Github user justinleet commented on the issue:
https://github.com/apache/metron/pull/970
I have run the following set of manual tests against the REST UI.
Do the following to set up Solr after ssh'ing into full dev:
```
sudo su -
export METRON_HOME=/usr/metron/0.4.3/
cd ${METRON_HOME}/bin/
./start_solr.sh
./install_solr.sh
# one collection per sensor type, plus error and metaalert
./create_collection.sh bro
./create_collection.sh yaf
./create_collection.sh snort
./create_collection.sh error
./create_collection.sh metaalert
```
In Ambari:
Indexing -> Random Access Search Engine -> Solr
# Meta Alerts Test
## Adding alerts and adding a preexisting alert
### Find two alerts
```
curl -u user:password -X POST --header 'Content-Type: application/json' \
  --header 'Accept: application/json' -d '{
  "fields": [
    "guid"
  ],
  "from": 0,
  "indices": [
    "snort"
  ],
  "query": "ip_dst_addr:192.168.66.121",
  "size": 2
}' 'http://node1:8082/api/v1/search/search'
```
Results in two guids:
```
{"total":256,"results":[{"id":"e4e35dff-b160-4c21-bb48-251ff873d7c6","source":{"guid":"e4e35dff-b160-4c21-bb48-251ff873d7c6"},"score":0.0,"index":null},{"id":"5dde3195-4076-4dea-89b6-c65c88b1357e","source":{"guid":"5dde3195-4076-4dea-89b6-c65c88b1357e"},"score":0.0,"index":null}],"facetCounts":null}
```
```
e4e35dff-b160-4c21-bb48-251ff873d7c6
5dde3195-4076-4dea-89b6-c65c88b1357e
```
### Create a metaalert with only one of the alerts
```
curl -u user:password -X POST --header 'Content-Type: application/json' \
  --header 'Accept: application/json' -d '{
  "alerts": [
    {
      "guid": "e4e35dff-b160-4c21-bb48-251ff873d7c6",
      "index": "snort",
      "sensorType": "snort"
    }
  ],
  "groups": [
    "test"
  ]
}' 'http://node1:8082/api/v1/metaalert/create'
```
Make sure to get the resulting guid from the response.
```
15354a7e-0a17-4b1d-b64e-25bc465b27a9
```
### Retrieve the meta alert and ensure it contains the provided alert
```
curl -u user:password -X POST --header 'Content-Type: application/json' \
  --header 'Accept: application/json' -d '{
  "guid": "15354a7e-0a17-4b1d-b64e-25bc465b27a9",
  "index": "metaalert",
  "sensorType": "metaalert"
}' 'http://node1:8082/api/v1/search/findOne'
```
### Retrieve the child alert and ensure the 'metaalerts' field contains the GUID of the new metaalert
```
curl -u user:password -X POST --header 'Content-Type: application/json' \
  --header 'Accept: application/json' -d '{
  "guid": "e4e35dff-b160-4c21-bb48-251ff873d7c6",
  "sensorType": "snort"
}' 'http://node1:8082/api/v1/search/findOne'
```
### Add the same alert to the meta alert
```
curl -u user:password -X POST --header 'Content-Type: application/json' \
  --header 'Accept: application/json' -d '{
  "alerts": [
    {
      "guid": "e4e35dff-b160-4c21-bb48-251ff873d7c6",
      "index": "snort",
      "sensorType": "snort"
    }
  ],
  "metaAlertGuid": "15354a7e-0a17-4b1d-b64e-25bc465b27a9"
}' 'http://node1:8082/api/v1/metaalert/add/alert'
```
It should return "false" as no alerts have been added. The meta alert
should be retrieved again to validate.
### Run the add alert again but with the second alert
```
curl -u user:password -X POST --header 'Content-Type: application/json' \
  --header 'Accept: application/json' -d '{
  "alerts": [
    {
      "guid": "e4e35dff-b160-4c21-bb48-251ff873d7c6",
      "index": "snort_index_2017.11.15.17",
      "sensorType": "snort"
    },
    {
      "guid": "5dde3195-4076-4dea-89b6-c65c88b1357e",
      "index": "snort_index_2017.11.15.17",
      "sensorType": "snort"
    }
  ],
  "metaAlertGuid": "15354a7e-0a17-4b1d-b64e-25bc465b27a9"
}' 'http://node1:8082/api/v1/metaalert/add/alert'
```
It should return true, because the second alert will be added. The meta
alert should be retrieved again to validate.
### Retrieve the child alerts
Ensure they have the 'metaalerts' field populated with their parent.
```
curl -u user:password -X POST --header 'Content-Type: application/json' \
  --header 'Accept: application/json' -d '{
  "guid": "e4e35dff-b160-4c21-bb48-251ff873d7c6",
  "sensorType": "snort"
}' 'http://node1:8082/api/v1/search/findOne'
curl -u user:password -X POST --header 'Content-Type: application/json' \
  --header 'Accept: application/json' -d '{
  "guid": "5dde3195-4076-4dea-89b6-c65c88b1357e",
  "sensorType": "snort"
}' 'http://node1:8082/api/v1/search/findOne'
```
## Removing alerts and removing an already removed alert
### Find two alerts
```
curl -u user:password -X POST --header 'Content-Type: application/json' \
  --header 'Accept: application/json' -d '{
  "fields": [
    "guid"
  ],
  "from": 0,
  "indices": [
    "snort"
  ],
  "query": "ip_dst_addr:192.168.66.121",
  "size": 2
}' 'http://node1:8082/api/v1/search/search'
```
Results in two guids:
```
e4e35dff-b160-4c21-bb48-251ff873d7c6
5dde3195-4076-4dea-89b6-c65c88b1357e
```
### Create a metaalert with the alerts
```
curl -u user:password -X POST --header 'Content-Type: application/json' \
  --header 'Accept: application/json' -d '{
  "alerts": [
    {
      "guid": "e4e35dff-b160-4c21-bb48-251ff873d7c6",
      "index": "snort",
      "sensorType": "snort"
    },
    {
      "guid": "5dde3195-4076-4dea-89b6-c65c88b1357e",
      "index": "snort",
      "sensorType": "snort"
    }
  ],
  "groups": [
    "test"
  ]
}' 'http://node1:8082/api/v1/metaalert/create'
```
Make sure to get the resulting guid from the response.
```
15354a7e-0a17-4b1d-b64e-25bc465b27a9
```
### Retrieve the meta alert and ensure it contains the provided alerts
```
curl -u user:password -X POST --header 'Content-Type: application/json' \
  --header 'Accept: application/json' -d '{
  "guid": "15354a7e-0a17-4b1d-b64e-25bc465b27a9",
  "index": "metaalert",
  "sensorType": "metaalert"
}' 'http://node1:8082/api/v1/search/findOne'
```
### Remove one of the alerts
```
curl -u user:password -X POST --header 'Content-Type: application/json' \
  --header 'Accept: application/json' -d '{
  "alerts": [
    {
      "guid": "e4e35dff-b160-4c21-bb48-251ff873d7c6",
      "index": "snort",
      "sensorType": "snort"
    }
  ],
  "metaAlertGuid": "15354a7e-0a17-4b1d-b64e-25bc465b27a9"
}' 'http://node1:8082/api/v1/metaalert/remove/alert'
```
### Retrieve the meta alert again, and ensure it only contains the second alert
```
curl -u user:password -X POST --header 'Content-Type: application/json' \
  --header 'Accept: application/json' -d '{
  "guid": "15354a7e-0a17-4b1d-b64e-25bc465b27a9",
  "index": "metaalert_index",
  "sensorType": "metaalert"
}' 'http://node1:8082/api/v1/search/findOne'
```
### Rerun the delete
```
curl -u user:password -X POST --header 'Content-Type: application/json' \
  --header 'Accept: application/json' -d '{
  "alerts": [
    {
      "guid": "e4e35dff-b160-4c21-bb48-251ff873d7c6",
      "index": "snort",
      "sensorType": "snort"
    }
  ],
  "metaAlertGuid": "15354a7e-0a17-4b1d-b64e-25bc465b27a9"
}' 'http://node1:8082/api/v1/metaalert/remove/alert'
```
### Retrieve the meta alert again, and ensure it still only contains the second alert
```
curl -u user:password -X POST --header 'Content-Type: application/json' \
  --header 'Accept: application/json' -d '{
  "guid": "15354a7e-0a17-4b1d-b64e-25bc465b27a9",
  "index": "metaalert_index",
  "sensorType": "metaalert"
}' 'http://node1:8082/api/v1/search/findOne'
```
### Retrieve the child alerts
Ensure only the second alert has the 'metaalerts' field populated with the parent meta alert.
```
curl -u user:password -X POST --header 'Content-Type: application/json' \
  --header 'Accept: application/json' -d '{
  "guid": "e4e35dff-b160-4c21-bb48-251ff873d7c6",
  "sensorType": "snort"
}' 'http://node1:8082/api/v1/search/findOne'
curl -u user:password -X POST --header 'Content-Type: application/json' \
  --header 'Accept: application/json' -d '{
  "guid": "5dde3195-4076-4dea-89b6-c65c88b1357e",
  "sensorType": "snort"
}' 'http://node1:8082/api/v1/search/findOne'
```
## Changing Metaalert status
### Find two alerts
```
curl -u user:password -X POST --header 'Content-Type: application/json' \
  --header 'Accept: application/json' -d '{
  "fields": [
    "guid"
  ],
  "from": 0,
  "indices": [
    "snort"
  ],
  "query": "ip_dst_addr:192.168.66.121",
  "size": 2
}' 'http://node1:8082/api/v1/search/search'
```
Results in two guids:
```
e4e35dff-b160-4c21-bb48-251ff873d7c6
5dde3195-4076-4dea-89b6-c65c88b1357e
```
### Create a metaalert with the alerts
```
curl -u user:password -X POST --header 'Content-Type: application/json' \
  --header 'Accept: application/json' -d '{
  "alerts": [
    {
      "guid": "8b8314d4-277b-44dc-a75b-04b0cdcedb40",
      "index": "snort",
      "sensorType": "snort"
    },
    {
      "guid": "4ac26cf7-ab93-4940-9a0e-8e7f4d67736d",
      "index": "snort",
      "sensorType": "snort"
    }
  ],
  "groups": [
    "test"
  ]
}' 'http://node1:8082/api/v1/metaalert/create'
```
Make sure to get the resulting guid from the response.
```
15354a7e-0a17-4b1d-b64e-25bc465b27a9
```
### Retrieve the meta alert and ensure it contains the provided alerts
```
curl -u user:password -X POST --header 'Content-Type: application/json' \
  --header 'Accept: application/json' -d '{
  "guid": "15354a7e-0a17-4b1d-b64e-25bc465b27a9",
  "index": "metaalert",
  "sensorType": "metaalert"
}' 'http://node1:8082/api/v1/search/findOne'
```
### Change the meta alert status to active
This makes sure nothing happens when we set the active status to the same active status.
```
curl -u user:password -X POST --header 'Content-Type: application/json' \
  --header 'Accept: application/json' \
  'http://node1:8082/api/v1/metaalert/update/status/15354a7e-0a17-4b1d-b64e-25bc465b27a9/active'
```
It should return false, as no status has changed.
### Retrieve the metaalert and ensure it is still active
Look for the 'status' field.
```
curl -u user:password -X POST --header 'Content-Type: application/json' \
  --header 'Accept: application/json' -d '{
  "guid": "15354a7e-0a17-4b1d-b64e-25bc465b27a9",
  "index": "metaalert",
  "sensorType": "metaalert"
}' 'http://node1:8082/api/v1/search/findOne'
```
### Retrieve the child alerts
Ensure both alerts have the 'metaalerts' field populated with the parent
meta alert.
```
curl -u user:password -X POST --header 'Content-Type: application/json' \
  --header 'Accept: application/json' -d '{
  "guid": "e4e35dff-b160-4c21-bb48-251ff873d7c6",
  "sensorType": "snort"
}' 'http://node1:8082/api/v1/search/findOne'
curl -u user:password -X POST --header 'Content-Type: application/json' \
  --header 'Accept: application/json' -d '{
  "guid": "5dde3195-4076-4dea-89b6-c65c88b1357e",
  "sensorType": "snort"
}' 'http://node1:8082/api/v1/search/findOne'
```
### Change the meta alert status to inactive
Look for the 'status' field. Running this once will set it to 'inactive'.
Subsequent runs have no effect ('inactive' -> 'inactive' does nothing).
```
curl -u user:password -X POST --header 'Content-Type: application/json' \
  --header 'Accept: application/json' \
  'http://node1:8082/api/v1/metaalert/update/status/15354a7e-0a17-4b1d-b64e-25bc465b27a9/inactive'
```
It should return true, because the status has changed.
### Retrieve the metaalert and ensure it is inactive
```
curl -u user:password -X POST --header 'Content-Type: application/json' \
  --header 'Accept: application/json' -d '{
  "guid": "15354a7e-0a17-4b1d-b64e-25bc465b27a9",
  "index": "metaalert",
  "sensorType": "metaalert"
}' 'http://node1:8082/api/v1/search/findOne'
```
### Retrieve the child alerts
Ensure neither alert has the 'metaalerts' field populated with the parent
meta alert.
```
curl -u user:password -X POST --header 'Content-Type: application/json' \
  --header 'Accept: application/json' -d '{
  "guid": "e4e35dff-b160-4c21-bb48-251ff873d7c6",
  "sensorType": "snort"
}' 'http://node1:8082/api/v1/search/findOne'
curl -u user:password -X POST --header 'Content-Type: application/json' \
  --header 'Accept: application/json' -d '{
  "guid": "5dde3195-4076-4dea-89b6-c65c88b1357e",
  "sensorType": "snort"
}' 'http://node1:8082/api/v1/search/findOne'
```
### Change status back to active
```
curl -u user:password -X POST --header 'Content-Type: application/json' \
  --header 'Accept: application/json' \
  'http://node1:8082/api/v1/metaalert/update/status/15354a7e-0a17-4b1d-b64e-25bc465b27a9/active'
```
It should return true, as the status has changed.
### Retrieve the metaalert and ensure it is active again
Look for the 'status' field.
```
curl -u user:password -X POST --header 'Content-Type: application/json' \
  --header 'Accept: application/json' -d '{
  "guid": "15354a7e-0a17-4b1d-b64e-25bc465b27a9",
  "index": "metaalert",
  "sensorType": "metaalert"
}' 'http://node1:8082/api/v1/search/findOne'
```
### Retrieve the child alerts
Ensure both alerts have the 'metaalerts' field populated with the parent
meta alert.
```
curl -u user:password -X POST --header 'Content-Type: application/json' \
  --header 'Accept: application/json' -d '{
  "guid": "e4e35dff-b160-4c21-bb48-251ff873d7c6",
  "sensorType": "snort"
}' 'http://node1:8082/api/v1/search/findOne'
curl -u user:password -X POST --header 'Content-Type: application/json' \
  --header 'Accept: application/json' -d '{
  "guid": "5dde3195-4076-4dea-89b6-c65c88b1357e",
  "sensorType": "snort"
}' 'http://node1:8082/api/v1/search/findOne'
```
## Create meta alert with more than 10 alerts
### Find more than 10 alerts
```
curl -u user:password -X POST --header 'Content-Type: application/json' \
  --header 'Accept: application/json' -d '{
  "fields": [
    "guid"
  ],
  "from": 0,
  "indices": [
    "snort"
  ],
  "query": "ip_dst_addr:192.168.66.121",
  "size": 11
}' 'http://node1:8082/api/v1/search/search'
```
Note the alerts that come back:
```
02468e00-3183-413d-85f0-959f77279f10
e9ef65d4-f896-42bf-b4a1-c30785e9124b
c4c114f1-f7c2-48ef-87a3-3a843baf6e4c
d6cd9342-5638-4e5a-8ab6-1cc0a982455f
882ce84d-770e-432a-8999-cc3f4a9cc08e
20fc092e-e48a-4468-a581-fee1903da66a
ac611b4f-0271-4cb2-b8d4-a64d2221929b
80002446-2cb8-4998-85d3-653a79fc0f6f
9ccf7a96-2340-4dac-9d5d-e983f4a35c38
6decf7bd-f5fc-4e03-9560-819d64048cff
7b099a2c-0740-4d02-a567-bcb8e00b8e31
```
### Create a metaalert with the alerts
```
curl -u user:password -X POST --header 'Content-Type: application/json' \
  --header 'Accept: application/json' -d '{
  "alerts": [
    {
      "guid": "02468e00-3183-413d-85f0-959f77279f10",
      "index": "snort",
      "sensorType": "snort"
    },
    {
      "guid": "e9ef65d4-f896-42bf-b4a1-c30785e9124b",
      "index": "snort",
      "sensorType": "snort"
    },
    {
      "guid": "c4c114f1-f7c2-48ef-87a3-3a843baf6e4c",
      "index": "snort",
      "sensorType": "snort"
    },
    {
      "guid": "d6cd9342-5638-4e5a-8ab6-1cc0a982455f",
      "index": "snort",
      "sensorType": "snort"
    },
    {
      "guid": "882ce84d-770e-432a-8999-cc3f4a9cc08e",
      "index": "snort",
      "sensorType": "snort"
    },
    {
      "guid": "20fc092e-e48a-4468-a581-fee1903da66a",
      "index": "snort",
      "sensorType": "snort"
    },
    {
      "guid": "ac611b4f-0271-4cb2-b8d4-a64d2221929b",
      "index": "snort",
      "sensorType": "snort"
    },
    {
      "guid": "80002446-2cb8-4998-85d3-653a79fc0f6f",
      "index": "snort",
      "sensorType": "snort"
    },
    {
      "guid": "9ccf7a96-2340-4dac-9d5d-e983f4a35c38",
      "index": "snort",
      "sensorType": "snort"
    },
    {
      "guid": "6decf7bd-f5fc-4e03-9560-819d64048cff",
      "index": "snort",
      "sensorType": "snort"
    },
    {
      "guid": "7b099a2c-0740-4d02-a567-bcb8e00b8e31",
      "index": "snort",
      "sensorType": "snort"
    }
  ],
  "groups": [
    "test"
  ]
}' 'http://node1:8082/api/v1/metaalert/create'
```
Make sure to get the resulting guid from the response.
```
4c772ffd-8f1d-4528-885e-a528fd085673
```
### Retrieve the meta alert and ensure it contains the provided alerts
```
curl -u user:password -X POST --header 'Content-Type: application/json' \
  --header 'Accept: application/json' -d '{
  "guid": "4c772ffd-8f1d-4528-885e-a528fd085673",
  "index": "metaalert",
  "sensorType": "metaalert"
}' 'http://node1:8082/api/v1/search/findOne'
```
### Retrieve the child alerts
Ensure all alerts have the 'metaalerts' field populated with the parent
meta alert.
```
curl -u user:password -X POST --header 'Content-Type: application/json' \
  --header 'Accept: application/json' -d '{
  "guid": "02468e00-3183-413d-85f0-959f77279f10",
  "sensorType": "snort"
}' 'http://node1:8082/api/v1/search/findOne'
# ... 10 more times, once for each remaining guid
```
## Patch alert and status
Create a metaalert and get the GUID for the following steps.
### Attempt to update status field
```
curl -u user:password -X PATCH --header 'Content-Type: application/json' \
  --header 'Accept: application/json' -d '{
  "guid": "4c772ffd-8f1d-4528-885e-a528fd085673",
  "index": "metaalert",
  "patch": [
    {
      "op": "replace",
      "path": "/status",
      "value": "failure"
    }
  ],
  "sensorType": "metaalert"
}' 'http://node1:8082/api/v1/update/patch'
```
Should return:
```
{
  "responseCode": 500,
  "message": "Meta alert patches are not allowed for /alert or /status paths. Please use the add/remove alert or update status functions instead.",
  "fullMessage": "IllegalArgumentException: Meta alert patches are not allowed for /alert or /status paths. Please use the add/remove alert or update status functions instead."
}
```
### Attempt to update the alert list
```
curl -u user:password -X PATCH --header 'Content-Type: application/json' \
  --header 'Accept: application/json' -d '{
  "guid": "4c772ffd-8f1d-4528-885e-a528fd085673",
  "index": "metaalert",
  "patch": [
    {
      "op": "replace",
      "path": "/alert",
      "value": [
        {
          "alertOne": "test"
        },
        {
          "alertTwo": "test"
        }
      ]
    }
  ],
  "sensorType": "metaalert"
}' 'http://node1:8082/api/v1/update/patch'
```
Should return:
```
{
  "responseCode": 500,
  "message": "Meta alert patches are not allowed for /alert or /status paths. Please use the add/remove alert or update status functions instead.",
  "fullMessage": "IllegalArgumentException: Meta alert patches are not allowed for /alert or /status paths. Please use the add/remove alert or update status functions instead."
}
```
## Patch neither alert and status
Create a metaalert and get the GUID for the following steps.
### Patch in new field
```
curl -u user:password -X PATCH --header 'Content-Type: application/json' \
  --header 'Accept: */*' -d '{
  "guid": "4c772ffd-8f1d-4528-885e-a528fd085673",
  "index": "metaalert",
  "patch": [
    {
      "op": "add",
      "path": "/name",
      "value": "My new meta alert name"
    }
  ],
  "sensorType": "metaalert"
}' 'http://node1:8082/api/v1/update/patch'
```
### Retrieve the meta alert and ensure it contains the new 'name' field
```
curl -u user:password -X POST --header 'Content-Type: application/json' \
  --header 'Accept: application/json' -d '{
  "guid": "4c772ffd-8f1d-4528-885e-a528fd085673",
  "index": "metaalert",
  "sensorType": "metaalert"
}' 'http://node1:8082/api/v1/search/findOne'
```
---
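The contract those manual steps verify (duplicate add and repeated remove return false, a no-op status change returns false, child alerts carry the parent in 'metaalerts' only while it is active, and patches to /alert or /status are refused) as an added in-memory model. This is illustration code, not Metron's own; the field names and error text come from the test plan above, while the class and method names are assumed.

```python
# Added illustration, not Metron's own code: an in-memory model of the meta
# alert contract checked by the manual tests above. Field names ('alert',
# 'metaalerts', 'status') and the patch error text come from the tests; class
# and method names are assumed.
class MetaAlertStore:
    PATCH_REFUSED = ("Meta alert patches are not allowed for /alert or /status "
                     "paths. Please use the add/remove alert or update status "
                     "functions instead.")

    def __init__(self):
        self.alerts = {}      # child guid -> document with a 'metaalerts' list
        self.metaalerts = {}  # meta guid -> {'alert': [...], 'status': ...}
    def index_alert(self, guid, **fields):
        self.alerts[guid] = {"guid": guid, "metaalerts": [], **fields}
    def create(self, meta_guid, child_guids):
        self.metaalerts[meta_guid] = {"guid": meta_guid, "alert": [], "status": "active"}
        self.add_alerts(meta_guid, child_guids)
        return meta_guid
    def _link(self, child, meta_guid, present):
        # Keep or drop the parent reference in the child's 'metaalerts' field.
        others = [m for m in self.alerts[child]["metaalerts"] if m != meta_guid]
        self.alerts[child]["metaalerts"] = others + ([meta_guid] if present else [])
    def add_alerts(self, meta_guid, child_guids):
        """/metaalert/add/alert: True only if at least one alert was new."""
        meta = self.metaalerts[meta_guid]
        new = [g for g in child_guids if g not in meta["alert"]]
        for g in new:
            meta["alert"].append(g)
            self._link(g, meta_guid, meta["status"] == "active")
        return bool(new)
    def remove_alerts(self, meta_guid, child_guids):
        """/metaalert/remove/alert: True only if something was removed."""
        meta = self.metaalerts[meta_guid]
        gone = [g for g in child_guids if g in meta["alert"]]
        for g in gone:
            meta["alert"].remove(g)
            self._link(g, meta_guid, False)
        return bool(gone)
    def update_status(self, meta_guid, status):
        """/metaalert/update/status: False when unchanged; children reference
        the parent only while it is active."""
        meta = self.metaalerts[meta_guid]
        if meta["status"] == status:
            return False
        meta["status"] = status
        for g in meta["alert"]:
            self._link(g, meta_guid, status == "active")
        return True
    def patch(self, meta_guid, ops):
        """/update/patch on a meta alert: /alert and /status are refused."""
        if any(op["path"] in ("/alert", "/status") for op in ops):
            raise ValueError(self.PATCH_REFUSED)
        for op in ops:  # add/replace of any other top-level field
            self.metaalerts[meta_guid][op["path"].lstrip("/")] = op["value"]
        return self.metaalerts[meta_guid]
```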