AbuseIPDB Enrichment Fix (Issue #30)
- Fixed hostname and usage_type mixing where the WAN IP's AbuseIPDB data (e.g. ISP hostname) was displayed on attacker log rows
- Log detail query now uses direction-aware field selection — inbound logs pull from src IP threats, outbound from dst, eliminating cross-contamination via COALESCE
- Manual enrichment endpoint rejects WAN/gateway IPs with HTTP 400, preventing future contamination
- Manual enrichment log patching split into two direction-aware passes (src and dst) instead of a single direction-blind UPDATE
- Blacklist import now filters out WAN/gateway IPs before inserting into ip_threats
- upsert_threat() guard prevents WAN/gateway IPs from being stored as threats (defense-in-depth)
- One-time migration repairs ~64k previously corrupted log rows by re-patching from the correct source IP's threat data
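The direction-blind COALESCE beside the direction-aware CASE WHEN selection described above, as an added example that is not the project's code; the schema, column names and sample IPs (203.0.113.5 standing in for the WAN IP) are constructed for illustration:

```python
import sqlite3

# Constructed sample data (not the project's real tables or IPs).
# 203.0.113.5 plays the WAN IP; 198.51.100.7 and .9 play remote peers.
SCHEMA = """
CREATE TABLE ip_threats (ip TEXT PRIMARY KEY, hostname TEXT, usage_type TEXT);
CREATE TABLE logs (id INTEGER PRIMARY KEY, direction TEXT, src_ip TEXT, dst_ip TEXT);
INSERT INTO ip_threats VALUES ('203.0.113.5', 'cust-5.isp.example', 'ISP');
INSERT INTO ip_threats VALUES ('198.51.100.7', NULL, 'Data Center/Web Hosting/Transit');
INSERT INTO ip_threats VALUES ('198.51.100.9', 'scan.example', 'Data Center/Web Hosting/Transit');
INSERT INTO logs VALUES (1, 'inbound',  '198.51.100.7', '203.0.113.5');
INSERT INTO logs VALUES (2, 'outbound', '203.0.113.5', '198.51.100.9');
"""

# Direction-blind: COALESCE falls through to whichever side has data, so the
# WAN IP's ISP hostname leaks onto rows whose peer record is missing a field.
BLIND = """
SELECT l.id, l.direction,
       COALESCE(s.hostname, d.hostname)     AS hostname,
       COALESCE(s.usage_type, d.usage_type) AS usage_type
FROM logs l
LEFT JOIN ip_threats s ON s.ip = l.src_ip
LEFT JOIN ip_threats d ON d.ip = l.dst_ip
ORDER BY l.id
"""

# Direction-aware: inbound rows read only the src threat, outbound only the dst.
AWARE = """
SELECT l.id, l.direction,
       CASE WHEN l.direction = 'inbound' THEN s.hostname   ELSE d.hostname   END AS hostname,
       CASE WHEN l.direction = 'inbound' THEN s.usage_type ELSE d.usage_type END AS usage_type
FROM logs l
LEFT JOIN ip_threats s ON s.ip = l.src_ip
LEFT JOIN ip_threats d ON d.ip = l.dst_ip
ORDER BY l.id
"""

def log_details(direction_aware: bool) -> list:
    """Return enriched log rows as dicts, using either query variant."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    cur = conn.execute(AWARE if direction_aware else BLIND)
    cols = [c[0] for c in cur.description]
    rows = [dict(zip(cols, r)) for r in cur.fetchall()]
    conn.close()
    return rows

if __name__ == "__main__":
    for variant in (False, True):
        print("direction-aware" if variant else "direction-blind", log_details(variant))
```

With the blind query, both rows show the WAN hostname and the outbound row inherits the WAN usage_type; the aware query returns NULL for the inbound peer's missing hostname instead of the WAN value and the real peer data for the outbound row.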
Key Files Modified
- receiver/routes/logs.py — direction-aware CASE WHEN for all 7 abuse COALESCE fields
- receiver/routes/abuseipdb.py — WAN IP rejection + two-pass direction-aware UPDATE
- receiver/backfill.py — one-time repair migration for contaminated log rows
- receiver/blacklist.py — WAN/gateway IP filtering on blacklist import
- receiver/db.py — upsert_threat guard + migration flag seed