Posted to issues@metron.apache.org by mmiklavc <gi...@git.apache.org> on 2018/06/17 21:22:40 UTC
[GitHub] metron issue #1065: METRON-1620: Fixes for forensic clustering use case exam...
Github user mmiklavc commented on the issue:
https://github.com/apache/metron/pull/1065
**Testing**
You can run through the full use case, if desired. If you want the TL;DR version to verify the template command, run the command in the README for creating the ES template. Then do the following:
Make sure you have at least 1 other sensor with data, e.g. Bro. In full dev you should be set, otherwise cat data from our unit tests (https://github.com/apache/metron/blob/master/metron-platform/metron-integration-test/src/main/sample/data/bro/raw/BroExampleOutput) into the `bro` Kafka topic and make sure the bro topology is running.
e.g.
```bash
wget https://github.com/apache/metron/raw/master/metron-platform/metron-integration-test/src/main/sample/data/bro/raw/BroExampleOutput -O ~/sample-bro.json
# feed the sample records straight from the file into the bro topic
/usr/hdp/current/kafka-broker/bin/kafka-console-producer.sh --broker-list "$BROKERLIST" --topic bro < ~/sample-bro.json
```
Next, check the template was loaded correctly:
```bash
curl -XGET $ES_HOST'/_template/cowrie_index?pretty=true'
```
Then load the following into ES:
```bash
curl -XPUT $ES_HOST'/cowrie_index_1/cowrie_doc/1' -H 'Content-Type: application/json' -d'
{
"eventid" : "cowrie.command.input",
"adapter:stellaradapter:end:ts" : "1529268179998",
"threatinteljoinbolt:joiner:ts" : "1529268180010",
"session" : "4c047bbc016c",
"threat:triage:rules:0:comment" : "Determine if a host is blacklisted",
"enrichmentsplitterbolt:splitter:begin:ts" : "1529268179997",
"enrichmentjoinbolt:joiner:ts" : "1529268180002",
"threat:triage:rules:0:name" : "Blacklisted Host",
"src_ip" : "94.51.110.74",
"source:type" : "cowrie",
"isError" : 0,
"original_string" : "{\"src_ip\":\"94.51.110.74\",\"eventid\":\"cowrie.command.input\",\"input\":\"\\/bin\\/busybox XUSRH\",\"system\":\"CowrieTelnetTransport,93,94.51.110.74\",\"isError\":0,\"session\":\"4c047bbc016c\",\"sensor\":\"a927e8b28666\",\"message\":\"CMD: \\/bin\\/busybox XUSRH\",\"timestamp\":\"2017-09-17T04:06:40.419195Z\"}",
"threatintelsplitterbolt:splitter:end:ts" : "1529268180004",
"similarity_bin" : "166524",
"threat:triage:rules:0:score" : 10,
"timestamp" : 1505621619195,
"threat:triage:rules:0:reason" : "IP 94.51.110.74 is blacklisted",
"enrichmentsplitterbolt:splitter:end:ts" : "1529268179997",
"threat:triage:score" : 10.0,
"is_alert" : "true",
"adapter:stellaradapter:begin:ts" : "1529268179998",
"message" : "CMD: /bin/busybox XUSRH",
"input" : "/bin/busybox XUSRH",
"blacklisted" : true,
"system" : "CowrieTelnetTransport,93,94.51.110.74",
"threatintelsplitterbolt:splitter:begin:ts" : "1529268180004",
"guid" : "f4e441d2-74e7-4127-89c4-edcf8227f893",
"sensor" : "a927e8b28666",
"tlsh" : "87A002C029850AFE3C890231B18B743C002C10825E5028A6DC8D00C1F213FC6FD31D0C"
}
'
```
Go to the Alerts UI and enter this in the search:
```
is_alert:true AND similarity_bin:166524
```
You should see the alert in the UI.
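Before pushing a hand-built document like the one above into Elasticsearch, it is worth checking that it is internally consistent (the enriched top-level fields agree with `original_string`, and the fields the Alerts UI relies on are present) and that the search you plan to type in the UI would actually match it. The following is an added example, not part of the PR or of Metron's own code; it embeds the document from the comment above (trimmed of the bolt timing fields, and marked as constructed) and uses a deliberately small matcher for `field:value AND field:value` queries, which is an assumption about how the UI search behaves, not Metron's implementation.

```python
import json

# Constructed sample: the cowrie alert document from the curl -XPUT above,
# with the per-bolt *:ts bookkeeping fields left out for brevity.
ALERT_DOC = {
    "eventid": "cowrie.command.input",
    "session": "4c047bbc016c",
    "threat:triage:rules:0:comment": "Determine if a host is blacklisted",
    "threat:triage:rules:0:name": "Blacklisted Host",
    "src_ip": "94.51.110.74",
    "source:type": "cowrie",
    "isError": 0,
    # raw string exactly as the sensor emitted it (JSON with \/ escapes)
    "original_string": r'{"src_ip":"94.51.110.74","eventid":"cowrie.command.input",'
                       r'"input":"\/bin\/busybox XUSRH",'
                       r'"system":"CowrieTelnetTransport,93,94.51.110.74","isError":0,'
                       r'"session":"4c047bbc016c","sensor":"a927e8b28666",'
                       r'"message":"CMD: \/bin\/busybox XUSRH",'
                       r'"timestamp":"2017-09-17T04:06:40.419195Z"}',
    "similarity_bin": "166524",
    "threat:triage:rules:0:score": 10,
    "timestamp": 1505621619195,
    "threat:triage:rules:0:reason": "IP 94.51.110.74 is blacklisted",
    "threat:triage:score": 10.0,
    "is_alert": "true",
    "message": "CMD: /bin/busybox XUSRH",
    "input": "/bin/busybox XUSRH",
    "blacklisted": True,
    "system": "CowrieTelnetTransport,93,94.51.110.74",
    "guid": "f4e441d2-74e7-4127-89c4-edcf8227f893",
    "sensor": "a927e8b28666",
    "tlsh": "87A002C029850AFE3C890231B18B743C002C10825E5028A6DC8D00C1F213FC6FD31D0C",
}

# Fields the UI and the indexing path need on every document (assumed set).
REQUIRED_FIELDS = ("source:type", "timestamp", "guid", "original_string")


def check_original_string(doc):
    """Parse original_string and return the top-level fields that disagree with it.

    The raw timestamp is ISO text while the enriched one is epoch millis, so it
    is not compared here.
    """
    raw = json.loads(doc["original_string"])
    return [field for field, value in raw.items()
            if field != "timestamp" and field in doc and doc[field] != value]


def parse_query(query):
    """Split a conjunctive 'field:value AND field:value' query into (field, value) pairs."""
    terms = []
    for clause in query.split(" AND "):
        field, _, value = clause.strip().partition(":")
        if not field or not value:
            raise ValueError("bad clause: %r" % clause)
        terms.append((field, value))
    return terms


def matches(doc, query):
    """True if every term matches, comparing values as case-insensitive text so that
    the string "true", the bool True and the string "166524" compare the way a text
    search would (an assumption about the UI, not Metron's query semantics)."""
    return all(str(doc.get(field)).lower() == value.lower()
               for field, value in parse_query(query))


def alert_ready(doc, query="is_alert:true AND similarity_bin:166524"):
    """Summarise whether the document is safe to index and findable with the query."""
    return {
        "missing": [f for f in REQUIRED_FIELDS if f not in doc],
        "mismatched": check_original_string(doc),
        "matches_query": matches(doc, query),
    }


if __name__ == "__main__":
    print(json.dumps(alert_ready(ALERT_DOC), indent=2))
```

Running the script reports no missing or mismatched fields for the document above and confirms the `is_alert:true AND similarity_bin:166524` search would match it; edit `input` or drop `guid` to see the check flag the problem before anything reaches the index.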