[
https://issues.apache.org/jira/browse/METRON-1289?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16253938#comment-16253938
]
ASF GitHub Bot commented on METRON-1289:
----------------------------------------
Github user justinleet commented on the issue:
https://github.com/apache/metron/pull/824
## Changing Metaalert status
### Find two alerts
```
/api/v1/search/search
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "fields": [
    "guid"
  ],
  "from": 0,
  "indices": [
    "snort"
  ],
  "query": "ip_dst_addr:192.168.66.121",
  "size": 2
}' 'http://node1:8082/api/v1/search/search'
```
Results in two guids:
```
8b8314d4-277b-44dc-a75b-04b0cdcedb40
4ac26cf7-ab93-4940-9a0e-8e7f4d67736d
```
### Create a metaalert with the alerts
```
/api/v1/metaalert/create
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "alerts": [
    {
      "guid": "8b8314d4-277b-44dc-a75b-04b0cdcedb40",
      "index": "snort_index_2017.11.15.17",
      "sensorType": "snort"
    },
    {
      "guid": "4ac26cf7-ab93-4940-9a0e-8e7f4d67736d",
      "index": "snort_index_2017.11.15.17",
      "sensorType": "snort"
    }
  ],
  "groups": [
    "test"
  ]
}' 'http://node1:8082/api/v1/metaalert/create'
```
Make sure to get the resulting guid from the response.
```
da60ccc9-9e79-45c5-be07-0a322c8791f0
```
### Retrieve the meta alert and ensure it contains the provided alerts
```
/api/v1/search/findOne
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "guid": "da60ccc9-9e79-45c5-be07-0a322c8791f0",
  "index": "metaalert_index",
  "sensorType": "metaalert"
}' 'http://node1:8082/api/v1/search/findOne'
```
### Change the meta alert status to active
This makes sure nothing happens when we set active status to the same
active status.
```
/api/v1/metaalert/update/status/{guid}/{status}
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' \
  'http://node1:8082/api/v1/metaalert/update/status/da60ccc9-9e79-45c5-be07-0a322c8791f0/active'
```
It should return false, as no status has changed.
### Retrieve the metaalert and ensure it is still active
Look for the 'status' field.
```
/api/v1/search/findOne
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "guid": "da60ccc9-9e79-45c5-be07-0a322c8791f0",
  "index": "metaalert_index",
  "sensorType": "metaalert"
}' 'http://node1:8082/api/v1/search/findOne'
```
### Retrieve the child alerts
Ensure both alerts have the 'metaalerts' field populated with the parent
meta alert.
```
/api/v1/search/findOne
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "guid": "8b8314d4-277b-44dc-a75b-04b0cdcedb40",
  "sensorType": "snort"
}' 'http://node1:8082/api/v1/search/findOne'
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "guid": "4ac26cf7-ab93-4940-9a0e-8e7f4d67736d",
  "sensorType": "snort"
}' 'http://node1:8082/api/v1/search/findOne'
```
### Change the meta alert status to inactive
Look for the 'status' field. Running this once will set it to 'inactive'.
Subsequent runs have no effect ('inactive' -> 'inactive' does nothing).
```
/api/v1/metaalert/update/status/{guid}/{status}
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' \
  'http://node1:8082/api/v1/metaalert/update/status/da60ccc9-9e79-45c5-be07-0a322c8791f0/inactive'
```
It should return true, because the status has changed.
### Retrieve the metaalert and ensure it is inactive
```
/api/v1/search/findOne
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "guid": "da60ccc9-9e79-45c5-be07-0a322c8791f0",
  "index": "metaalert_index",
  "sensorType": "metaalert"
}' 'http://node1:8082/api/v1/search/findOne'
```
### Retrieve the child alerts
Ensure neither alert has the 'metaalerts' field populated with the parent
meta alert.
```
/api/v1/search/findOne
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "guid": "8b8314d4-277b-44dc-a75b-04b0cdcedb40",
  "sensorType": "snort"
}' 'http://node1:8082/api/v1/search/findOne'
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "guid": "4ac26cf7-ab93-4940-9a0e-8e7f4d67736d",
  "sensorType": "snort"
}' 'http://node1:8082/api/v1/search/findOne'
```
### Change status back to active
```
/api/v1/metaalert/update/status/{guid}/{status}
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' \
  'http://node1:8082/api/v1/metaalert/update/status/da60ccc9-9e79-45c5-be07-0a322c8791f0/active'
```
It should return false, as no status has changed.
### Retrieve the metaalert and ensure it is active again
Look for the 'status' field.
```
/api/v1/search/findOne
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "guid": "da60ccc9-9e79-45c5-be07-0a322c8791f0",
  "index": "metaalert_index",
  "sensorType": "metaalert"
}' 'http://node1:8082/api/v1/search/findOne'
```
### Retrieve the child alerts
Ensure both alerts have the 'metaalerts' field populated with the parent
meta alert.
```
/api/v1/search/findOne
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "guid": "8b8314d4-277b-44dc-a75b-04b0cdcedb40",
  "sensorType": "snort"
}' 'http://node1:8082/api/v1/search/findOne'
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "guid": "4ac26cf7-ab93-4940-9a0e-8e7f4d67736d",
  "sensorType": "snort"
}' 'http://node1:8082/api/v1/search/findOne'
```
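The manual procedure above can be scripted so that every step is checked rather than eyeballed, and so that the regression METRON-1289 describes (child alerts reduced to only the `metaalerts` field) is caught explicitly, which the manual steps never verify. The following is an added example, not code from the pull request or the Metron project. It uses the three endpoints and request shapes shown in the comment; the response shapes (a `guid` in the create response, a `status` field on the metaalert document, a boolean from the status update) are assumptions. `FakeMetron` is a constructed in-memory stand-in so the script runs offline; `http_poster` targets a live REST API with the same call signature. The expectation that the final `inactive` -> `active` update returns `true` follows the rule the comment states for the `inactive` step (true when the status actually changes) and is likewise an assumption of this example.

```python
import json
import urllib.request
from typing import Any, Callable, Dict, List, Tuple

# A poster POSTs JSON to a Metron REST path and returns the decoded response.
Post = Callable[[str, Any], Any]


def http_poster(base_url: str) -> Post:
    """Poster for a live API, e.g. http_poster("http://node1:8082").
    Assumes JSON responses; add whatever authentication your deployment needs."""
    def post(path: str, body: Any = None) -> Any:
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(
            base_url + path, data=data, method="POST",
            headers={"Content-Type": "application/json", "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read().decode())
    return post


def sample_alerts() -> Dict[str, dict]:
    """Constructed sample child alerts; field values are invented for this example."""
    a, b = "8b8314d4-277b-44dc-a75b-04b0cdcedb40", "4ac26cf7-ab93-4940-9a0e-8e7f4d67736d"
    return {a: {"guid": a, "source.type": "snort", "ip_dst_addr": "192.168.66.121",
                "ip_src_addr": "10.0.2.3", "sig_id": "100"},
            b: {"guid": b, "source.type": "snort", "ip_dst_addr": "192.168.66.121",
                "ip_src_addr": "10.0.2.7", "sig_id": "101"}}


class FakeMetron:
    """Constructed in-memory stand-in for the three endpoints the procedure uses.
    lose_fields=True reproduces the METRON-1289 symptom (children keep only 'metaalerts')."""

    def __init__(self, alerts: Dict[str, dict], lose_fields: bool = False):
        self.docs = {g: dict(a) for g, a in alerts.items()}
        self.metas: Dict[str, dict] = {}
        self.lose_fields = lose_fields

    def post(self, path: str, body: Any = None) -> Any:
        if path == "/api/v1/search/findOne":
            store = self.docs if body["guid"] in self.docs else self.metas
            return dict(store[body["guid"]])
        if path == "/api/v1/metaalert/create":
            guid = "meta-%d" % (len(self.metas) + 1)
            children = [a["guid"] for a in body["alerts"]]
            self.metas[guid] = {"guid": guid, "status": "active",
                                "groups": body["groups"], "alert": children}
            self._link(guid, children, True)
            return dict(self.metas[guid])
        if path.startswith("/api/v1/metaalert/update/status/"):
            guid, status = path.rsplit("/", 2)[1:]
            meta = self.metas[guid]
            if meta["status"] == status:
                return False            # same status: nothing changed
            meta["status"] = status
            self._link(guid, meta["alert"], status == "active")
            return True
        raise ValueError("unexpected path " + path)

    def _link(self, guid: str, children: List[str], active: bool) -> None:
        for child in children:
            if self.lose_fields:        # the bug: every other field of the child vanishes
                self.docs[child] = {}
            doc = self.docs[child]
            parents = [p for p in doc.get("metaalerts", []) if p != guid]
            if active:
                parents.append(guid)
            if parents:
                doc["metaalerts"] = parents
            else:
                doc.pop("metaalerts", None)


def check_children(post: Post, children: Dict[str, dict], meta_guid: str,
                   linked: bool) -> List[str]:
    """Each child must keep all original fields, and 'metaalerts' must name the
    parent exactly when linked is True. Returns problems; empty means pass."""
    problems = []
    for guid, original in children.items():
        doc = post("/api/v1/search/findOne", {"guid": guid, "sensorType": original["source.type"]})
        lost = sorted(k for k, v in original.items() if doc.get(k) != v)
        if lost:
            problems.append("%s lost fields %s" % (guid, lost))
        if (meta_guid in doc.get("metaalerts", [])) != linked:
            problems.append("%s metaalerts=%r, expected linked=%s" % (guid, doc.get("metaalerts"), linked))
    return problems


def run_status_cycle(post: Post, children: Dict[str, dict],
                     index: str = "snort_index_2017.11.15.17") -> Tuple[List[bool], List[str]]:
    """Create the metaalert, then set active (no-op), inactive, active again,
    verifying the metaalert status and the children after every step.
    Returns (return values of the three status updates, problems)."""
    body = {"alerts": [{"guid": g, "index": index, "sensorType": a["source.type"]}
                       for g, a in children.items()], "groups": ["test"]}
    meta_guid = post("/api/v1/metaalert/create", body)["guid"]
    results: List[bool] = []
    problems = check_children(post, children, meta_guid, True)
    # (status to set, expected update return, children linked afterwards)
    for status, expect_changed, linked in [("active", False, True),
                                           ("inactive", True, False), ("active", True, True)]:
        changed = post("/api/v1/metaalert/update/status/%s/%s" % (meta_guid, status))
        results.append(changed)
        if changed != expect_changed:
            problems.append("update to %s returned %r, expected %r" % (status, changed, expect_changed))
        meta = post("/api/v1/search/findOne",
                    {"guid": meta_guid, "index": "metaalert_index", "sensorType": "metaalert"})
        if meta.get("status") != status:
            problems.append("metaalert status %r after update to %s" % (meta.get("status"), status))
        problems += check_children(post, children, meta_guid, linked)
    return results, problems
```

Against a live cluster, replace the fake with `http_poster("http://node1:8082")` and pass the child documents as returned by `findOne` before the metaalert exists; `check_children` then compares every original field, so a build with the METRON-1289 behaviour fails the first check immediately instead of passing the manual "metaalerts field is populated" inspection.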
> Alert fields are lost when a MetaAlert is created
> -------------------------------------------------
>
> Key: METRON-1289
> URL: https://issues.apache.org/jira/browse/METRON-1289
> Project: Metron
> Issue Type: Bug
> Reporter: Ryan Merriman
> Assignee: Ryan Merriman
>
> When a MetaAlert is created, the included results are being updated
> incorrectly with only the "metaalert" field. This causes subsequent findOne
> operations to only return the "metaalert" field for that alert. All fields
> should continue to be present.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)