python source code of ipFixup

MozDef-master
- meteor
  - .meteor
    - versions
    - .finished-upgraders
    - packages
    - release
    - platforms
    - .gitignore
    - .id
  - public
    - images
      - mozilla.svg
      - globe-loading.gif
      - mozilla-m.svg
      - favicon.ico
      - logo-elastic-kibana-dk.svg
    - fonts
      - glyphicons-halflings-regular.woff
      - glyphicons-halflings-regular.eot
      - glyphicons-halflings-regular.ttf
      - glyphicons-halflings-regular.svg
    - css
      - dropdowns.css
  - client
    - OrbitControls.js
    - eventdetails.html
    - blockIP.html
    - greeting.js
    - addwatchItem.html
    - fqdnBlocklistTable.html
    - mozdefhealth.js
    - addwatchItem.js
    - manageAlertsTable.html
    - ipwhois.js
    - preferences.html
    - investigationAdd.html
    - watchItem.html
    - themes
      - classic
        menu.html
      - none
        menu-start.css
        menu-start.html
      - side_nav_dark
        menu.html
    - fqdnBlocklistTable.js
    - investigationTable.html
    - alertdetails.html
    - main.js
    - manageAlertsTable.js
    - investigationEdit.html
    - preferences.js
    - watchlistTable.html
    - incidentsveris.js
    - null.html
    - incidentAdd.html
    - alertssummary.html
    - ipdshield.html
    - footer.html
    - incidentTable.html
    - alertTableItem.js
    - ipdshield.js
    - incidents.js
    - investigations.js
    - watchItem.js
    - mozdefhealth.html
    - menu.html
    - router.js
    - alertdetails.js
    - blockIP.js
    - incidentsveris.html
    - ipBlocklistTable.js
    - layout.js
    - watchlistTable.js
    - greeting.html
    - ipwhois.html
    - incidentEdit.html
    - mozdef.html
    - loading.html
    - blockFQDN.html
    - verisTags.html
    - ipBlocklistTable.html
    - about.html
    - alertsummary.js
    - mozdef.js
    - menu.js
    - blockFQDN.js
  - imports
    - themes
      - classic
        mozdef.css
      - side_nav_dark
        mozdef.css
        menu.js
      - light
        mozdef.css
      - dark
        mozdef.css
    - settings.js
    - collections.js
    - helpers.js
    - models.js
  - private
    - features.txt
    - verisc-enum.json
    - veris.dotformat.txt
  - package-lock.json
  - package.json
  - server
    - main.js
    - mozdef.js
    - methods.js
  - .gitignore
- cloudy_mozdef
  - aws_parameters.example.json
  - aws_parameters.example.sh
  - Makefile
  - cloudformation
    - mozdef-efs.yml
    - mozdef-vpc-flow-logs.yml
    - mozdef-security-group.yml
    - mozdef-cicd-codebuild.yml
    - mozdef-alert-developer.yml
    - base-iam.yml
    - mozdef-mq.yml
    - mozdef-vpc.yml
    - mozdef-es.yml
    - mozdef-parent-reinforce.yml
    - mozdef-credential-leak.yml
    - mozdef-sqs.yml
    - mozdef-instance.yml
    - mozdef-cloudtrail.yml
    - mozdef-parent.yml
  - buildspec.yml
  - experiments
    - alert-writer.yml
  - dmake
  - ci
    - deploy
    - bind_domain_name
    - pack_and_copy
    - docker_tag_or_push
    - publish_versioned_templates
  - lambda_layer
    - Makefile
    - build
      - .keep
      - .gitkeep
      - .gitignore
    - lambdalert.py
    - .gitignore
  - packer
    - packer.json
- alerts
  - session_opened_sensitive_user.py
  - write_audit.conf
