You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@metron.apache.org by "Jon Zeolla (JIRA)" <ji...@apache.org> on 2016/10/18 18:17:58 UTC

[jira] [Created] (METRON-507) Elasticsearch is incorrectly indexing the Bro DNS "answers" field

Jon Zeolla created METRON-507:
---------------------------------

             Summary: Elasticsearch is incorrectly indexing the Bro DNS "answers" field
                 Key: METRON-507
                 URL: https://issues.apache.org/jira/browse/METRON-507
             Project: Metron
          Issue Type: Bug
            Reporter: Jon Zeolla
             Fix For: 0.2.2BETA


Currently the template provided to Elasticsearch for bro logs is assuming that it will get an ip address in the answers field of a Bro DNS log, however that is not always true.  Depending on the type of record being received, the contents could vary between IPs, domain names, or character strings.  Various RFCs outline this, however a good starting point is RFC 1035 section 3.3.  

Example error:
[1]: index [bro_index_2016.10.18.12], type [bro_doc], id [xyz-abc], message [MapperParsingException[failed to parse [answers]]; nested: IllegalArgumentException[failed to parse ip [something.example.com], not a valid ip address];]



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)