Posted to issues@metron.apache.org by "Jon Zeolla (JIRA)" <ji...@apache.org> on 2016/10/18 19:12:59 UTC

[jira] [Comment Edited] (METRON-507) Elasticsearch is incorrectly indexing the Bro DNS "answers" field

    [ https://issues.apache.org/jira/browse/METRON-507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15586376#comment-15586376 ] 

Jon Zeolla edited comment on METRON-507 at 10/18/16 7:12 PM:
-------------------------------------------------------------

You [beat me](https://github.com/JonZeolla/incubator-metron/commit/956169c3da99a1379761e82f810f55fd5f16d915) to the PR.  I'm still not sure how to assign issues (i.e. this, METRON-508, etc.) to myself...


was (Author: zeolla@gmail.com):
You [beat me](https://github.com/JonZeolla/incubator-metron/commit/956169c3da99a1379761e82f810f55fd5f16d915) to the PR.  I was trying to figure out how to assign this and METRON-508 to myself...

> Elasticsearch is incorrectly indexing the Bro DNS "answers" field
> -----------------------------------------------------------------
>
>                 Key: METRON-507
>                 URL: https://issues.apache.org/jira/browse/METRON-507
>             Project: Metron
>          Issue Type: Bug
>            Reporter: Jon Zeolla
>             Fix For: 0.2.2BETA
>
>   Original Estimate: 10m
>  Remaining Estimate: 10m
>
> Currently the template provided to Elasticsearch for bro logs is assuming that it will get an IP address in the answers field of a Bro DNS log; however, that is not always true.  Depending on the type of record being received, the contents could vary between IPs, domain names, or character strings.  Various RFCs outline this; however, a good starting point is RFC 1035 section 3.3.
> Example error:
> [1]: index [bro_index_2016.10.18.12], type [bro_doc], id [xyz-abc], message [MapperParsingException[failed to parse [answers]]; nested: IllegalArgumentException[failed to parse ip [something.example.com], not a valid ip address];]



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
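As an added illustration (not code from the issue, the linked PR, or the Metron project), the Python script below simulates the mapper behaviour the report describes: an Elasticsearch field mapped as `ip` rejects any Bro DNS `answers` value that is not an IP address, while a string-typed mapping stores A, CNAME and TXT answers alike. The mapping fragments and the three dns.log records are constructed for this example; Bro field names (`qtype_name`, `answers`) are real, the values are made up.

```python
"""
Added example (not Metron project code): simulate how an Elasticsearch
`ip`-typed field rejects Bro DNS `answers` values that are not IP addresses,
and how a string-typed mapping accepts them.  The records below are
constructed; field names follow Bro's dns.log (qtype_name, query, answers).
"""
import ipaddress


class MapperParsingException(Exception):
    """Stand-in for the Elasticsearch exception quoted in the issue."""


# Assumed, simplified mapping fragments; NOT Metron's real bro template.
IP_MAPPING = {"properties": {"answers": {"type": "ip"}}}
STRING_MAPPING = {
    "properties": {"answers": {"type": "string", "index": "not_analyzed"}}
}

# Constructed Bro dns.log records for three record types.  Bro renders
# `answers` as a vector, so one response may carry several values.
SAMPLE_DNS_LOGS = [
    {"qtype_name": "A", "query": "example.com", "answers": ["93.184.216.34"]},
    {"qtype_name": "CNAME", "query": "www.example.com",
     "answers": ["something.example.com"]},
    {"qtype_name": "TXT", "query": "example.com", "answers": ["v=spf1 -all"]},
]


def parse_ip(value):
    """Coerce one value the way an `ip` field would; raise on anything that is
    not an address.  (Elasticsearch 2.x only stored IPv4 in `ip` fields; the
    ipaddress module also accepts IPv6, which is harmless for this demo.)"""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        raise MapperParsingException(
            f"failed to parse [answers]; nested: failed to parse ip [{value}], "
            "not a valid ip address"
        )
    return value


def index_document(doc, mapping):
    """Mimic the mapper: for each field mapped as `ip`, validate every value.
    Returns the document that would be stored, or raises MapperParsingException."""
    stored = {}
    for field, value in doc.items():
        field_mapping = mapping["properties"].get(field)
        if field_mapping is None or field_mapping["type"] != "ip":
            stored[field] = value          # dynamic or string-typed: stored as-is
            continue
        values = value if isinstance(value, list) else [value]
        stored[field] = [parse_ip(v) for v in values]
    return stored


def index_all(docs, mapping):
    """Index every record; return (stored_docs, failures) where failures maps
    the DNS record type to the mapper error message."""
    stored, failures = [], {}
    for doc in docs:
        try:
            stored.append(index_document(doc, mapping))
        except MapperParsingException as exc:
            failures[doc["qtype_name"]] = str(exc)
    return stored, failures


if __name__ == "__main__":
    ok, bad = index_all(SAMPLE_DNS_LOGS, IP_MAPPING)
    print(f"ip mapping:     indexed {len(ok)}, rejected {len(bad)}")
    for qtype, msg in bad.items():
        print(f"  {qtype}: {msg}")
    ok, bad = index_all(SAMPLE_DNS_LOGS, STRING_MAPPING)
    print(f"string mapping: indexed {len(ok)}, rejected {len(bad)}")
```

With the `ip` mapping only the A record is indexed and the CNAME and TXT records fail with the same "not a valid ip address" error shown in the report; with the string mapping all three are stored. Because a rejected document is dropped rather than stored with a partial field, the practical cost of the wrong type is silent loss of exactly the non-A answers (CNAME chains, TXT, MX targets) that are often the interesting ones in DNS investigations, which is worth a check on any index template that assumes a fixed answer type.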

Re: [jira] [Comment Edited] (METRON-507) Elasticsearch is incorrectly indexing the Bro DNS "answers" field

Posted by "Zeolla@GMail.com" <ze...@gmail.com>.
Thanks James, now I can self-assign.  I will close 507 and work on 508
soon.  Thanks,

Jon

On Tue, Oct 18, 2016 at 3:15 PM James Sirota <js...@hortonworks.com>
wrote:

> Try now
>
>
>
>
> On 10/18/16, 12:12 PM, "Jon Zeolla (JIRA)" <ji...@apache.org> wrote:
>
> >
> >    [
> https://issues.apache.org/jira/browse/METRON-507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15586376#comment-15586376
> ]
> >
> >Jon Zeolla edited comment on METRON-507 at 10/18/16 7:12 PM:
> >-------------------------------------------------------------
> >
> >You [beat me](
> https://github.com/JonZeolla/incubator-metron/commit/956169c3da99a1379761e82f810f55fd5f16d915)
> to the PR.  I'm still not sure how to assign issues (i.e. this, METRON-508,
> etc.) to myself...
> >
> >
> >was (Author: zeolla@gmail.com):
> >You [beat me](
> https://github.com/JonZeolla/incubator-metron/commit/956169c3da99a1379761e82f810f55fd5f16d915)
> to the PR.  I was trying to figure out how to assign this and METRON-508 to
> myself...
> >
> >> Elasticsearch is incorrectly indexing the Bro DNS "answers" field
> >> -----------------------------------------------------------------
> >>
> >>                 Key: METRON-507
> >>                 URL: https://issues.apache.org/jira/browse/METRON-507
> >>             Project: Metron
> >>          Issue Type: Bug
> >>            Reporter: Jon Zeolla
> >>             Fix For: 0.2.2BETA
> >>
> >>   Original Estimate: 10m
> >>  Remaining Estimate: 10m
> >>
> >> Currently the template provided to Elasticsearch for bro logs is
> assuming that it will get an IP address in the answers field of a Bro DNS
> log; however, that is not always true.  Depending on the type of record
> being received, the contents could vary between IPs, domain names, or
> character strings.  Various RFCs outline this; however, a good starting
> point is RFC 1035 section 3.3.
> >> Example error:
> >> [1]: index [bro_index_2016.10.18.12], type [bro_doc], id [xyz-abc],
> message [MapperParsingException[failed to parse [answers]]; nested:
> IllegalArgumentException[failed to parse ip [something.example.com], not
> a valid ip address];]
> >
> >
> >
> >--
> >This message was sent by Atlassian JIRA
> >(v6.3.4#6332)
> >
>
-- 

Jon

Re: [jira] [Comment Edited] (METRON-507) Elasticsearch is incorrectly indexing the Bro DNS "answers" field

Posted by James Sirota <js...@hortonworks.com>.
Try now




On 10/18/16, 12:12 PM, "Jon Zeolla (JIRA)" <ji...@apache.org> wrote:

>
>    [ https://issues.apache.org/jira/browse/METRON-507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15586376#comment-15586376 ] 
>
>Jon Zeolla edited comment on METRON-507 at 10/18/16 7:12 PM:
>-------------------------------------------------------------
>
>You [beat me](https://github.com/JonZeolla/incubator-metron/commit/956169c3da99a1379761e82f810f55fd5f16d915) to the PR.  I'm still not sure how to assign issues (i.e. this, METRON-508, etc.) to myself...
>
>
>was (Author: zeolla@gmail.com):
>You [beat me](https://github.com/JonZeolla/incubator-metron/commit/956169c3da99a1379761e82f810f55fd5f16d915) to the PR.  I was trying to figure out how to assign this and METRON-508 to myself...
>
>> Elasticsearch is incorrectly indexing the Bro DNS "answers" field
>> -----------------------------------------------------------------
>>
>>                 Key: METRON-507
>>                 URL: https://issues.apache.org/jira/browse/METRON-507
>>             Project: Metron
>>          Issue Type: Bug
>>            Reporter: Jon Zeolla
>>             Fix For: 0.2.2BETA
>>
>>   Original Estimate: 10m
>>  Remaining Estimate: 10m
>>
>> Currently the template provided to Elasticsearch for bro logs is assuming that it will get an IP address in the answers field of a Bro DNS log; however, that is not always true.  Depending on the type of record being received, the contents could vary between IPs, domain names, or character strings.  Various RFCs outline this; however, a good starting point is RFC 1035 section 3.3.
>> Example error:
>> [1]: index [bro_index_2016.10.18.12], type [bro_doc], id [xyz-abc], message [MapperParsingException[failed to parse [answers]]; nested: IllegalArgumentException[failed to parse ip [something.example.com], not a valid ip address];]
>
>
>
>--
>This message was sent by Atlassian JIRA
>(v6.3.4#6332)
>