  - proxy_exfil_domains.conf
  - session_invalidation.py
  - deadman.py
  - deadman_generic.json
  - ssh_bruteforce_bro.conf
  - ssl_blacklist_hit.py
  - write_audit.py
  - fxa_alerts.py
  - nsm_scan_port.py
  - proxy_drop_ip.py
  - nsm_scan_random.py
  - bugzilla_auth_bruteforce.conf
  - duo_authfail.py
  - generic_alert_loader.py
  - nsm_scan_port.json
  - ssh_access_signreleng.py
  - ssh_lateral.json
  - alert_actions_worker.conf
  - actions
    - triage_bot.json
    - block_ip.conf
    - pagerduty.py
    - triage_bot.py
    - pagerduty.json
    - __init__.py
    - block_ip.py
  - generic_alert_loader.conf
  - geomodel
    - config.py
    - locality.py
    - factors.py
    - alert.py
    - __init__.py
    - execution.py
  - nsm_scan_address.py
  - proxy_exfil_domains.py
  - multiple_intel_hits.py
  - ssh_access_signreleng.json
  - bruteforce_ssh.conf
  - cloudtrail_logging_disabled.py
  - lib
    - celery_scheduler
      - periodic_task.py
      - alert_schedule_entry.py
      - LICENSE
      - celery_rest_client.py
      - celery_config.py
      - __init__.py
      - alerts_scheduler.py
    - alerttask.py
    - config.py
    - deadman_alerttask.py
    - tasks.py
    - __init__.py
    - alert_plugin_set.py
  - http_errors.py
  - geomodel_location.py
  - plugins
    - ip_source_enrichment.py
    - port_scan_enrichment.json
    - possible_usernames.py
    - vpn_assignment.json
    - possible_usernames.json
    - geomodel_ipintel_enrichment.json
    - vpn_assignment.py
    - dhcp_assignment.json
    - geomodel_ipintel_enrichment.py
    - ip_source_enrichment.json
    - __init__.py
    - ipaddr.py
    - dhcp_assignment.py
    - port_scan_enrichment.py
  - old_events.py
  - critical_users.json
  - supervisord_alerts.ini
  - promisc_audit.py
  - http_auth_bruteforce.py
  - duo_fail_open.py
  - ldap_bruteforce_user.py
  - proxy_drop_executable.py
  - ldap_group.py
  - proxy_drop_ip.conf
  - http_auth_bruteforce.conf
  - get_watchlist.conf
  - ssh_access.py
  - bruteforce_ssh.py
  - proxy_drop_non_standard_port.conf
  - ssh_lateral.py
  - guard_duty_probe.py
  - alert_template.template
  - vpn_duo_auth_failures.py
  - http_errors.conf
  - ssh_bruteforce_bro.py
  - __init__.py
  - duo_authfail.conf
  - deadman_generic.py
  - nsm_scan_address.json
  - ldap_add.py
  - trace_audit.conf
  - ldap_bruteforce_user.conf
  - ssh_access.json
  - nsm_scan_random.json
  - get_watchlist.py
  - bugzilla_auth_bruteforce.py
  - proxy_drop_non_standard_port.py
  - geomodel_location.json
  - alert_actions_worker.py
  - ldap_delete.py
  - proxy_drop_executable.conf
  - deadman.conf
  - auditd_sftp.py
  - ldap_lockout.py
  - alert_actions.ini
  - trace_audit.py
  - promisc_kernel.py
- Makefile
- mq
  - esworker_papertrail.py
  - esworker_sqs.py
  - esworker_pubsub.conf
  - esworker_papertrail.conf
  - lib
    - plugins.py
    - sqs.py
    - aws.py
    - __init__.py
  - plugins
    - squidFixup.py
    - github_webhooks.py
    - triage_bot.json
    - stackdriver_gceactivity.yml
    - vulnerability.py
    - sshdFindIP.py
    - lower_keys.py
    - ttl_auditd.py
    - zoom_fixup.py
    - observium.py
    - fxaFixup.py
    - netflowFixup.py
    - nagioshostname.py
    - stackdriver_gceactivity.py
    - customDocType.py
    - stackdriver_syslog.py
    - github_mapping.yml
    - dropMessage.py
    - stackdriver_audit.yml
    - cloudtrail.py
    - ipFixup.py
    - mozilla_location.conf
    - broFixup.py
    - triage_bot.py
    - snmptt.py
    - guardduty_mapping.yml
    - ldap_fixup.py
    - suricataFixup.py
    - filterlog.py
    - geoip.py
    - large_strings.py
    - complianceitems.py
    - mozilla_location.py
    - stackdriver_audit.py
    - stackdriver.py
    - auditdFixup.py
    - __init__.py
    - zoom_mapping.yml
    - guardDuty.py
    - googleFixup.py
    - rt_flow.py
    - stackdriver_mapping.yml
    - parse_su.py
    - parse_sshd.py
  - esworker_eventtask.py
  - esworker_sns_sqs.py
  - esworker_sns_sqs.conf
  - esworker_guardduty.py
  - esworker_pubsub.py
  - __init__.py
  - esworker_cloudtrail.py
  - esworker_sqs.conf
  - eventtask.ini
  - esworker_cloudtrail.conf
  - esworker_eventtask.conf
- loginput
  - index.py
  - loginput.ini
  - index.conf
  - __init__.py
- systemdfiles
  - web
    - mozdefweb.service
    - mozdefrestapi.service
  - alert
    - mozdefbot.service
    - mozdefalerts.service
    - mozdefalertactions.service
  - consumer
    - mozdefloginput.service
    - mworker-eventtask.service
- mozdef_util
  - Makefile
  - mozdef_util
    - state.py
    - geo_ip.py
    - query_models
      - subnet_match.py
      - boolean_match.py
      - wildcard_match.py
      - aggregated_results.py
      - simple_results.py
      - range_match.py
      - search_query.py
      - less_than_match.py
      - aggregation.py
      - terms_match.py
      - term_match.py
      - __init__.py
      - exists_match.py
      - phrase_match.py
      - query_string_match.py
    - bulk_queue.py
    - event.py
    - __init__.py
    - elasticsearch_client.py
    - plugin_set.py
    - utilities
      - remove_at.py
      - toUTC.py
      - dict2List.py
      - dot_dict.py
      - is_cef.py
      - is_ip.py
      - logger.py
      - key_exists.py
      - __init__.py
      - to_unicode.py
  - LICENSE
  - README.rst
  - setup.py
  - HISTORY.rst
  - .gitignore
  - MANIFEST.in
  - requirements_dev.txt
- cron
  - uptycs_alertpull.sh
  - duo_logpull.py
  - mozdefStateDefaultMappingTemplate.json
  - okta2mozdef.py
  - triage_bot.json
  - healthToMongo.conf
  - closeIndices.conf
  - healthAndStatus.conf
  - createFQDNBlockList.sh
  - sqs_queue_status.sh
  - syncAlertsToMongo.sh
  - eventStats.sh
  - duo_logpull.sh
  - update_ipintel.json
  - healthToMongo.py
  - google2mozdef.py
  - update_geolite_db.sh
  - pruneIndexes.sh
  - esCacheMaint.sh
  - eventStats.py
  - update_ipintel.py
  - uptycs_alertpull.conf
  - uptycs_apikey.json
  - backupSnapshot.sh
  - esCacheMaint.py
  - update_ip_list.sh
  - uptycs_alertpull.py
  - syncAlertsToMongo.conf
  - closeIndices.sh
  - update_generic_alerts.conf
  - auth02mozdef.py
  - triage_bot.py
  - okta2mozdef.conf
  - update_generic_alerts.sh
  - okta2mozdef.sh
  - rotateIndexes.conf
  - pruneIndexes.py
  - verify_event_fields.conf
  - pruneIndexes.conf
  - backupSnapshot.py
  - sqs_queue_status.py
  - triage_bot.sh
  - google2mozdef.conf
  - healthAndStatus.sh
  - closeIndices.py
  - defaultMappingTemplate.json
  - esCacheMaint.conf
  - createFDQNBlockList.py
  - createIPBlockList.conf
  - google2mozdef.sh
