1,5 +1,10 @@
 # Changelog
 
+## 3.2.1
+
+- Fixed resolving of IP addresses in src field.
+  (Thanks to Martin Wright for reporting this issue)
+
 ## 3.2.0
 
 - Added support for Splunk 8.x and Python 3.x

README.md

@@ -305,7 +305,7 @@ If you want to reindex an entire mailbox, you can do so by deleting the TA-dmarc
 ```
 |inputlookup ta_dmarc_checkpointer_lookup
 |search state!="*input=dmarc_imap, server=imap.gmail.com*"
-|outputlookup ta_dmarc_checkpointer_lookup`
+|outputlookup ta_dmarc_checkpointer_lookup
 ```
 
 If you want to reindex a single DMARC report, you can do so by deleting its corresponding record from KVstore:
@@ -334,6 +334,7 @@ This add-on is maintained by Jorrit Folmer. These people and organisations have
 
 - Christopher G Andrews (ChristopherGAndrews)
 - John (john-9c54a80b)
+- Martin Wright
 - Mike Kolk
 - Samuel Haper (sharperer)
 - Steve Myers (stmyers)

app.manifest

@@ -5,7 +5,7 @@
     "id": {
       "group": null,
       "name": "TA-dmarc",
-      "version": "3.2.0"
+      "version": "3.2.1"
     },
     "author": [
       {

bin/dmarc/dir2splunk.py

@@ -245,19 +245,27 @@ def rua2json(self, xmldata, validation_result=[]):
         for record in records:
             data_ip = record.findtext('row/source_ip')
             row_tag = record.find("row")
+            record = yahoo.data(record)
+            record = self.dict2lower(record)
             if self.do_resolve:
                 try:
                     self.helper.log_debug("rua2json: resolving %s" % data_ip)
                     resolve = socket.gethostbyaddr(data_ip)
-                    backresolve = socket.gethostbyname_ex(resolve[0])
-                    if data_ip == backresolve[2][0]:
-                        # Add resolved ip to row
-                        ip_resolution = etree.SubElement(row_tag, "ip_resolution")
-                        ip_resolution.text = resolve[0]
                 except Exception:
                     self.helper.log_debug("rua2json: failed to resolve %s" % data_ip)
-            record = yahoo.data(record)
-            record = self.dict2lower(record)
+                else:
+                    try:
+                        self.helper.log_debug("rua2json: backresolving %s" % resolve[0])
+                        backresolve = socket.gethostbyname_ex(resolve[0])
+                    except Exception:
+                        self.helper.log_debug("rua2json: backresolving failed for %s" % resolve[0])
+                    else:
+                        if data_ip == backresolve[2][0]:
+                            # Add resolved ip to row
+                            self.helper.log_debug("rua2json: backresolving success: %s resolves to %s and back" % (data_ip, resolve[0]))
+                            record["record"]["row"]["ip_resolution"] = resolve[0]
+                        else:
+                            self.helper.log_debug("rua2json: backresolving failed: %s does NOT resolve to %s and back" % (data_ip, resolve[0]))
             feedback_list.append(record)
             # Aggregate report metadata, policy, record and xsd_validation
             result_dict.update(feedback_dict)

default/app.conf

@@ -7,7 +7,7 @@ build = 1
 
 [launcher]
 author = Jorrit Folmer
-version = 3.2.0
+version = 3.2.1
 description = TA-dmarc add-on for Splunk
 
 [ui]