Posted to issues@metron.apache.org by "Nick Allen (JIRA)" <ji...@apache.org> on 2016/10/11 20:59:21 UTC

[jira] [Commented] (METRON-403) Bro elasticsearch bulk index item fails when DNS response includes CNAME

    [ https://issues.apache.org/jira/browse/METRON-403?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15566592#comment-15566592 ] 

Nick Allen commented on METRON-403:
-----------------------------------

The template for the Bro index is constructed expecting that the 'answers' field is one or more IPv4 addresses. In the test data provided, this field contains both an IP address and a hostname.

This matches the Bro documentation for the field which indicates that this field is a vector of Strings. This can include an IPv4, IPv6 or a hostname.

https://www.bro.org/sphinx/scripts/base/protocols/dns/main.bro.html#type-DNS::Info

{code}
answers: vector of string &log &optional
The set of resource descriptions in the query answer.
{code}

> Bro elasticsearch bulk index item fails when DNS response includes CNAME
> ------------------------------------------------------------------------
>
>                 Key: METRON-403
>                 URL: https://issues.apache.org/jira/browse/METRON-403
>             Project: Metron
>          Issue Type: Bug
>    Affects Versions: 0.2.2BETA
>         Environment: 7 node Ambari 2.2 managing HDP 2.4
> 4 Metron nodes
> Followed wiki "Metron Installation on an Ambari-Managed Cluster"
>            Reporter: Andrew McKinney
>            Assignee: Nick Allen
>            Priority: Minor
>              Labels: Bro, Indexing, newbie
>
> Querying CNAME records returns nested answers, e.g. fedora.aau.at.
> {noformat}
> ;; ANSWER SECTION:
> fedora.aau.at.          239     IN      CNAME   www-rpm.aau.at.
> www-rpm.aau.at.         149     IN      A       143.205.180.155
> {noformat}
> This seems to get past the BasicBroParser but when it comes to indexing, the bro es template expects type ip, not nested string/ip.
> {noformat}
>  {  
>          "TTLs":[  
>             445.0,
>             414.0
>          ],
>          "bro_timestamp":"1.472812583319753E9",
>          "ip_dst_port":53,
>          "threatinteljoinbolt:joiner:ts":"1472812589689",
>          "rejected":false,
>          "answers":[  
>             "www-rpm.aau.at",
>             "143.205.180.155"
>          ],
>          "enrichmentsplitterbolt:splitter:begin:ts":"1472812589689",
>          "enrichmentjoinbolt:joiner:ts":"1472812589689",
>          "trans_id":802,
>          "adapter:geoadapter:begin:ts":"1472812589689",
>          "uid":"C6jPJB1uNqfcJmUPMd",
>          "protocol":"dns",
>          "source:type":"bro",
>          "adapter:threatinteladapter:end:ts":"1472812589689",
>          "original_string":"DNS | AA:false TTLs:[445.0,414.0] id.orig_p:47902 rejected:false id.resp_p:53 query:fedora.aau.at answers:[\"www-rpm.aau.at\",\"143.205.180.155\"] trans_id:802 rcode:0 rcode_name:NOERROR TC:false RA:true uid:C6jPJB1uNqfcJmUPMd RD:false proto:udp id.orig_h:10.150.194.160 Z:0 ts:1.472812583319753E9 id.resp_h:10.150.194.5",
>          "ip_dst_addr":"10.150.194.5",
>          "adapter:hostfromjsonlistadapter:end:ts":"1472812589689",
>          "Z":0,
>          "adapter:geoadapter:end:ts":"1472812589689",
>          "ip_src_addr":"10.150.194.160",
>          "threatintelsplitterbolt:splitter:end:ts":"1472812589689",
>          "timestamp":1472812583319,
>          "AA":false,
>          "enrichmentsplitterbolt:splitter:end:ts":"1472812589689",
>          "query":"fedora.aau.at",
>          "rcode":0,
>          "adapter:hostfromjsonlistadapter:begin:ts":"1472812589689",
>          "rcode_name":"NOERROR",
>          "TC":false,
>          "RA":true,
>          "RD":false,
>          "ip_src_port":47902,
>          "proto":"udp",
>          "threatintelsplitterbolt:splitter:begin:ts":"1472812589689",
>          "adapter:threatinteladapter:begin:ts":"1472812589689"
>       }
> {noformat}
> throws
> {noformat}
> nested:IllegalArgumentException[  
>    failed to parse ip   [  
>       www-rpm.aau.at
>    ],
>    not a valid ip address
> ];
> {noformat}
> from bro_index.template
> {noformat}
> {
>    "answers": {
>           "type": "ip"
>         },
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
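As an added illustration (not code from this issue or from the Metron project): a pre-index check that reproduces the `ip` mapping rejection on the quoted event, plus one defensive way to keep the CNAME target as a string while still indexing the real addresses under an `ip` typed field. The `answers_ip` field name and the function names are assumptions; the sample event is a constructed subset of the one in the report.

```python
import ipaddress

# Mapping for the field in question, as quoted from bro_index.template in the issue.
BRO_TEMPLATE_ANSWERS = {"answers": {"type": "ip"}}

# Constructed subset of the Bro DNS event from the report (CNAME chain for fedora.aau.at).
SAMPLE_EVENT = {
    "protocol": "dns",
    "query": "fedora.aau.at",
    "answers": ["www-rpm.aau.at", "143.205.180.155"],
    "TTLs": [445.0, 414.0],
}


def is_ip(value):
    """True if value parses as an IPv4 or IPv6 address, which is all an ES 'ip' field accepts."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def find_mapping_violations(event, mapping):
    """Return [(field, value)] for values an 'ip' typed field would reject.

    This mirrors the validation Elasticsearch applies per bulk item; running it
    before indexing turns a silent bulk failure into a checkable result.
    """
    violations = []
    for field, props in mapping.items():
        if props.get("type") != "ip" or field not in event:
            continue
        values = event[field]
        if not isinstance(values, list):
            values = [values]
        for v in values:
            if not is_ip(str(v)):
                violations.append((field, v))
    return violations


def split_answers(event):
    """Defensive alternative (assumed design, not Metron's fix): leave 'answers' as plain
    strings, matching the Bro type 'vector of string', and add 'answers_ip' holding only
    the values that are real addresses, so the 'ip' mapping can move to answers_ip."""
    out = dict(event)
    out["answers_ip"] = [a for a in event.get("answers", []) if is_ip(a)]
    return out
```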