  - update_ip_list.conf
  - update_generic_alerts.py
  - rotateIndexes.sh
  - healthAndStatus.py
  - createIPBlockList.sh
  - auth02mozdef.json
  - update_ipintel.sh
  - cronic
  - syncAlertsToMongo.py
  - update_ip_list.py
  - eventStats.conf
  - backupSnapshot.conf
  - verify_event_fields.sh
  - createFQDNBlockList.conf
  - mozdefGoogleCredentials.json
  - auth02mozdef.sh
  - createIPBlockList.py
  - rotateIndexes.py
  - update_geolite_db.py
  - duo_logpull.conf
  - healthToMongo.sh
  - sqs_queue_status.conf
  - update_geolite_db.conf
  - verify_event_fields.py
- LICENSE
- CONTRIBUTING.md
- .flake8
- config
  - logrotate-nginx
  - logrotate-mozdef
  - logrotate-supervisord
  - nginx.conf
  - mongod.conf
  - 50-mozdef-filter.conf
  - logrotate-mongod
- CHANGELOG.md
- docker
  - builder
    - Makefile
    - requirements.txt
    - Dockerfile
  - compose
    - nginx
      - files
        nginx.conf
      - Dockerfile
    - mozdef_cognito_proxy
      - files
        default.conf
        nginx.conf
      - README.md
      - Dockerfile
    - docker-compose-tests.yml
    - dev-cron.yml
    - rabbitmq
      - files
        enabled_plugins
        erlang.repo
        rabbitmq-server.repo
        rabbitmq.config
      - Dockerfile
    - dev-docs.yml
    - elasticsearch
      - files
        jvm.options
        elasticsearch.yml
      - Dockerfile
    - mozdef_loginput
      - files
        index.conf
      - Dockerfile
    - mozdef_sampledata
      - Dockerfile
    - mozdef_mq_worker
      - files
        esworker_eventtask.conf
      - Dockerfile
    - mozdef_syslog
      - files
        syslog-ng.conf
        syslog-ng.repo
      - Dockerfile
    - docker-compose-user-env.yml
    - kibana
      - files
        kibana.yml
      - Dockerfile
    - dev-rest.yml
    - tester
      - files
        tests_config.conf
        rest_index.conf
        loginput_index.conf
      - Dockerfile
    - dev-alerts.yml
    - mozdef_bot
      - files
        mozdefbot.conf
      - Dockerfile
    - mozdef_alerts
      - files
        config.py
        get_watchlist.conf
      - Dockerfile
    - mozdef_alertactions
      - files
        alert_actions_worker.conf
      - Dockerfile
    - docker-compose-cloudy-mozdef.yml
    - dev-meteor.yml
    - mozdef_base
      - Dockerfile
    - mozdef_cron
      - files
        healthToMongo.conf
        healthAndStatus.conf
        launch_cron
        syncAlertsToMongo.conf
        rotateIndexes.conf
        cron_entries.txt
        pruneIndexes.conf
        eventStats.conf
      - Dockerfile
    - mozdef_meteor
      - files
        settings.js
      - Dockerfile
    - mongodb
      - files
        mongod.conf
      - Dockerfile
    - mozdef_rest
      - files
        index.conf
      - Dockerfile
    - docker-compose.yml
    - dev-sampledata.yml
    - mozdef_bootstrap
      - Dockerfile
- .travis.yml
- README.md
- tests
  - alerts
    - test_nsm_scan_random.py
    - test_cloudtrail_logging_disabled.py
    - test_promisc_kernel.py
    - test_ldap_delete.py
    - test_session_opened_sensitive_user.py
    - test_ssh_lateral.py
    - actions
      - test_triage_bot.py
    - alert_test_case.py
    - geomodel
      - test_alert.py
      - test_factors.py
      - test_locality.py
