Posted to issues@metron.apache.org by "Neha Sinha (JIRA)" <ji...@apache.org> on 2016/09/16 12:02:21 UTC

[jira] [Created] (METRON-425) Stellar transformation fails to handle special characters

Neha Sinha created METRON-425:
---------------------------------

             Summary: Stellar transformation fails to handle special characters
                 Key: METRON-425
                 URL: https://issues.apache.org/jira/browse/METRON-425
             Project: Metron
          Issue Type: Bug
            Reporter: Neha Sinha


I updated the snort parser file to have the following Stellar transformation:


PARSER Config: snort
{
  "parserClassName": "org.apache.metron.parsers.snort.BasicSnortParser",
  "sensorTopic": "snort",
  "parserConfig": {},
  "fieldTransformations": [
    {
      "transformation": "STELLAR",
      "output": [ "is_alert", "newStellarField", "isAlert" ],
      "config": {
        "is_alert": "false",
        "isAlert": "false",
        "newStellarField": "<<??>>"
      }
    }
  ]
}


I get the following exception/error for the snort logs:


2016-09-13 11:30:32.765 o.a.m.p.BasicParser [TRACE] [Metron] Message conforms to schema: {"msg":"\"'snort test alert'\"","sig_rev":"0","ip_dst_port":"80","ethsrc":"00:00:00:00:00:00","tcpseq":"0x5869E532","dgmlen":"40","icmpid":"","tcplen":"","tcpwindow":"0xFA02","icmpseq":"","tcpack":"0x3E05E218","protocol":"TCP","ip_dst_addr":"72.34.49.86","original_string":"09\/13-11:30:25.703857 ,1,999158,0,\"'snort test alert'\",TCP,192.168.138.158,49204,72.34.49.86,80,00:00:00:00:00:00,00:00:00:00:00:00,0x3C,***A****,0x5869E532,0x3E05E218,,0xFA02,128,0,2508,40,40960,,,,","icmpcode":"","tos":"0","id":"2508","ip_src_addr":"192.168.138.158","timestamp":1473766928857,"ethdst":"00:00:00:00:00:00","is_alert":"true","ttl":"128","ethlen":"0x3C","iplen":"40960","icmptype":"","ip_src_port":"49204","tcpflags":"***A****","sig_id":"999158","sig_generator":"1"}
2016-09-13 11:30:32.766 b.s.d.executor [ERROR] 
org.apache.metron.common.dsl.ParseException: Syntax error @ 1:0 no viable alternative at input '<'
	at org.apache.metron.common.dsl.ErrorListener.syntaxError(ErrorListener.java:34) ~[stormjar.jar:?]
	at org.antlr.v4.runtime.ProxyErrorListener.syntaxError(ProxyErrorListener.java:65) ~[stormjar.jar:?]
	at org.antlr.v4.runtime.Parser.notifyErrorListeners(Parser.java:558) ~[stormjar.jar:?]
	at org.antlr.v4.runtime.DefaultErrorStrategy.reportNoViableAlternative(DefaultErrorStrategy.java:310) ~[stormjar.jar:?]
	at org.antlr.v4.runtime.DefaultErrorStrategy.reportError(DefaultErrorStrategy.java:147) ~[stormjar.jar:?]
	at org.apache.metron.common.stellar.generated.StellarParser.transformation_expr(StellarParser.java:300) ~[stormjar.jar:?]
	at org.apache.metron.common.stellar.generated.StellarParser.transformation(StellarParser.java:146) ~[stormjar.jar:?]
	at org.apache.metron.common.stellar.BaseStellarProcessor.parse(BaseStellarProcessor.java:92) ~[stormjar.jar:?]
	at org.apache.metron.common.field.transformation.StellarTransformation.map(StellarTransformation.java:46) ~[stormjar.jar:?]
	at org.apache.metron.common.configuration.FieldTransformer.transform(FieldTransformer.java:111) ~[stormjar.jar:?]
	at org.apache.metron.common.configuration.FieldTransformer.transformAndUpdate(FieldTransformer.java:123) ~[stormjar.jar:?]
	at org.apache.metron.parsers.bolt.ParserBolt.execute(ParserBolt.java:125) [stormjar.jar:?]
	at backtype.storm.daemon.executor$fn__5492$tuple_action_fn__5494.invoke(executor.clj:684) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
	at backtype.storm.daemon.executor$mk_task_receiver$fn__5415.invoke(executor.clj:431) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
	at backtype.storm.disruptor$clojure_handler$reify__4991.onEvent(disruptor.clj:58) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
	at backtype.storm.utils.DisruptorQueue.consumeBatchToCursor(DisruptorQueue.java:125) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
	at backtype.storm.utils.DisruptorQueue.consumeBatchWhenAvailable(DisruptorQueue.java:99) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
	at backtype.storm.disruptor$consume_batch_when_available.invoke(disruptor.clj:80) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
	at backtype.storm.daemon.executor$fn__5492$fn__5505$fn__5556.invoke(executor.clj:813) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
	at backtype.storm.util$async_loop$fn__644.invoke(util.clj:479) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
	at clojure.lang.AFn.run(AFn.java:22) [clojure-1.6.0.jar:?]
	at java.lang.Thread.run(Thread.java:745) [?:1.8.0_60]
Caused by: org.antlr.v4.runtime.NoViableAltException
	at org.antlr.v4.runtime.atn.ParserATNSimulator.noViableAlt(ParserATNSimulator.java:1894) ~[stormjar.jar:?]
	at org.antlr.v4.runtime.atn.ParserATNSimulator.execATN(ParserATNSimulator.java:498) ~[stormjar.jar:?]
	at org.antlr.v4.runtime.atn.ParserATNSimulator.adaptivePredict(ParserATNSimulator.java:424) ~[stormjar.jar:?]
	at org.apache.metron.common.stellar.generated.StellarParser.transformation_expr(StellarParser.java:251) ~[stormjar.jar:?]
	... 16 more






