Posted to issues@metron.apache.org by "Andrew McKinney (JIRA)" <ji...@apache.org> on 2016/09/02 11:10:21 UTC

[jira] [Created] (METRON-403) Bro elasticsearch bulk index item fails when DNS response includes CNAME

Andrew McKinney created METRON-403:
--------------------------------------

             Summary: Bro elasticsearch bulk index item fails when DNS response includes CNAME
                 Key: METRON-403
                 URL: https://issues.apache.org/jira/browse/METRON-403
             Project: Metron
          Issue Type: Bug
    Affects Versions: 0.2.2BETA
         Environment: 7 node Ambari 2.2 managing HDP 2.4
4 Metron nodes
Followed wiki "Metron Installation on an Ambari-Managed Cluster"
            Reporter: Andrew McKinney
            Priority: Minor


Querying CNAME records returns nested answers, e.g. fedora.aau.at.

{noformat}
;; ANSWER SECTION:
fedora.aau.at.          239     IN      CNAME   www-rpm.aau.at.
www-rpm.aau.at.         149     IN      A       143.205.180.155
{noformat}

This seems to get past the BasicBroParser, but when it comes to indexing, the Bro ES template expects type ip, not a nested string/ip.

{noformat}
 {  
         "TTLs":[  
            445.0,
            414.0
         ],
         "bro_timestamp":"1.472812583319753E9",
         "ip_dst_port":53,
         "threatinteljoinbolt:joiner:ts":"1472812589689",
         "rejected":false,
         "answers":[  
            "www-rpm.aau.at",
            "143.205.180.155"
         ],
         "enrichmentsplitterbolt:splitter:begin:ts":"1472812589689",
         "enrichmentjoinbolt:joiner:ts":"1472812589689",
         "trans_id":802,
         "adapter:geoadapter:begin:ts":"1472812589689",
         "uid":"C6jPJB1uNqfcJmUPMd",
         "protocol":"dns",
         "source:type":"bro",
         "adapter:threatinteladapter:end:ts":"1472812589689",
         "original_string":"DNS | AA:false TTLs:[445.0,414.0] id.orig_p:47902 rejected:false id.resp_p:53 query:fedora.aau.at answers:[\"www-rpm.aau.at\",\"143.205.180.155\"] trans_id:802 rcode:0 rcode_name:NOERROR TC:false RA:true uid:C6jPJB1uNqfcJmUPMd RD:false proto:udp id.orig_h:10.150.194.160 Z:0 ts:1.472812583319753E9 id.resp_h:10.150.194.5",
         "ip_dst_addr":"10.150.194.5",
         "adapter:hostfromjsonlistadapter:end:ts":"1472812589689",
         "Z":0,
         "adapter:geoadapter:end:ts":"1472812589689",
         "ip_src_addr":"10.150.194.160",
         "threatintelsplitterbolt:splitter:end:ts":"1472812589689",
         "timestamp":1472812583319,
         "AA":false,
         "enrichmentsplitterbolt:splitter:end:ts":"1472812589689",
         "query":"fedora.aau.at",
         "rcode":0,
         "adapter:hostfromjsonlistadapter:begin:ts":"1472812589689",
         "rcode_name":"NOERROR",
         "TC":false,
         "RA":true,
         "RD":false,
         "ip_src_port":47902,
         "proto":"udp",
         "threatintelsplitterbolt:splitter:begin:ts":"1472812589689",
         "adapter:threatinteladapter:begin:ts":"1472812589689"
      }
{noformat}

throws

{noformat}
nested:IllegalArgumentException[  
   failed to parse ip   [  
      www-rpm.aau.at
   ],
   not a valid ip address
];

{noformat}

from bro_index.template

{noformat}
{
   "answers": {
          "type": "ip"
        },
{noformat}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
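As an added illustration of the failure mode described in the ticket (this is example code, not part of Metron or of the reporter's report): a pre-index check that walks an Elasticsearch mapping, flags any value landing in an `ip`-typed field that does not parse as an address, and a splitter that keeps the full Bro answers list as strings while copying only the address entries into a separate `ip` field. The mapping fragments, the trimmed DNS record and the `answers_ip` field name are all constructed for the example; the ES 2.x `string`/`not_analyzed` syntax is assumed, since the ticket does not name the Elasticsearch version.

```python
import ipaddress

# Constructed fragment modelled on bro_index.template as quoted in the
# ticket: "answers" is typed ip, so a CNAME string in that array rejects
# the whole bulk item.
BRO_MAPPING = {
    "properties": {
        "query": {"type": "string", "index": "not_analyzed"},
        "answers": {"type": "ip"},
        "ip_src_addr": {"type": "ip"},
        "ip_dst_addr": {"type": "ip"},
        "TTLs": {"type": "double"},
    }
}

# Assumed alternative (not Metron's template): keep every answer as a
# string and put only the address entries into a separate ip-typed field.
SPLIT_MAPPING = {
    "properties": {
        "query": {"type": "string", "index": "not_analyzed"},
        "answers": {"type": "string", "index": "not_analyzed"},
        "answers_ip": {"type": "ip"},
        "ip_src_addr": {"type": "ip"},
        "ip_dst_addr": {"type": "ip"},
        "TTLs": {"type": "double"},
    }
}

# Constructed record, trimmed from the Bro DNS document in the ticket.
CNAME_RECORD = {
    "query": "fedora.aau.at",
    "answers": ["www-rpm.aau.at", "143.205.180.155"],
    "ip_src_addr": "10.150.194.160",
    "ip_dst_addr": "10.150.194.5",
    "TTLs": [445.0, 414.0],
    "protocol": "dns",
}


def is_ip(value):
    """True if value parses as an IPv4 or IPv6 address (stdlib parser)."""
    try:
        ipaddress.ip_address(str(value))
        return True
    except ValueError:
        return False


def find_ip_type_violations(doc, mapping):
    """Return (field, value) pairs where the mapping types the field as ip
    but the value does not parse as an address. Arrays are checked element
    by element, because Elasticsearch rejects the whole document if any one
    element of an ip-typed array fails to parse."""
    violations = []
    for field, spec in mapping["properties"].items():
        if spec.get("type") != "ip" or field not in doc:
            continue
        raw = doc[field]
        values = raw if isinstance(raw, list) else [raw]
        for v in values:
            if not is_ip(v):
                violations.append((field, v))
    return violations


def is_indexable(doc, mapping):
    """True if the document would pass ip-type parsing under this mapping."""
    return not find_ip_type_violations(doc, mapping)


def split_dns_answers(doc, ip_field="answers_ip"):
    """Copy of doc with the address-only subset of answers in ip_field.
    The original answers array (CNAME targets included) is left intact so
    the resolution chain is still searchable as strings."""
    out = dict(doc)
    out[ip_field] = [a for a in doc.get("answers", []) if is_ip(a)]
    return out


if __name__ == "__main__":
    print("violations under ip-typed answers:",
          find_ip_type_violations(CNAME_RECORD, BRO_MAPPING))
    split = split_dns_answers(CNAME_RECORD)
    print("answers_ip:", split["answers_ip"])
    print("indexable under split mapping:", is_indexable(split, SPLIT_MAPPING))
```

Run against the constructed record, the check reports the same `www-rpm.aau.at` entry that the ticket's `failed to parse ip` error names, and the split document passes under the alternative mapping; an A-only answer such as `["143.205.180.155"]` passes under both.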