whois_analyzer.py aktualisiert

whois_analyzer.py

@@ -34,7 +34,6 @@ class WhoisEnrichmentAnalyzer(interface.BaseAnalyzer):
         self.timeout = current_app.config.get('WHOIS_TIMEOUT', 10)
         
         self.whois_cache: Dict[str, Optional[Dict]] = {}
-        self.processed_ips: Set[str] = set()
     
     def _validate_ip(self, ip_address: str) -> bool:
         """Validate IP address."""
@@ -168,7 +167,7 @@ class WhoisEnrichmentAnalyzer(interface.BaseAnalyzer):
             for event in events:
                 events_processed += 1
                 
-                # Find first valid IP in this event
+                # Find first valid IP in this event and enrich it
                 for ip_field in self.IP_FIELDS:
                     ip_value = event.source.get(ip_field)
                     if not ip_value:
@@ -183,15 +182,13 @@ class WhoisEnrichmentAnalyzer(interface.BaseAnalyzer):
                         if not self._validate_ip(ip_str):
                             continue
                         
-                        if ip_str not in self.processed_ips:
+                        # Process EVERY IP, no duplicate checking
-                            self.processed_ips.add(ip_str)
+                        whois_data = self._get_whois_data(ip_str)  # Uses cache to avoid duplicate API calls
                         
-                            whois_data = self._get_whois_data(ip_str)
+                        if whois_data:
-                            
+                            self._enrich_event(event, ip_field, ip_str, whois_data)
-                            if whois_data:
+                            enriched_count += 1
-                                self._enrich_event(event, ip_field, ip_str, whois_data)
+                            break  # Only enrich first valid IP per event
-                                enriched_count += 1
-                                break
                 
                 # Rate limiting
                 if events_processed % self.batch_size == 0: