Posted to issues@metron.apache.org by "Neha Sinha (JIRA)" <ji...@apache.org> on 2016/09/21 04:57:20 UTC

[jira] [Commented] (METRON-442) Incorrect/Approximated threat triage level is set when the score is configured to some max value

    [ https://issues.apache.org/jira/browse/METRON-442?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15508748#comment-15508748 ] 

Neha Sinha commented on METRON-442:
-----------------------------------

The content of the enrichment JSON file in Hadoop is this:
Command: hadoop fs -cat /apps/metron/enrichment/indexed/bro/enrichment-null-0-0-1471938799700.json

===============================================================================
{"adapter.threatinteladapter.end.ts":"1471939557742","bro_timestamp":"1.471939556638758E9","status_code":404,"ip_dst_port":80,"enrichmentsplitterbolt.splitter.end.ts":"1471939557740","enrichments.geo.ip_dst_addr.city":"Phoenix","enrichments.geo.ip_dst_addr.latitude":"33.4499","adapter.hostfromjsonlistadapter.end.ts":"1471939557741","enrichmentsplitterbolt.splitter.begin.ts":"1471939557740","enrichments.geo.ip_dst_addr.country":"US","enrichments.geo.ip_dst_addr.locID":"3886","adapter.geoadapter.begin.ts":"1471939557740","enrichments.geo.ip_dst_addr.postalCode":"85004","uid":"CgrsLeHSOZRGMJdSa","resp_mime_types":["text\/html"],"trans_depth":1,"protocol":"http","original_string":"HTTP | id.orig_p:49199 status_code:404 method:POST request_body_len:96 id.resp_p:80 orig_mime_types:[\"text\\\/plain\"] uri:\/wp-content\/themes\/twentyfifteen\/img5.php?l=8r1gf1b2t1kuq42 tags:[] uid:CgrsLeHSOZRGMJdSa resp_mime_types:[\"text\\\/html\"] trans_depth:1 orig_fuids:[\"FlINOb2WXgQZh3YG0j\"] host:runlove.us status_msg:Not Found id.orig_h:192.168.138.158 response_body_len:357 user_agent:Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) ts:1.471939556638758E9 id.resp_h:204.152.254.221 resp_fuids:[\"F6LnXgRnQD51mbhfb\"]","ip_dst_addr":"204.152.254.221","threat.triage.level":9.223372036854776E18,"threatinteljoinbolt.joiner.ts":"1471939557742","enrichments.geo.ip_dst_addr.dmaCode":"753","host":"runlove.us","enrichmentjoinbolt.joiner.ts":"1471939557741","adapter.hostfromjsonlistadapter.begin.ts":"1471939557741","threatintelsplitterbolt.splitter.begin.ts":"1471939557741","enrichments.geo.ip_dst_addr.longitude":"-112.0712","ip_src_addr":"192.168.138.158","user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)","resp_fuids":["F6LnXgRnQD51mbhfb"],"timestamp":1471939556638,"method":"POST","request_body_len":96,"is_alert":"true","orig_mime_types":["text\/plain"],"uri":"\/wp-content\/themes\/twentyfifteen\/img5.php?l=8r1gf1b2t1kuq42","source.type":"bro","tags":[],"adapter.geoadapter.end.ts":"1471939557740","adapter.threatinteladapter.begin.ts":"1471939557742","threatintelsplitterbolt.splitter.end.ts":"1471939557741","orig_fuids":["FlINOb2WXgQZh3YG0j"],"ip_src_port":49199,"enrichments.geo.ip_dst_addr.location_point":"33.4499,-112.0712","status_msg":"Not Found","response_body_len":357}

===============================================================================
Threat triage level: "threat.triage.level":9.223372036854776E18
Note: I tested the max value with Bro enrichment in this case.


> Incorrect/Approximated threat triage level is set when the score is configured to some max value
> ------------------------------------------------------------------------------------------------
>
>                 Key: METRON-442
>                 URL: https://issues.apache.org/jira/browse/METRON-442
>             Project: Metron
>          Issue Type: Bug
>    Affects Versions: 0.2.2BETA
>            Reporter: Neha Sinha
>
> Hi,
> I have specified the following threat config for snort sensor  :-
> ========================================================
> "threatIntel" : {
>     "triageConfig" : {
>       "riskLevelRules" : {
>         "not(IN_SUBNET(ip_dst_addr, '192.168.0.0/24'))" : 9223372036854775807
>       }
>     }
>   }
> =======================================================
> Expected threat.triage.level = 9223372036854775807
> Actual threat.triage.level = 9223372036854776000
> *Enrichments log*
> =======================================================
> 2016-08-22 09:42:57.509 o.a.m.e.b.ThreatIntelJoinBolt [DEBUG] snort: Found sensor enrichment config.
> 2016-08-22 09:42:57.510 o.a.m.e.b.ThreatIntelJoinBolt [DEBUG] snort: Found threat triage config: ThreatTriageConfig{riskLevelRules={not(IN_SUBNET(ip_dst_addr, '192.168.0.0/24'))=9223372036854775807}, aggregator=MAX, aggregationConfig={}}
> 2016-08-22 09:42:57.510 o.a.m.e.b.ThreatIntelJoinBolt [DEBUG] Marked snort as triage level 9.223372036854776E18 with rules not(IN_SUBNET(ip_dst_addr, '192.168.0.0/24'))=9223372036854775807
> 2016-08-22 09:42:57.510 o.a.m.w.BulkWriterComponent [DEBUG] Acking 1 tuples
> 2016-08-22 09:42:57.509 o.a.m.e.b.ThreatIntelJoinBolt [DEBUG] snort: Found sensor enrichment config.
> 2016-08-22 09:42:57.510 o.a.m.e.b.ThreatIntelJoinBolt [DEBUG] snort: Found threat triage config: ThreatTriageConfig{riskLevelRules={not(IN_SUBNET(ip_dst_addr, '192.168.0.0/24'))=9223372036854775807}, aggregator=MAX, aggregationConfig={}}
> 2016-08-22 09:42:57.510 o.a.m.e.b.ThreatIntelJoinBolt [DEBUG] Marked snort as triage level 9.223372036854776E18 with rules not(IN_SUBNET(ip_dst_addr, '192.168.0.0/24'))=9223372036854775807
> 2016-08-22 09:42:57.510 o.a.m.w.BulkWriterComponent [DEBUG] Acking 1 tuples
> ========================================================



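The behaviour reported above (a configured score of 9223372036854775807 coming back as 9.223372036854776E18, or as 9223372036854776000 when the same double is printed without an exponent) is what happens when a 64-bit integer is stored in an IEEE-754 double, which has only a 53-bit significand. The following is an added example, not Metron code: it round-trips each riskLevelRules score through a double, applies MAX aggregation in double arithmetic the way the logged triage level shows, and reports which configured scores cannot be stored exactly. The config is a constructed copy of the one quoted in the issue (with one extra hypothetical rule), not read from a live deployment.

```python
"""Lint threat-triage scores for double-precision loss (added example)."""
import json

# Largest integer magnitude that an IEEE-754 double represents exactly (2**53).
# Every integer at or below this survives a double round trip; above it, only
# values with enough trailing zero bits do, and the rest are rounded.
MAX_EXACT_DOUBLE_INT = 1 << 53

# Constructed copy of the triageConfig quoted in the issue plus one small
# hypothetical rule, so both the lossy and the exact case are exercised.
SAMPLE_CONFIG = json.loads("""
{
  "threatIntel": {
    "triageConfig": {
      "riskLevelRules": {
        "not(IN_SUBNET(ip_dst_addr, '192.168.0.0/24'))": 9223372036854775807,
        "ip_dst_port == 80": 10
      },
      "aggregator": "MAX"
    }
  }
}
""")


def to_double(score):
    """Round-trip an integer score through a double, which is what a Java
    Double-typed triage level does to it."""
    return float(score)


def is_exact_in_double(score):
    """True when the score comes back unchanged from the double round trip."""
    return int(to_double(score)) == score


def lint_risk_level_rules(config):
    """Return one report entry per rule with the configured score, the value a
    double would actually hold, and whether the two agree."""
    rules = config["threatIntel"]["triageConfig"]["riskLevelRules"]
    report = []
    for rule, score in rules.items():
        report.append({
            "rule": rule,
            "configured": score,
            "stored": to_double(score),
            "exact": is_exact_in_double(score),
            # Scores beyond 2**53 are unsafe even when one particular value
            # happens to be representable, so flag the range separately.
            "in_safe_range": abs(score) <= MAX_EXACT_DOUBLE_INT,
        })
    return report


def lossy_rules(config):
    """Rules whose configured score will not be stored exactly."""
    return [r["rule"] for r in lint_risk_level_rules(config) if not r["exact"]]


def aggregate_max(scores):
    """MAX aggregation carried out in double arithmetic, matching the
    9.223372036854776E18 the ThreatIntelJoinBolt logged for Long.MAX_VALUE."""
    return max((to_double(s) for s in scores), default=0.0)


if __name__ == "__main__":
    for entry in lint_risk_level_rules(SAMPLE_CONFIG):
        flag = "OK " if entry["exact"] and entry["in_safe_range"] else "LOSSY"
        print(f"{flag} {entry['configured']} -> {entry['stored']!r}  {entry['rule']}")
    scores = SAMPLE_CONFIG["threatIntel"]["triageConfig"]["riskLevelRules"].values()
    print("aggregated triage level:", repr(aggregate_max(scores)))
```

Running the lint against a triage config before pushing it to ZooKeeper catches this class of surprise up front: any score above 2**53 should be treated as a configuration error rather than relied on to compare exactly downstream, since the value that reaches the indexed document is the rounded double, not the integer that was written.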