Posted to issues@metron.apache.org by "Andrew McKinney (JIRA)" <ji...@apache.org> on 2016/09/02 11:10:21 UTC
[jira] [Created] (METRON-403) Bro elasticsearch bulk index item fails when DNS response includes CNAME
Andrew McKinney created METRON-403:
--------------------------------------
Summary: Bro elasticsearch bulk index item fails when DNS response includes CNAME
Key: METRON-403
URL: https://issues.apache.org/jira/browse/METRON-403
Project: Metron
Issue Type: Bug
Affects Versions: 0.2.2BETA
Environment: 7 node Ambari 2.2 managing HDP 2.4
4 Metron nodes
Followed wiki "Metron Installation on an Ambari-Managed Cluster"
Reporter: Andrew McKinney
Priority: Minor
Querying CNAME records returns nested answers, e.g. fedora.aau.at.
{noformat}
;; ANSWER SECTION:
fedora.aau.at. 239 IN CNAME www-rpm.aau.at.
www-rpm.aau.at. 149 IN A 143.205.180.155
{noformat}
This seems to get past the BasicBroParser, but when it comes to indexing, the bro ES index template expects type ip for the field, not a mix of hostname strings and IPs.
{noformat}
{
"TTLs":[
445.0,
414.0
],
"bro_timestamp":"1.472812583319753E9",
"ip_dst_port":53,
"threatinteljoinbolt:joiner:ts":"1472812589689",
"rejected":false,
"answers":[
"www-rpm.aau.at",
"143.205.180.155"
],
"enrichmentsplitterbolt:splitter:begin:ts":"1472812589689",
"enrichmentjoinbolt:joiner:ts":"1472812589689",
"trans_id":802,
"adapter:geoadapter:begin:ts":"1472812589689",
"uid":"C6jPJB1uNqfcJmUPMd",
"protocol":"dns",
"source:type":"bro",
"adapter:threatinteladapter:end:ts":"1472812589689",
"original_string":"DNS | AA:false TTLs:[445.0,414.0] id.orig_p:47902 rejected:false id.resp_p:53 query:fedora.aau.at answers:[\"www-rpm.aau.at\",\"143.205.180.155\"] trans_id:802 rcode:0 rcode_name:NOERROR TC:false RA:true uid:C6jPJB1uNqfcJmUPMd RD:false proto:udp id.orig_h:10.150.194.160 Z:0 ts:1.472812583319753E9 id.resp_h:10.150.194.5",
"ip_dst_addr":"10.150.194.5",
"adapter:hostfromjsonlistadapter:end:ts":"1472812589689",
"Z":0,
"adapter:geoadapter:end:ts":"1472812589689",
"ip_src_addr":"10.150.194.160",
"threatintelsplitterbolt:splitter:end:ts":"1472812589689",
"timestamp":1472812583319,
"AA":false,
"enrichmentsplitterbolt:splitter:end:ts":"1472812589689",
"query":"fedora.aau.at",
"rcode":0,
"adapter:hostfromjsonlistadapter:begin:ts":"1472812589689",
"rcode_name":"NOERROR",
"TC":false,
"RA":true,
"RD":false,
"ip_src_port":47902,
"proto":"udp",
"threatintelsplitterbolt:splitter:begin:ts":"1472812589689",
"adapter:threatinteladapter:begin:ts":"1472812589689"
}
{noformat}
throws
{noformat}
nested:IllegalArgumentException[
failed to parse ip [
www-rpm.aau.at
],
not a valid ip address
];
{noformat}
from bro_index.template
{noformat}
{
"answers": {
"type": "ip"
},
{noformat}
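As an added illustration (not code from this report or from Metron itself): a Python check that reproduces the mapping conflict described above against the quoted template fragment, plus a hypothetical split of `answers` into addresses and a separate string field `answers_name` as one way an operator could keep CNAME answers indexable; the `answers_name` field name is an assumption.

```python
import ipaddress

# Constructed sample: the Metron-enriched Bro DNS message from the report,
# trimmed to the fields that matter for the mapping conflict.
BRO_DNS_DOC = {
    "protocol": "dns",
    "source:type": "bro",
    "query": "fedora.aau.at",
    "answers": ["www-rpm.aau.at", "143.205.180.155"],
    "TTLs": [445.0, 414.0],
}

# The fragment of bro_index.template quoted in the report.
TEMPLATE_MAPPING = {"answers": {"type": "ip"}}


def is_ip(value):
    """True if value parses as an IPv4/IPv6 address (what an ES `ip` field needs)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def invalid_ip_values(doc, mapping):
    """Return (field, value) pairs an Elasticsearch `ip` mapping would reject.

    Mirrors the index-time check: every scalar or array element of an
    `ip`-typed field must be an address, otherwise the bulk item fails.
    """
    bad = []
    for field, props in mapping.items():
        if props.get("type") != "ip" or field not in doc:
            continue
        values = doc[field] if isinstance(doc[field], list) else [doc[field]]
        bad.extend((field, v) for v in values if not is_ip(v))
    return bad


def split_dns_answers(doc):
    """Hypothetical mitigation (not Metron's own fix): keep only addresses in
    `answers` and move CNAME/hostname answers to a string field `answers_name`,
    so the `ip` mapping is satisfied without losing the CNAME chain."""
    out = dict(doc)
    answers = doc.get("answers", [])
    out["answers"] = [v for v in answers if is_ip(v)]
    names = [v for v in answers if not is_ip(v)]
    if names:
        out["answers_name"] = names
    return out
```

Running `invalid_ip_values` over a batch before the bulk request surfaces the offending value (`www-rpm.aau.at`) instead of a failed bulk item; after `split_dns_answers` the same check returns nothing.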
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)