Posted to issues@metron.apache.org by "Otto Fowler (JIRA)" <ji...@apache.org> on 2016/10/26 03:55:58 UTC

[jira] [Commented] (METRON-515) Stellar IS_EMPTY() function does not work as expected

    [ https://issues.apache.org/jira/browse/METRON-515?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15607318#comment-15607318 ] 

Otto Fowler commented on METRON-515:
------------------------------------

IS_EMPTY's parameters are STRING or COLLECTION.  How is the value getting passed?  If it is getting passed as 0/Integer(0) then it is going to default to returning true (and I can reproduce this by writing new tests).  In this case the bug could be argued to be that the function doesn't error when passed an invalid parameter, could it not?  At least as currently documented.

Do you have a sample data set?


> Stellar IS_EMPTY() function does not work as expected
> -----------------------------------------------------
>
>                 Key: METRON-515
>                 URL: https://issues.apache.org/jira/browse/METRON-515
>             Project: Metron
>          Issue Type: Bug
>            Reporter: Ryan Merriman
>            Assignee: Ryan Merriman
>
> The "IS_EMPTY" Stellar function is not giving the correct result in some cases.  Consider the following enrichment config:
> {
>   "index": "bro",
>   "batchSize": 5,
>   "enrichment" : {
>     "fieldMap": {
>       "geo": ["ip_dst_addr", "ip_src_addr"],
>       "host": ["host"]
>     }
>   },
>   "threatIntel": {
>     "fieldMap": {
>       "hbaseThreatIntel": ["ip_src_addr", "ip_dst_addr"]
>     },
>     "fieldToTypeMap": {
>       "ip_src_addr" : ["malicious_ip"],
>       "ip_dst_addr" : ["malicious_ip"]
>     },
>     "triageConfig" : {
>       "riskLevelRules" : {
>         "exists(ip_dst_addr)" : 0.10,
>         "IS_EMPTY(rcode)" : 0.91,
>         "exists(ip_dst_port)" : 0.20,
>         "exists(ip_src_port)" : 0.30000000000
>       },
>       "aggregator" : "MAX",
>       "aggregationConfig" : {
>         "NEGATIVE_VALUES_TRUMP_CONF" : "false"
>       }
>     }
>   }
> }
> When a message with "rcode" = 0 is sent through the enrichment topology, the function incorrectly returns true and sets the threat triage value to 0.91.
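The fall-through that Otto describes (STRING and COLLECTION are measured, any other type defaults to true) and its effect on the triage rules above, as an added model in Python. This is not Metron's Stellar implementation: the function names, the tiny "FUNC(field)" rule evaluator, the MAX-with-no-rules-fired default of 0.0, the treatment of a missing field as empty, and the bro-style sample message are all constructed for this example. It puts the lenient variant beside a strict one that rejects an unsupported type instead of silently scoring it, which is the alternative reading of the bug raised in the comment.

```python
import re
from collections.abc import Collection

# Constructed bro-style DNS message (not taken from the ticket): rcode is the
# integer 0, a legitimate value, not an empty one.
DNS_NOERROR = {
    "ip_src_addr": "10.0.0.5", "ip_src_port": 51234,
    "ip_dst_addr": "10.0.0.53", "ip_dst_port": 53,
    "rcode": 0,
}

# The riskLevelRules from the ticket's triageConfig.
RISK_LEVEL_RULES = {
    "exists(ip_dst_addr)": 0.10,
    "IS_EMPTY(rcode)": 0.91,
    "exists(ip_dst_port)": 0.20,
    "exists(ip_src_port)": 0.30,
}


def is_empty_lenient(value):
    """Models the behaviour described in the comment: STRING and COLLECTION
    are measured, everything else falls through to True."""
    if value is None:
        return True                       # model's assumption: missing field is empty
    if isinstance(value, Collection):     # str, list, dict, set ... all have len()
        return len(value) == 0
    return True                           # Integer 0 lands here and becomes "empty"


def is_empty_strict(value):
    """Same contract, but an unsupported argument type is an error rather than
    a silent True, so a mis-typed triage rule fails loudly."""
    if value is None:
        return True                       # same model's assumption as above
    if isinstance(value, Collection):
        return len(value) == 0
    raise TypeError(
        f"IS_EMPTY expects STRING or COLLECTION, got {type(value).__name__}")


def rejects_type(value):
    """True when the strict variant refuses the value instead of scoring it."""
    try:
        is_empty_strict(value)
    except TypeError:
        return True
    return False


_RULE = re.compile(r"^(\w+)\((\w+)\)$")


def rule_fires(rule, message, is_empty):
    """Evaluate one 'FUNC(field)' rule. Only the two functions used in the
    ticket's config are modelled; the syntax handled here is an assumption."""
    m = _RULE.match(rule)
    if not m:
        raise ValueError(f"unsupported rule syntax: {rule}")
    func, field = m.groups()
    if func == "exists":
        return message.get(field) is not None
    if func == "IS_EMPTY":
        return is_empty(message.get(field))
    raise ValueError(f"unknown function: {func}")


def triage_score(message, rules, is_empty):
    """MAX aggregator over the rules that fire; 0.0 if none fire (the
    no-rule-fired default is this model's assumption, not Metron's)."""
    fired = [score for rule, score in rules.items()
             if rule_fires(rule, message, is_empty)]
    return max(fired, default=0.0)


if __name__ == "__main__":
    # Lenient dispatch: rcode=0 is treated as empty and the 0.91 rule wins.
    print("lenient:", triage_score(DNS_NOERROR, RISK_LEVEL_RULES, is_empty_lenient))
    # Strict dispatch: the same message surfaces the type mismatch instead.
    try:
        triage_score(DNS_NOERROR, RISK_LEVEL_RULES, is_empty_strict)
    except TypeError as err:
        print("strict:", err)
```

Under the lenient variant the sample message scores 0.91 purely because of the integer rcode; with a string rcode such as "NOERROR" both variants agree on 0.30 (the highest exists() rule), and with the strict variant the integer case raises at evaluation time, which is where a configuration mistake like this is cheapest to catch.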



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)