Posted to issues@metron.apache.org by "Ryan Merriman (JIRA)" <ji...@apache.org> on 2016/10/25 16:04:58 UTC
[jira] [Created] (METRON-515) Stellar IS_EMPTY() function does not work as expected
Ryan Merriman created METRON-515:
------------------------------------
Summary: Stellar IS_EMPTY() function does not work as expected
Key: METRON-515
URL: https://issues.apache.org/jira/browse/METRON-515
Project: Metron
Issue Type: Bug
Reporter: Ryan Merriman
Assignee: Ryan Merriman
The "IS_EMPTY" Stellar function is not giving the correct result in some cases. Consider the following enrichment config:
{
  "index": "bro",
  "batchSize": 5,
  "enrichment" : {
    "fieldMap": {
      "geo": ["ip_dst_addr", "ip_src_addr"],
      "host": ["host"]
    }
  },
  "threatIntel": {
    "fieldMap": {
      "hbaseThreatIntel": ["ip_src_addr", "ip_dst_addr"]
    },
    "fieldToTypeMap": {
      "ip_src_addr" : ["malicious_ip"],
      "ip_dst_addr" : ["malicious_ip"]
    },
    "triageConfig" : {
      "riskLevelRules" : {
        "exists(ip_dst_addr)" : 0.10,
        "IS_EMPTY(rcode)" : 0.91,
        "exists(ip_dst_port)" : 0.20,
        "exists(ip_src_port)" : 0.30000000000
      },
      "aggregator" : "MAX",
      "aggregationConfig" : {
        "NEGATIVE_VALUES_TRUMP_CONF" : "false"
      }
    }
  }
}
When a message with "rcode" = 0 is sent through the enrichment topology, the function incorrectly returns true and sets the threat triage value to 0.91.
--
This message was sent by Atlassian JIRA (v6.3.4#6332)
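Added example (not Metron's own code, and not from the issue): a small stand-in for the riskLevelRules / MAX evaluation above, with an IS_EMPTY that only reports absent values, empty strings and empty collections as empty. The "buggy" variant, which treats every falsy value as empty, is an assumed failure mode included only to reproduce the reported symptom (rcode = 0 scoring 0.91); the message is constructed.

```python
def is_empty_buggy(value):
    # Assumed failure mode: truthiness-based check, so a numeric 0 reads as empty.
    return not value


def is_empty(value):
    # Empty means absent, an empty string or an empty collection; 0 is a present value.
    if value is None:
        return True
    if isinstance(value, (str, list, dict, set, tuple)):
        return len(value) == 0
    return False


def exists(message, field):
    # Mirrors exists(field): the field is present and not null.
    return message.get(field) is not None


def score(message, rules, is_empty_fn):
    """MAX-aggregated triage score for one message.

    rules maps (predicate, field) to a score, mirroring the riskLevelRules
    block of the config above with aggregator "MAX". Positive values only,
    so NEGATIVE_VALUES_TRUMP_CONF does not come into play here.
    """
    hits = []
    for (pred, field), value in rules.items():
        if pred == "exists" and exists(message, field):
            hits.append(value)
        elif pred == "IS_EMPTY" and is_empty_fn(message.get(field)):
            hits.append(value)
    return max(hits) if hits else 0.0


# The four rules from the config above, keyed by (predicate, field).
RULES = {
    ("exists", "ip_dst_addr"): 0.10,
    ("IS_EMPTY", "rcode"): 0.91,
    ("exists", "ip_dst_port"): 0.20,
    ("exists", "ip_src_port"): 0.30,
}

# Constructed sample message: every field present, and rcode set to 0.
MESSAGE = {"ip_src_addr": "10.0.0.5", "ip_dst_addr": "10.0.0.53",
           "ip_src_port": 51234, "ip_dst_port": 53, "rcode": 0}

if __name__ == "__main__":
    print("buggy:", score(MESSAGE, RULES, is_empty_buggy))   # 0.91
    print("fixed:", score(MESSAGE, RULES, is_empty))         # 0.3
```

With the truthiness-based check the rcode rule fires and dominates the MAX aggregation; with the corrected check the score falls back to the highest exists() rule, and only a message that really lacks rcode scores 0.91.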