    - test_geomodel_location.py
    - test_write_audit.py
    - test_nsm_scan_port.py
    - test_guard_duty_probe.py
    - test_ldap_add.py
    - test_session_invalidation.py
    - test_ssh_access.py
    - test_trace_audit.py
    - lib
      - celery_scheduler
        test_periodic_task.py
      - test_alerttask.py
    - test_proxy_drop_ip.py
    - test_proxy_drop_executable.py
    - plugins
      - test_geomodel_ipintel_enrichment.py
      - test_vpn_assignment.py
      - test_port_scan_enrichment.py
      - test_ip_source_enrichment.py
      - test_possible_usernames.py
      - test_dhcp_assignment.py
    - alert_test_suite.py
    - test_alert_template.template
    - test_nsm_scan_address.py
    - test_promisc_audit.py
    - test_duo_fail_open.py
    - test_ldap_bruteforce_user.py
    - test_duo_authfail.py
    - test_deadman_generic.py
    - test_deadman.py
    - __init__.py
    - test_ssh_access_signreleng.py
    - test_ldap_group.py
    - positive_alert_test_case.py
    - test_bruteforce_ssh.py
    - test_proxy_exfil_domains.py
    - test_proxy_drop_non_standard_port.py
    - conftest.py
    - negative_alert_test_case.py
    - test_old_events.py
  - mq
    - test_esworker_sns_sqs.py
    - plugins
      - test_parse_sshd.py
      - test_stackdriver.py
      - test_guardduty.py
      - test_stackdriver_audit.py
      - test_large_strings.py
      - test_triage_bot.py
      - test_stackdriver_gceactivity.py
      - test_ldap_fixup.py
      - test_zoom_fixup.py
      - test_filterlog.py
      - test_broFixup.py
      - test_squidFixup.py
      - __init__.py
      - test_parse_su.py
      - test_cloudtrail.py
      - test_vulnerability.py
      - test_stackdriver_syslog.py
      - test_suricataFixup.py
      - test_lower_keys.py
    - __init__.py
    - test_esworker_eventtask.py
  - requirements_tests.txt
  - loginput
    - loginput_test_suite.py
    - index.conf
    - test_loginput_index.py
    - __init__.py
  - unit_test_suite.py
  - mozdef_util
    - states
      - example_state.json
      - malformed_state.json
    - test_state.py
    - query_models
      - test_search_query.py
      - test_range_match.py
      - test_wildcard_match.py
      - test_phrase_match.py
      - test_exists_match.py
      - query_test_suite.py
      - test_term_match.py
      - positive_test_suite.py
      - test_subnet_match.py
      - test_less_than_match.py
      - test_aggregation.py
      - __init__.py
      - negative_test_suite.py
      - test_query_string_match.py
      - test_terms_match.py
    - test_bulk_queue.py
    - test_geo_ip.py
    - test_elasticsearch_client.py
    - test_plugin_set.py
    - test_event.py
    - test_plugins
      - plugin3.py
      - plugin6.py
      - plugin2.py
      - plugin5.py
      - plugin1.py
      - __init__.py
      - plugin7.py
      - plugin4.py
      - plugin8.py
    - utilities
      - test_toUTC.py
      - test_key_exists.py
      - test_dot_dict.py
      - test_dict2List.py
  - cron
    - test_auth02mozdef.py
  - http_test_suite.py
  - config.conf
  - __init__.py
  - pytest.ini
  - rest
    - rest_test_suite.py
    - test_rest_index.py
    - index.conf
    - __init__.py
    - ssh_dashboard.json
  - suite_helper.py
  - conftest.py
  - alert_templater.py
- CODE_OF_CONDUCT.md
- scripts
