[ https://issues.apache.org/jira/browse/METRON-93?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15230108#comment-15230108 ]

ASF GitHub Bot commented on METRON-93:
--------------------------------------

Github user dlyle65535 commented on a diff in the pull request:

    https://github.com/apache/incubator-metron/pull/66#discussion_r58855860
  
    --- Diff: deployment/roles/metron_streaming/tasks/main.yml ---
    @@ -109,8 +111,10 @@
         - { regexp: "bolt.hbase.table.name=", line: "bolt.hbase.table.name={{ 
pcap_hbase_table }}" }
         - { regexp: "threat.intel.tracker.table=", line: 
"threat.intel.tracker.table={{ tracker_hbase_table }}" }
         - { regexp: "threat.intel.tracker.cf=", line: 
"threat.intel.tracker.cf=t" }
    -    - { regexp: "threat.intel.ip.table=", line: "threat.intel.ip.table={{ 
threatintel_ip_hbase_table }}" }
    -    - { regexp: "threat.intel.ip.cf=", line: "threat.intel.ip.cf=t" }
    +    - { regexp: "threat.intel.simple.hbase.table=", line: 
"threat.intel.simple.hbase.table={{ threatintel_hbase_table }}" }
    +    - { regexp: "threat.intel.simple.hbase.cf=", line: 
"threat.intel.simple.hbase.cf=t" }
    +    - { regexp: "enrichment.simple.hbase.table=", line: 
"enrichment.simple.hbase.table={{ enrichment_hbase_table }}" }
    +    - { regexp: "enrichment.simple.hbase.cf=", line: 
"enrichment.simple.hbase.cf=t" }
         - { regexp: "mysql.ip=", line: "mysql.ip={{ groups.mysql[0] }}" }
         - { regexp: "mysql.password=", line: "mysql.password={{ 
mysql_root_password }}" }
         - { regexp: "index.hdfs.output=", line: "index.hdfs.output={{ 
metron_hdfs_output_dir }}/enrichment/indexed" }
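    Review bot: the regexp values in this hunk are neither anchored nor escaped, so lineinfile treats every dot in threat.intel.simple.hbase.table= as a wildcard and will match the key anywhere on a line, including a commented-out copy; prefer "^threat\.intel\.simple\.hbase\.table=" and the same form for the other three new keys. Dropping the two threat.intel.ip.* entries also only stops managing those keys: a properties file that already contains threat.intel.ip.table= keeps that stale line next to the new ones, so either add entries with state: absent for the old keys or document that hosts must be re-provisioned. Finally, the column family is hard-coded to t in three places while the table names come from inventory variables; a single variable for the column family would keep the two in step and make it overridable like the tables.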
    --- End diff --
    
    Sorry for the late comment, I just noticed. Outside of being duplicate 
files outside of the name, I think there needs to be a spout.kafka.topic.yaf 
and spout.kafka.topic.snort in the above. Right now it defaults okay, but it 
cannot be overridden.


> Generalize the HBase threat intel infrastructure to support enrichments
> -----------------------------------------------------------------------
>
>                 Key: METRON-93
>                 URL: https://issues.apache.org/jira/browse/METRON-93
>             Project: Metron
>          Issue Type: Improvement
>            Reporter: Casey Stella
>            Assignee: Casey Stella
>   Original Estimate: 504h
>  Remaining Estimate: 504h
>
> As it stands, the threat intel infrastructure is awkward.  Namely, different 
> threat intelligence sources must be pushed into separate hbase tables 
> (malicious_ips separate from malicious_hosts, for instance).  We'd rather 
> have one table where the type is brought into the rowkey.  Since this 
> infrastructure is generalized, also add a simple hbase enrichment adapter.
> Furthermore, the configuration for a new enrichment should be added to 
> zookeeper as part of the data load.
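The issue description asks for one HBase table where the enrichment type is folded into the rowkey instead of one table per source. The following is an added illustration of that key design, written for this page and not taken from Metron's code: the type becomes the key prefix, so a point lookup and a type-bounded range scan both work on a single table. The NUL separator, the in-memory SortedTable stand-in for HBase, and the sample rows are all assumptions constructed for the example.

```python
import bisect
from typing import Dict, Iterator, List, Optional, Tuple

# Assumed separator between type and indicator. The type is validated to be
# free of it, so the first NUL always marks the boundary even if an indicator
# happens to contain one.
SEP = b"\x00"


def build_rowkey(enrichment_type: str, indicator: str) -> bytes:
    """Composite rowkey: <type> NUL <indicator>, both UTF-8 encoded."""
    t = enrichment_type.encode("utf-8")
    if not t or SEP in t:
        raise ValueError("enrichment type must be non-empty and free of NUL")
    return t + SEP + indicator.encode("utf-8")


def parse_rowkey(rowkey: bytes) -> Tuple[str, str]:
    """Inverse of build_rowkey; splits at the first NUL only."""
    t, _, i = rowkey.partition(SEP)
    return t.decode("utf-8"), i.decode("utf-8")


class SortedTable:
    """Minimal stand-in for an HBase table: rows kept sorted by byte key,
    with point get and [start, stop) range scan, as HBase provides."""

    def __init__(self) -> None:
        self._keys: List[bytes] = []
        self._rows: Dict[bytes, dict] = {}

    def put(self, rowkey: bytes, value: dict) -> None:
        if rowkey not in self._rows:
            bisect.insort(self._keys, rowkey)
        self._rows[rowkey] = value

    def get(self, rowkey: bytes) -> Optional[dict]:
        return self._rows.get(rowkey)

    def scan(self, start: bytes, stop: bytes) -> Iterator[Tuple[bytes, dict]]:
        lo = bisect.bisect_left(self._keys, start)
        hi = bisect.bisect_left(self._keys, stop)
        for k in self._keys[lo:hi]:
            yield k, self._rows[k]


def lookup(table: SortedTable, enrichment_type: str, indicator: str) -> Optional[dict]:
    """Point get: what an enrichment or threat-intel bolt does per message."""
    return table.get(build_rowkey(enrichment_type, indicator))


def rows_of_type(table: SortedTable, enrichment_type: str) -> List[Tuple[str, dict]]:
    """Range scan bounded to one type. The stop key replaces the NUL separator
    with 0x01, so keys of a type that merely shares the prefix (e.g.
    malicious_ip_extra) fall outside the range."""
    t = enrichment_type.encode("utf-8")
    return [(parse_rowkey(k)[1], v) for k, v in table.scan(t + SEP, t + b"\x01")]


def load_sample_table() -> SortedTable:
    """Constructed sample data: two former tables and one enrichment, all in
    one table distinguished only by the key prefix."""
    table = SortedTable()
    sample = [
        ("malicious_ip", "10.0.0.5", {"source": "feed-a"}),
        ("malicious_ip", "192.168.1.9", {"source": "feed-b"}),
        ("malicious_host", "bad.example", {"source": "feed-a"}),
        ("whois", "example.org", {"registrar": "constructed"}),
    ]
    for t, i, v in sample:
        table.put(build_rowkey(t, i), v)
    return table


if __name__ == "__main__":
    tbl = load_sample_table()
    print(lookup(tbl, "malicious_ip", "10.0.0.5"))
    print(rows_of_type(tbl, "malicious_ip"))
```

Because the type leads the key, every row of one type is contiguous, which is what makes the bounded scan cheap; the trade-off is that a hot type clusters its writes on one region, which is why a deployment may prepend a salt to the key (an addition not described on this page).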



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
