Posted to commits@metron.apache.org by ce...@apache.org on 2016/06/16 18:51:31 UTC
incubator-metron git commit: METRON-231: Snort parser should throw
exception. This closes apache/incubator-metron#155
Repository: incubator-metron
Updated Branches:
refs/heads/master 916432c96 -> 0a3da362e
METRON-231: Snort parser should throw exception. This closes apache/incubator-metron#155
Project: http://git-wip-us.apache.org/repos/asf/incubator-metron/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-metron/commit/0a3da362
Tree: http://git-wip-us.apache.org/repos/asf/incubator-metron/tree/0a3da362
Diff: http://git-wip-us.apache.org/repos/asf/incubator-metron/diff/0a3da362
Branch: refs/heads/master
Commit: 0a3da362e1db942bcb93e40cf30012f10895609e
Parents: 916432c
Author: cstella <ce...@gmail.com>
Authored: Thu Jun 16 14:51:20 2016 -0400
Committer: cstella <ce...@gmail.com>
Committed: Thu Jun 16 14:51:20 2016 -0400
----------------------------------------------------------------------
.../metron/parsers/snort/BasicSnortParser.java | 7 +-
.../apache/metron/parsers/SnortParserTest.java | 74 ++++++++++++++++++++
2 files changed, 77 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-metron/blob/0a3da362/metron-platform/metron-parsers/src/main/java/org/apache/metron/parsers/snort/BasicSnortParser.java
----------------------------------------------------------------------
diff --git a/metron-platform/metron-parsers/src/main/java/org/apache/metron/parsers/snort/BasicSnortParser.java b/metron-platform/metron-parsers/src/main/java/org/apache/metron/parsers/snort/BasicSnortParser.java
index 1fcb6c4..f295d4c 100644
--- a/metron-platform/metron-parsers/src/main/java/org/apache/metron/parsers/snort/BasicSnortParser.java
+++ b/metron-platform/metron-parsers/src/main/java/org/apache/metron/parsers/snort/BasicSnortParser.java
@@ -119,10 +119,9 @@ public class BasicSnortParser extends BasicParser {
jsonMessage.put("is_alert", "true");
messages.add(jsonMessage);
} catch (Exception e) {
-
- _LOG.error("unable to parse message: " + rawMessage);
- e.printStackTrace();
- return null;
+ String message = "Unable to parse message: " + rawMessage;
+ _LOG.error(message, e);
+ throw new IllegalStateException(message, e);
}
return messages;
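Review bot: The new catch block both logs the failure at error level and throws an IllegalStateException carrying the same message and cause, so the same parse failure will typically be reported twice once the caller handles the exception; pick one, most naturally keeping `throw new IllegalStateException(message, e);` and dropping the `_LOG.error(message, e);` line, and let the caller decide how to log. It is also worth confirming what `rawMessage` is at this point: if it is still the `byte[]` argument rather than the decoded text, the concatenation will render as `Unable to parse message: [B@...`, and `new String(rawMessage, StandardCharsets.UTF_8)` (or the decoded CSV string the method already builds, if any) would be the useful value to include. Because `parse` now throws where it used to return `null`, its Javadoc should state the new contract, e.g. `@throws IllegalStateException if the message cannot be parsed as a Snort CSV alert`. The enclosing `parse` method begins before the hunk, so its signature and Javadoc are not visible here.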
http://git-wip-us.apache.org/repos/asf/incubator-metron/blob/0a3da362/metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/SnortParserTest.java
----------------------------------------------------------------------
diff --git a/metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/SnortParserTest.java b/metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/SnortParserTest.java
new file mode 100644
index 0000000..6d777aa
--- /dev/null
+++ b/metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/SnortParserTest.java
@@ -0,0 +1,74 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.metron.parsers;
+
+import org.adrianwalker.multilinestring.Multiline;
+import org.apache.metron.parsers.snort.BasicSnortParser;
+import org.junit.Assert;
+import org.junit.Test;
+
+import java.util.Map;
+
+public class SnortParserTest {
+ /**
+ 01/27-16:01:04.877970 ,129,12,1,"Consecutive TCP small segments exceeding threshold",TCP,10.0.2.2,56642,10.0.2.15,22,52:54:00:12:35:02,08:00:27:7F:93:2D,0x4E,***AP***,0x9AFF3D7,0xC8761D52,,0xFFFF,64,0,59677,64,65536,,,,
+ **/
+ @Multiline
+ public static String goodMessage;
+
+
+ @Test
+ public void testGoodMessage() {
+ BasicSnortParser parser = new BasicSnortParser();
+ Map out = parser.parse(goodMessage.getBytes()).get(0);
+ Assert.assertEquals(out.get("msg"),"\"Consecutive TCP small segments exceeding threshold\"");
+ Assert.assertEquals(out.get("sig_rev"), "1");
+ Assert.assertEquals(out.get("ip_dst_addr"), "10.0.2.15");
+ Assert.assertEquals(out.get("ip_dst_port"), "22");
+ Assert.assertEquals(out.get("ethsrc"), "52:54:00:12:35:02");
+ Assert.assertEquals(out.get("tcpseq"),"0x9AFF3D7");
+ Assert.assertEquals(out.get("dgmlen"), "64");
+ Assert.assertEquals(out.get("icmpid"), "");
+ Assert.assertEquals(out.get("tcplen"), "");
+ Assert.assertEquals(out.get("tcpwindow"), "0xFFFF");
+ Assert.assertEquals(out.get("icmpseq").toString().trim(), "");
+ Assert.assertEquals(out.get("tcpack"), "0xC8761D52");
+ Assert.assertEquals(out.get("icmpcode"), "");
+ Assert.assertEquals(out.get("tos"), "0");
+ Assert.assertEquals(out.get("id"), "59677");
+ Assert.assertEquals(out.get("ethdst"), "08:00:27:7F:93:2D");
+ Assert.assertEquals(out.get("ip_src_addr"), "10.0.2.2");
+ Assert.assertEquals(out.get("ttl"),"64");
+ Assert.assertEquals(out.get("ethlen"),"0x4E");
+ Assert.assertEquals(out.get("iplen"),"65536");
+ Assert.assertEquals(out.get("icmptype"),"");
+ Assert.assertEquals(out.get("protocol"),"TCP");
+ Assert.assertEquals(out.get("ip_src_port"),"56642");
+ Assert.assertEquals(out.get("tcpflags"),"***AP***");
+ Assert.assertEquals(out.get("sig_id"),"12");
+ Assert.assertEquals(out.get("sig_generator"), "129");
+ Assert.assertEquals(out.get("is_alert"), "true");
+ }
+
+ @Test(expected=IllegalStateException.class)
+ public void testBadMessage() {
+ BasicSnortParser parser = new BasicSnortParser();
+ parser.parse("foo bar".getBytes());
+ }
+}
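Review bot: The assertions in testGoodMessage pass arguments as (actual, expected), while JUnit's `Assert.assertEquals(expected, actual)` takes the reverse, so a failure would report the parser's output as the expected value and the literal as what was observed; e.g. `Assert.assertEquals("1", out.get("sig_rev"));`. `Map out` on the `parser.parse(...)` line is a raw type; declaring it as the element type `parse` actually returns (or `Map<String, Object>` if that type permits) avoids the unchecked lookup. `goodMessage.getBytes()` and `"foo bar".getBytes()` depend on the JVM's default charset; `getBytes(StandardCharsets.UTF_8)` keeps the test independent of `file.encoding`, which matters once non-ASCII alert text is exercised.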