Posted to issues@metron.apache.org by "Ryan Merriman (JIRA)" <ji...@apache.org> on 2016/10/25 16:04:58 UTC

[jira] [Created] (METRON-515) Stellar IS_EMPTY() function does not work as expected

Ryan Merriman created METRON-515:
------------------------------------

             Summary: Stellar IS_EMPTY() function does not work as expected
                 Key: METRON-515
                 URL: https://issues.apache.org/jira/browse/METRON-515
             Project: Metron
          Issue Type: Bug
            Reporter: Ryan Merriman
            Assignee: Ryan Merriman


The "IS_EMPTY" Stellar function is not giving the correct result in some cases.  Consider the following enrichment config:

{
  "index": "bro",
  "batchSize": 5,
  "enrichment" : {
    "fieldMap": {
      "geo": ["ip_dst_addr", "ip_src_addr"],
      "host": ["host"]
    }
  },
  "threatIntel": {
    "fieldMap": {
      "hbaseThreatIntel": ["ip_src_addr", "ip_dst_addr"]
    },
    "fieldToTypeMap": {
      "ip_src_addr" : ["malicious_ip"],
      "ip_dst_addr" : ["malicious_ip"]
    },
    "triageConfig" : {
      "riskLevelRules" : {
        "exists(ip_dst_addr)" : 0.10,
        "IS_EMPTY(rcode)" : 0.91,
        "exists(ip_dst_port)" : 0.20,
        "exists(ip_src_port)" : 0.30000000000
      },
      "aggregator" : "MAX",
      "aggregationConfig" : {
        "NEGATIVE_VALUES_TRUMP_CONF" : "false"
      }
    }
  }
}

When a message with "rcode" = 0 is sent through the enrichment topology, the function incorrectly returns true and sets the threat triage value to 0.91.
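As an added illustration, not code from Metron or from this ticket: a small Python model of the riskLevelRules above, evaluated with MAX aggregation against a constructed Bro-style message whose rcode is 0. The ticket does not give the root cause; the buggy variant below uses a truthiness test, one common way a numeric zero ends up counted as empty, beside a version that treats only null and zero-length values as empty.

```python
"""Standalone model of threat-triage rule evaluation (not Metron/Stellar code).

A message is a dict of fields; each rule is a predicate paired with the score
from the ticket's triageConfig; the aggregator is MAX, as in the config.
"""
from collections.abc import Sized


def is_empty_buggy(value):
    # Truthiness test: the integer 0 (as well as 0.0 and False) is reported
    # as empty. This reproduces the symptom described for rcode = 0; it is an
    # illustration, not the root cause stated anywhere in the ticket.
    return not value


def is_empty(value):
    # Empty means absent (None) or a zero-length string/collection.
    if value is None:
        return True
    if isinstance(value, Sized):          # str, bytes, list, dict, set, ...
        return len(value) == 0
    return False                          # numbers and booleans are never empty


def exists(message, field):
    # Mirrors exists(field): true when the field is present on the message.
    return field in message


def build_rules(is_empty_fn):
    # Same rule expressions and scores as the riskLevelRules in the config.
    return [
        (lambda m: exists(m, "ip_dst_addr"), 0.10),
        (lambda m: is_empty_fn(m.get("rcode")), 0.91),
        (lambda m: exists(m, "ip_dst_port"), 0.20),
        (lambda m: exists(m, "ip_src_port"), 0.30),   # 0.30000000000 in the config
    ]


def triage_score(message, rules):
    # MAX aggregation: the highest score among the rules that fire, 0.0 if none.
    fired = [score for predicate, score in rules if predicate(message)]
    return max(fired) if fired else 0.0


# Constructed sample: a DNS record with a successful (0) response code.
MESSAGE = {"ip_src_addr": "10.0.0.5", "ip_dst_addr": "10.0.0.53",
           "ip_src_port": 51515, "ip_dst_port": 53, "rcode": 0}

if __name__ == "__main__":
    print("buggy  :", triage_score(MESSAGE, build_rules(is_empty_buggy)))  # 0.91
    print("correct:", triage_score(MESSAGE, build_rules(is_empty)))        # 0.3
```

With the corrected predicate the 0.91 rule no longer fires for rcode = 0, so MAX aggregation yields 0.30 from the port rule instead.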



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)