Posted to issues@metron.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2017/09/19 16:00:00 UTC
[jira] [Commented] (METRON-1195) Meta alerts improperly handle updates to non nested alert field
[ https://issues.apache.org/jira/browse/METRON-1195?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16171944#comment-16171944 ]
ASF GitHub Bot commented on METRON-1195:
----------------------------------------
GitHub user justinleet opened a pull request:
https://github.com/apache/metron/pull/766
METRON-1195: Meta alerts improperly handle updates to non nested alert field
## Contributor Comments
Fix to only calculate scores in the event that we've done something that actually involves scores.
### Testing
* Create a metaalert as described here: https://github.com/apache/metron/pull/734#issuecomment-327590792
* Once one is created, retrieve it from ES:
```
curl 'node1:9200/m*/_search?pretty'
```
* Issue an update from the Swagger UI, replacing the guid with the one retrieved in the last step
```
{
  "guid": "<GUID>",
  "index": "metaalerts",
  "patch": [{
    "op": "replace",
    "path": "/status",
    "value": "inactive"
  }],
  "sensorType": "metaalert",
  "source": {}
}
```
* Issue an update to the meta field itself
```
{
  "guid": "<GUID>",
  "sensorType": "metaalert",
  "index": "metaalerts",
  "patch": [{
    "op": "replace",
    "path": "alert",
    "value": [
      {
        "msg": "snort test alert",
        "threat:triage:rules:0:reason": null,
        "ip_dst_port": "8080",
        "ethsrc": "0A:00:27:00:00:00",
        "threat:triage:score": 10,
        "is_alert": "true",
        "protocol": "TCP",
        "source:type": "snort",
        "ip_dst_addr": "192.168.66.121",
        "ip_src_port": "50187",
        "guid": "snort_test_1",
        "ip_src_addr": "192.168.66.1",
        "threat:triage:rules:0:score": 10,
        "timestamp": 1504708744000
      }
    ]
  }],
  "source": {}
}
```
* Retrieve the meta alert again:
```
curl 'node1:9200/m*/_search?pretty'
```
* Ensure the count field is updated as in this example output:
```
{
  "took" : 1,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "failed" : 0
  },
  "hits" : {
    "total" : 1,
    "max_score" : 1.0,
    "hits" : [ {
      "_index" : "metaalerts",
      "_type" : "metaalert_doc",
      "_id" : "61b028bc-e253-49db-a27b-9f9df23af40b",
      "_score" : 1.0,
      "_timestamp" : 1505836578879,
      "_source" : {
        "average" : 10.0,
        "min" : 10.0,
        "median" : 10.0,
        "alert" : [ {
          "msg" : "snort test alert",
          "threat:triage:rules:0:reason" : null,
          "ip_dst_port" : "8080",
          "ethsrc" : "0A:00:27:00:00:00",
          "threat:triage:score" : 10,
          "is_alert" : "true",
          "protocol" : "TCP",
          "source:type" : "snort",
          "ip_dst_addr" : "192.168.66.121",
          "ip_src_port" : "50187",
          "guid" : "snort_test_1",
          "ip_src_addr" : "192.168.66.1",
          "threat:triage:rules:0:score" : 10,
          "timestamp" : 1504708744000
        } ],
        "max" : 10.0,
        "threat:triage:score" : 10.0,
        "count" : 1,
        "guid" : "61b028bc-e253-49db-a27b-9f9df23af40b",
        "groups" : [ "group_one", "group_two" ],
        "sum" : 10.0,
        "timestamp" : 1505828688919,
        "status" : "inactive"
      }
    } ]
  }
}
```
## Pull Request Checklist
Thank you for submitting a contribution to Apache Metron.
Please refer to our [Development Guidelines](https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=61332235) for the complete guide to follow for contributions.
Please refer also to our [Build Verification Guidelines](https://cwiki.apache.org/confluence/display/METRON/Verifying+Builds?show-miniview) for complete smoke testing guides.
In order to streamline the review of the contribution we ask you follow these guidelines and ask you to double check the following:
### For all changes:
- [x] Is there a JIRA ticket associated with this PR? If not one needs to be created at [Metron Jira](https://issues.apache.org/jira/browse/METRON/?selectedTab=com.atlassian.jira.jira-projects-plugin:summary-panel).
- [x] Does your PR title start with METRON-XXXX where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.
- [x] Has your PR been rebased against the latest commit within the target branch (typically master)?
### For code changes:
- [x] Have you included steps to reproduce the behavior or problem that is being changed or addressed?
- [x] Have you included steps or a guide to how the change may be verified and tested manually?
- [ ] Have you ensured that the full suite of tests and checks have been executed in the root metron folder via:
```
mvn -q clean integration-test install && build_utils/verify_licenses.sh
```
- [x] Have you written or updated unit tests and or integration tests to verify your changes?
- [x] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)?
- [x] Have you verified the basic functionality of the build by building and running locally with Vagrant full-dev environment or the equivalent?
### For documentation related changes:
- [x] Have you ensured that format looks appropriate for the output in which it is rendered by building and verifying the site-book? If not then run the following commands and the verify changes via `site-book/target/site/index.html`:
```
cd site-book
mvn site
```
#### Note:
Please ensure that once the PR is submitted, you check travis-ci for build issues and submit an update to your PR as soon as possible.
It is also recommended that [travis-ci](https://travis-ci.org) is set up for your personal repository such that your branches are built there before submitting a pull request.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/justinleet/metron meta_updates
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/metron/pull/766.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #766
----
commit 0065fc2d5b7685f46cec7d1597dbd04eb298068c
Author: justinjleet <ju...@gmail.com>
Date: 2017-09-19T15:46:34Z
Handling updates that don't involve alerts field properly
----
> Meta alerts improperly handle updates to non nested alert field
> ---------------------------------------------------------------
>
> Key: METRON-1195
> URL: https://issues.apache.org/jira/browse/METRON-1195
> Project: Metron
> Issue Type: Bug
> Reporter: Justin Leet
> Assignee: Justin Leet
>
> Meta alerts attempt to recalculate scores on updates (e.g. via the patch REST API), even though the alerts field isn't available for recalculation.
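The guard the PR describes (recalculate the meta alert's score aggregates only when an update actually touches the nested alert field) and the aggregate fields the expected Elasticsearch output shows, modelled as an added Python example. This is illustrative code, not Metron's own DAO implementation: the stored document and the two patch requests are constructed from the testing steps above, the top-level-only patch applier is a simplification of JSON Patch, and which aggregate is copied into the meta alert's own threat:triage:score is an assumption exposed as the `threat_sort` parameter.

```python
"""Model of the METRON-1195 behaviour: a meta alert's score aggregates are
recomputed only when an update actually touches its nested "alert" field.

Added illustration, not Metron's own code.  Document shapes and patch
entries follow the PR's testing steps; the aggregate field names (count,
sum, min, max, average, median, threat:triage:score) are those shown in
the expected Elasticsearch output.  Which aggregate becomes the meta
alert's threat:triage:score is an assumption, configurable via threat_sort.
"""
import copy
import statistics

SCORE_FIELD = "threat:triage:score"
ALERT_FIELD = "alert"

# Constructed sample: a stored meta alert shaped like the one in the PR's
# expected ES output (one nested snort alert scored 10, status "active").
STORED_META_ALERT = {
    "guid": "61b028bc-e253-49db-a27b-9f9df23af40b",
    "status": "active",
    "groups": ["group_one", "group_two"],
    ALERT_FIELD: [{"guid": "snort_test_1", "source:type": "snort", SCORE_FIELD: 10}],
    "count": 1, "sum": 10.0, "min": 10.0, "max": 10.0,
    "average": 10.0, "median": 10.0, SCORE_FIELD: 10.0,
}


def recalculate_scores(meta_alert, threat_sort="sum"):
    """Recompute the aggregate fields from the nested alerts, in place.

    Raises when there are no nested alerts to aggregate, which is the
    situation a status-only patch request is in: its body carries the
    patch and an empty `source`, not the alerts.
    """
    alerts = meta_alert.get(ALERT_FIELD) or []
    scores = [float(a.get(SCORE_FIELD, 0)) for a in alerts]
    if not scores:
        raise ValueError("no nested alerts available for score recalculation")
    meta_alert["count"] = len(scores)
    meta_alert["sum"] = sum(scores)
    meta_alert["min"] = min(scores)
    meta_alert["max"] = max(scores)
    meta_alert["average"] = statistics.mean(scores)
    meta_alert["median"] = statistics.median(scores)
    # Assumption: the roll-up score is one of the aggregates, chosen by name.
    meta_alert[SCORE_FIELD] = meta_alert[threat_sort]
    return meta_alert


def touches_alert_field(patch):
    """True when any operation in the patch targets the nested alert field.

    Accepts both "/alert" and the slash-less "alert" used in the PR's
    second test request, and nested paths such as "/alert/0".
    """
    return any(op.get("path", "").lstrip("/").split("/")[0] == ALERT_FIELD
               for op in patch)


def apply_patch(meta_alert, patch, threat_sort="sum", always_recalculate=False):
    """Apply top-level add/replace/remove operations and return a new document.

    always_recalculate=True models the pre-fix behaviour (recalculate on
    every update); the default recalculates only when the alert field changed.
    """
    doc = copy.deepcopy(meta_alert)
    for op in patch:
        key = op["path"].lstrip("/")
        if "/" in key:
            raise ValueError("only top-level paths are modelled here")
        if op["op"] in ("add", "replace"):
            doc[key] = copy.deepcopy(op["value"])
        elif op["op"] == "remove":
            doc.pop(key, None)
        else:
            raise ValueError("unsupported op: %s" % op["op"])
    if always_recalculate or touches_alert_field(patch):
        recalculate_scores(doc, threat_sort)
    return doc


if __name__ == "__main__":
    # Status-only update: aggregates must survive untouched.
    status_patch = [{"op": "replace", "path": "/status", "value": "inactive"}]
    updated = apply_patch(STORED_META_ALERT, status_patch)
    print(updated["status"], updated["count"], updated[SCORE_FIELD])
    # Alert-field update: aggregates are recomputed from the new alerts.
    two_alerts = [{"op": "replace", "path": "alert", "value": [
        {"guid": "snort_test_1", SCORE_FIELD: 10},
        {"guid": "snort_test_2", SCORE_FIELD: 15},
    ]}]
    rescored = apply_patch(STORED_META_ALERT, two_alerts)
    print(rescored["count"], rescored["sum"], rescored["median"])
```

Run as a script, the first update leaves count and score at 1 and 10.0 while flipping status, and the second recomputes count 2, sum 25.0 and median 12.5. Passing `always_recalculate=True` to a document that, like the request body in the first test step, carries no alerts reproduces the failure mode the JIRA issue describes: recalculation is attempted with nothing to aggregate.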
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)