refactor:honeypot extraction using DB-driven exclusion. closes #631#670
Conversation
|
Hi @regulartim, Could you clarify the plan for setting up the initial honeypot exclusion list? Will it be handled via a migration file, raw SQL, the admin interface, or some other method? I want to make sure our implementation aligns with the intended workflow. |
regulartim
left a comment
There was a problem hiding this comment.
I think your approach makes matters more complicated than they were before: it has a cache that contains the not-normalized honeypot names as keys (they usually start with an upper case character) so your first cache lookup always fails and, in the next step, you write a cache entry for the normalized name. Am I right?
What do you think about only writing normalized keys to the cache? That would make things easier, right?
Yep, will write that into the issue. 👍 |
|
Is this ready to get reviewed again? |
Hi @regulartim, Yes, it’s ready for review again. I added a migration file for the initial honeypot setup. In the migration, I’m using a try/except (get → create) pattern intentionally, since it’s limited strictly to the migration and only used for the one-time initial setup. Runtime extraction now relies solely on the normalized cache, with no DB creation or fallback logic involved. Please let me know if you’d like any adjustments. |
|
Ah, I didn't notice it was ready. You can click "re-request review" next time, then that I get notified. I'll take a look now. |
regulartim
left a comment
There was a problem hiding this comment.
I seems like we are having some communication issues. If your not sure what to do, please thoroughly read the issue and the comments in the PR again. If you still have questions or things are unclear, please ask (in the issue or the PR, as you like).
regulartim
left a comment
There was a problem hiding this comment.
Looks good. Thanks for your work. One last thing that I am concerned about:
Say we have a honeypot named "Cowrie" in our database. Now for some odd reason we extract an event from T-Pot where the name of the honeypot is lower case "cowrie". What do you think would happen then? Can we cover this with one or more tests?
Thanks for the review! I’ve added three tests that together cover the case-insensitive handling of honeypot names:
I hope this tests satisfy the concern about case-insensitive extraction from T-Pot events. |
regulartim
left a comment
There was a problem hiding this comment.
We're getting close! 👍
|
Thanks for your work! :) As a follow up, would you like to open a new issue describing the problem of the not-normalized honeypot names in the DB and how to handle this? |
Thanks for the review and merge! |
Description
This PR refactors the
is_ready_for_extractionmethod to respect theGeneralHoneypot.activeflag, making honeypot exclusion fully database-driven. No honeypots are hardcoded, and no migrations were added as discussed previously.Changes
name__iexactfor case-insensitive DB lookup.active=True._honeypot_cacheto reflect the DBactivestate.active=False.Notes / Observations
_honeypot_cachealways uses normalized keys. If elsewhere the cache is populated with original casing, it could cause a cache miss and fallback to the DB. This was already the case before this change.GeneralHoneypot.namefield is not unique at the DB level. I didn’t change this, but we might consider adding a unique constraint. Am I missing anything here?Related issues
closes #631
Type of change
Please delete options that are not relevant.
Checklist
develop.Black,Flake,Isort) gave 0 errors. If you have correctly installed pre-commit, it does these checks and adjustments on your behalf.Important Rules