[
https://issues.apache.org/jira/browse/METRON-984?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16086470#comment-16086470
]
ASF GitHub Bot commented on METRON-984:
---------------------------------------
Github user ottobackwards commented on the issue:
https://github.com/apache/metron/pull/642
Ok @cestella, I used the Stellar management functions:
```bash
[Stellar]>>> bro_parser_config:= CONFIG_GET('PARSER','bro')
[Stellar]>>> PARSER_STELLAR_TRANSFORM_PRINT( bro_parser_config )
╔═══════╤════════════════╗
║ Field │ Transformation ║
╠═══════╧════════════════╣
║ (empty) ║
╚════════════════════════╝
[Stellar]>>> original_string:='foo'
[Stellar]>>> encoded_original:=ENCODE(original_string,'BASE64')
[Stellar]>>> SHELL_LIST_VARS(40)
╔═══════════════════╤═══════════════════════════════════════════════════════════════════╤══════════════════════════════════╗
║ VARIABLE          │ VALUE                                                               │ EXPRESSION                       ║
╠═══════════════════╪═══════════════════════════════════════════════════════════════════╪══════════════════════════════════╣
║ encoded_original  │ Zm9v                                                                │ ENCODE(original_string,'BASE64') ║
╟───────────────────┼───────────────────────────────────────────────────────────────────┼──────────────────────────────────╢
║ original_string   │ foo                                                                 │ 'foo'                            ║
╟───────────────────┼───────────────────────────────────────────────────────────────────┼──────────────────────────────────╢
║ bro_parser_config │ {                                                                   │ CONFIG_GET('PARSER','bro')       ║
║                   │ "parserClassName":"org.apache.metron.parsers.bro.BasicBroParser",   │                                  ║
║                   │ "sensorTopic":"bro",                                                │                                  ║
║                   │ "parserConfig":                                                     │                                  ║
║                   │ {}                                                                  │                                  ║
║                   │ }                                                                   │                                  ║
╚═══════════════════╧═══════════════════════════════════════════════════════════════════╧══════════════════════════════════╝
[Stellar]>>> bro_parser_config_new:= PARSER_STELLAR_TRANSFORM_ADD( bro_parser_config , SHELL_VARS2MAP( 'encoded_original' ) )
[Stellar]>>> PARSER_STELLAR_TRANSFORM_PRINT( bro_parser_config_new )
╔══════════════════╤══════════════════════════════════╗
║ Field │ Transformation ║
╠══════════════════╪══════════════════════════════════╣
║ encoded_original │ ENCODE(original_string,'BASE64') ║
╚══════════════════╧══════════════════════════════════╝
[Stellar]>>> CONFIG_PUT('PARSER', bro_parser_config_new , 'bro' )
[Stellar]>>> PARSER_STELLAR_TRANSFORM_PRINT( CONFIG_GET('PARSER', 'bro' ))
╔══════════════════╤══════════════════════════════════╗
║ Field │ Transformation ║
╠══════════════════╪══════════════════════════════════╣
║ encoded_original │ ENCODE(original_string,'BASE64') ║
╚══════════════════╧══════════════════════════════════╝
[Stellar]>>>
```
and in Kibana observed:
<img width="1144" alt="screen shot 2017-07-13 at 17 53 58"
src="https://user-images.githubusercontent.com/1111551/28189544-5bbd7914-67f4-11e7-953c-5dc08fe92c7d.png">
> Create STELLAR Decoding Functions
> ---------------------------------
>
> Key: METRON-984
> URL: https://issues.apache.org/jira/browse/METRON-984
> Project: Metron
> Issue Type: Improvement
> Reporter: Jon Zeolla
> Assignee: Otto Fowler
>
> It is rather commonplace for malicious actors to obfuscate exploits or data
> transfers using encoding. In order to identify and prioritize responses to
> (or automatically mitigate) those attacks during threat triage we should have
> a method for decoding in Stellar. Some initial thoughts would be to handle
> percent/URL encoding, base64, base32, base16/hex, HTML encoding, etc.
> I would expect that something like DECODE(something, encoding_type,
> optional_failure_mode) would return the contents of field "something" after
> attempting to decode it via "encoding_type". If decoding fails,
> optional_failure_mode would indicate whether or not to fail the message and
> send it to the error topology, or to simply return the contents of the
> original field "something" (in this example).
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
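The `DECODE(something, encoding_type, optional_failure_mode)` shape proposed in the issue description above, worked through as an added example; this is not code from the ticket, the pull request or Apache Metron, and it uses only the Python standard library rather than Stellar's Java function API. The names `decode_field`, `decode_chain`, `FailureMode` and `DecodeError`, the encoding-type strings, and the sample inputs are assumptions made for the illustration. It goes one step beyond the issue text by adding `decode_chain`, which peels layered obfuscation (for instance a base64 payload that was then URL-encoded), since that is the case a triage rule most often meets.

```python
"""Added example, not Metron or Stellar code: a stand-alone model of the
DECODE(something, encoding_type, optional_failure_mode) behaviour proposed
in METRON-984, built on the Python standard library.

The names here (decode_field, decode_chain, FailureMode, DecodeError) and
the encoding-type strings are assumptions for the illustration, not
Stellar's API.
"""
import base64
import binascii
import html
import urllib.parse
from enum import Enum


class FailureMode(Enum):
    # Raise, so the caller can fail the message and route it to the error topology.
    FAIL_MESSAGE = "FAIL_MESSAGE"
    # Hand the field back untouched, the alternative the issue describes.
    RETURN_ORIGINAL = "RETURN_ORIGINAL"


class DecodeError(ValueError):
    """The value could not be decoded with the requested encoding."""


def _base64(value: str) -> str:
    # validate=True rejects characters outside the base64 alphabet instead of
    # silently discarding them; bad padding raises binascii.Error.
    return base64.b64decode(value, validate=True).decode("utf-8")


def _base32(value: str) -> str:
    return base64.b32decode(value).decode("utf-8")


def _hex(value: str) -> str:
    return bytes.fromhex(value).decode("utf-8")


def _url(value: str) -> str:
    # errors="strict" makes an invalid percent-encoded byte sequence fail
    # rather than turn into U+FFFD replacement characters.
    return urllib.parse.unquote(value, errors="strict")


def _html(value: str) -> str:
    return html.unescape(value)


# Encoding names are assumed; BASE16 is accepted as an alias of HEX.
DECODERS = {
    "BASE64": _base64,
    "BASE32": _base32,
    "HEX": _hex,
    "BASE16": _hex,
    "URL": _url,
    "HTML": _html,
}


def decode_field(value, encoding_type, failure_mode=FailureMode.FAIL_MESSAGE):
    """Decode `value` as `encoding_type`. On failure either raise DecodeError
    (FAIL_MESSAGE) or return the original value unchanged (RETURN_ORIGINAL)."""
    if value is None:
        return None
    decoder = DECODERS.get(encoding_type.upper())
    if decoder is None:
        # An unknown encoding is a configuration error, never silently ignored.
        raise DecodeError(f"unknown encoding_type {encoding_type!r}")
    try:
        return decoder(value)
    except (binascii.Error, UnicodeDecodeError, ValueError) as exc:
        if failure_mode is FailureMode.RETURN_ORIGINAL:
            return value
        raise DecodeError(f"cannot decode {value!r} as {encoding_type}: {exc}") from exc


def decode_chain(value, encoding_types, failure_mode=FailureMode.FAIL_MESSAGE):
    """Peel layered obfuscation by applying the decoders in the order given,
    e.g. ["URL", "BASE64"] for a base64 payload that was then URL-encoded."""
    for encoding_type in encoding_types:
        value = decode_field(value, encoding_type, failure_mode)
    return value


if __name__ == "__main__":
    # Constructed sample: a command obfuscated as base64 and then URL-encoded.
    obfuscated = "dW5hbWUgLWE%3D"
    print(decode_chain(obfuscated, ["URL", "BASE64"]))
    # A value that is not base64 at all is kept as-is under RETURN_ORIGINAL.
    print(decode_field("not base64!", "BASE64", FailureMode.RETURN_ORIGINAL))
```

The strictness settings are the point of the failure mode: `validate=True` and `errors="strict"` turn a value that merely looks encoded into a hard failure, so a rule can choose between failing the message out to the error topology and leaving the field as it was, instead of enriching a message with a silently mangled string.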