  - demo
    - populate_sample_events.sh
    - populate_sample_events.py
    - sample_events
      - alertcreating-bro-notice.json
      - events-auditd.json
      - alertcreating-fail2ban.json
      - events-logins-success.json
      - events-benign.json
      - events-logins-failure.json
      - events-cloudtrail.json
      - events-network.json
      - alertcreating-bruteforce-ssh.json
      - alertcreating-bro-intel.json
  - setup
    - example_resources
      - cloudtrail_events_dashboard.json
      - destinationip_bar_graph.json
      - cloudtrail_eventname_pie_graph.json
      - all_events_count.json
      - sourceip_bar_graph.json
      - cloudtrail_eventname_table.json
      - cloudtrail_user_identity_table.json
      - all_events_area.json
      - category_pie_graph.json
      - sample_dashboard.json
      - cloudtrail_events_line_graph.json
      - cloudtrail_total_event_count.json
      - cloudtrail_events_map.json
    - initial_setup.py
    - index_mappings
      - alerts.json
      - alerts-star.json
      - events-weekly.json
      - events.json
  - ingest
    - insert_elasticsearch.py
    - insert_rabbitmq.py
    - insert_sqs.py
    - insert_loginput.py
- requirements.txt
- rest
  - index.py
  - plugins
    - fqdnblocklist.conf
    - watchlist.conf
    - ipblocklist.conf
    - fqdnblocklist.py
    - watchlist.py
    - ipblocklist.py
    - __init__.py
  - index.conf
  - __init__.py
  - restapi.ini
- .gitignore
- docs
  - Makefile
  - source
    - mozdef_util.rst
    - reinvent_presentation.rst
    - geomodel
      - specifications
        v0_1.rst
      - changelog
        v0_2.rst
    - usage
      - web_interface.rst
      - sending_logs.rst
      - simple_test.rst
      - json_format.rst
    - code.rst
    - images
      - MozDefCloudArchitecture.xml
    - mozdef_util
      - match_query_classes.rst
      - create.rst
      - search.rst
      - connect.rst
    - usage.rst
    - introduction.rst
    - overview.rst
    - plugins.rst
    - contributors.rst
    - screenshots.rst
    - license.rst
    - cloud_deployment.rst
    - alert_development_guide.rst
    - references.rst
    - index.rst
    - conf.py
    - cicd.rst
    - actions.rst
    - _static
      - theme_overrides.css
    - installation.rst
    - tests.rst
    - installation
      - manual.rst
      - manual
        mozdef_services
        bot.rst
        mq_workers.rst
        cron.rst
        loginput.rst
        alerts.rst
        restapi.rst
        alertactions.rst
        web.rst
        initial_setup.rst
        external_services.rst
        mozdef_services.rst
        external_services
        kibana.rst
        mongodb.rst
        rabbitmq.rst
        nginx.rst
        elasticsearch.rst
      - docker.rst
    - development.rst
  - make.bat
  - build
    - .gitignore
  - requirements.txt
- static
  - ipblocklist.txt
- bot
  - slack
    - mozdefbot.py
    - mozdefbot.conf
    - mozdefbot.ini
    - commands
      - ip_whois.py
      - ip_info.py
      - __init__.py
      - roulette.py
    - slack_bot.py
    - bot_plugin_set.py
  - irc
    - mozdefbot.py
    - mozdefbot.conf
    - mozdefbot.ini
    - quotes.txt
    - requirements.txt
    - modules
      - zilla.py
      - __init__.py
      - roulette.py
  - README.md

# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at https://mozilla.org/MPL/2.0/.
# Copyright (c) 2014 Mozilla Corporation

import netaddr


def isIPv4(ip):
    try:
        return netaddr.valid_ipv4(ip)
    except:
        return False


def isIPv6(ip):
    try:
        return netaddr.valid_ipv6(ip)
    except:
        return False


def addError(message, error):
    '''add an error note to a message'''
    if 'errors' not in message:
        message['errors'] = list()
    if isinstance(message['errors'], list):
        message['errors'].append(error)


class message(object):
    def __init__(self):
        '''register our criteria for being passed a message
           as a list of lower case strings or values to match with an event's dictionary of keys or values
           set the priority if you have a preference for order of plugins to run.
           0 goes first, 100 is assumed/default if not sent
        '''
        # ask for anything that could house an IP address
        self.registration = ['sourceipaddress', 'destinationipaddress', 'src', 'dst', 'srcip', 'dstip', 'http_x_forwarded_for']
        self.priority = 15

    def onMessage(self, message, metadata):
        '''
        Examine possible ip addresses for the following:
          ipv6 in an ipv4 field
          ipv4 in another field
          '-' or other invalid ip in the ip field
        Also sets ipv4 in two fields:
            ipaddress (decimal mapping IP)
            ipv4address (string mapping)
            While the IP field-type serves for IPv4 or IPv6,
            it is not quite mature yet as kibana lacks filtering
            to differentiate between IPv4 and IPv6, so always
            having a string version is the most flexible option.
        '''

        if 'details' in message:
            # forwarded header can be spoofed, so try it first,
            # but override later if we've a better field.
            if 'http_x_forwarded_for' in message['details']:
                # should be a comma delimited list of ips with the original client listed first
                ipText = message['details']['http_x_forwarded_for'].split(',')[0]
                if isIPv4(ipText) and 'sourceipaddress' not in message['details']:
                    message['details']['sourceipaddress'] = ipText
                if isIPv4(ipText) and 'sourceipv4address' not in message['details']:
                    message['details']['sourceipv4address'] = ipText
                if isIPv6(ipText) and 'sourceipv6address' not in message['details']:
                    message['details']['sourceipv6address'] = ipText

            if 'sourceipaddress' in message['details']:
                ipText = message['details']['sourceipaddress']
                if isIPv6(ipText):
                    message['details']['sourceipv6address'] = ipText
                    message['details']['sourceipaddress'] = '0.0.0.0'
                    addError(message, 'plugin: {0} error: {1}'.format('ipFixUp.py', 'sourceipaddress is ipv6, moved'))
                elif isIPv4(ipText):
                    message['details']['sourceipv4address'] = ipText
                else:
                    # Smells like a hostname, let's save it as source field
                    message['details']['source'] = message['details']['sourceipaddress']
                    message['details']['sourceipaddress'] = None

            if 'destinationipaddress' in message['details']:
                ipText = message['details']['destinationipaddress']
                if isIPv6(ipText):
                    message['details']['destinationipv6address'] = ipText
                    message['details']['destinationipaddress'] = '0.0.0.0'
                    addError(message, 'plugin: {0} error: {1}'.format('ipFixUp.py', 'destinationipaddress is ipv6, moved'))
                elif isIPv4(ipText):
                    message['details']['destinationipv4address'] = ipText
                else:
                    # Smells like a hostname, let's save it as destination field
                    message['details']['destination'] = message['details']['destinationipaddress']
                    message['details']['destinationipaddress'] = None

            if 'src' in message['details']:
                ipText = message['details']['src']
                if isIPv4(ipText):
                    message['details']['sourceipaddress'] = ipText
                    message['details']['sourceipv4address'] = ipText
                if isIPv6(ipText):
                    message['details']['sourceipv6address'] = ipText

            if 'srcip' in message['details']:
                ipText = message['details']['srcip']
                if isIPv4(ipText):
                    message['details']['sourceipaddress'] = ipText
                    message['details']['sourceipv4address'] = ipText
                if isIPv6(ipText):
                    message['details']['sourceipv6address'] = ipText
            if 'dst' in message['details']:
                ipText = message['details']['dst']
                if isIPv4(ipText):
                    message['details']['destinationipaddress'] = ipText
                    message['details']['destinationipv4address'] = ipText
                if isIPv6(ipText):
                    message['details']['destinationipv6address'] = ipText

            if 'dstip' in message['details']:
                ipText = message['details']['dstip']
                if isIPv4(ipText):
                    message['details']['destinationipaddress'] = ipText
                    message['details']['destinationipv4address'] = ipText
                if isIPv6(ipText):
                    message['details']['destinationipv6address'] = ipText

            if 'cluster_client_ip' in message['details']:
                ipText = message['details']['cluster_client_ip']
                if isIPv4(ipText):
                    message['details']['sourceipaddress'] = ipText
                if isIPv6(ipText):
                    message['details']['sourceipv6address'] = ipText

        return (message, metadata)