[ https://issues.apache.org/jira/browse/METRON-403?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andrew McKinney updated METRON-403:
-----------------------------------
    Labels: Bro Indexing newbie  (was: Bro Indexing)

> Bro elasticsearch bulk index item fails when DNS response includes CNAME
> ------------------------------------------------------------------------
>
>                 Key: METRON-403
>                 URL: https://issues.apache.org/jira/browse/METRON-403
>             Project: Metron
>          Issue Type: Bug
>    Affects Versions: 0.2.2BETA
>         Environment: 7 node Ambari 2.2 managing HDP 2.4
> 4 Metron nodes
> Followed wiki "Metron Installation on an Ambari-Managed Cluster"
>            Reporter: Andrew McKinney
>            Priority: Minor
>              Labels: Bro, Indexing, newbie
>
> Querying CNAME records returns nested answers, e.g. fedora.aau.at.
> {noformat}
> ;; ANSWER SECTION:
> fedora.aau.at.    239 IN CNAME www-rpm.aau.at.
> www-rpm.aau.at.   149 IN A     143.205.180.155
> {noformat}
> This seems to get past the BasicBroParser but when it comes to indexing,
> the bro es template expects type ip, not nested string/ip.
> {noformat}
> {
>   "TTLs":[
>     445.0,
>     414.0
>   ],
>   "bro_timestamp":"1.472812583319753E9",
>   "ip_dst_port":53,
>   "threatinteljoinbolt:joiner:ts":"1472812589689",
>   "rejected":false,
>   "answers":[
>     "www-rpm.aau.at",
>     "143.205.180.155"
>   ],
>   "enrichmentsplitterbolt:splitter:begin:ts":"1472812589689",
>   "enrichmentjoinbolt:joiner:ts":"1472812589689",
>   "trans_id":802,
>   "adapter:geoadapter:begin:ts":"1472812589689",
>   "uid":"C6jPJB1uNqfcJmUPMd",
>   "protocol":"dns",
>   "source:type":"bro",
>   "adapter:threatinteladapter:end:ts":"1472812589689",
>   "original_string":"DNS | AA:false TTLs:[445.0,414.0] id.orig_p:47902
> rejected:false id.resp_p:53 query:fedora.aau.at
> answers:[\"www-rpm.aau.at\",\"143.205.180.155\"] trans_id:802 rcode:0
> rcode_name:NOERROR TC:false RA:true uid:C6jPJB1uNqfcJmUPMd RD:false proto:udp
> id.orig_h:10.150.194.160 Z:0 ts:1.472812583319753E9 id.resp_h:10.150.194.5",
>   "ip_dst_addr":"10.150.194.5",
>   "adapter:hostfromjsonlistadapter:end:ts":"1472812589689",
>   "Z":0,
>   "adapter:geoadapter:end:ts":"1472812589689",
>   "ip_src_addr":"10.150.194.160",
>   "threatintelsplitterbolt:splitter:end:ts":"1472812589689",
>   "timestamp":1472812583319,
>   "AA":false,
>   "enrichmentsplitterbolt:splitter:end:ts":"1472812589689",
>   "query":"fedora.aau.at",
>   "rcode":0,
>   "adapter:hostfromjsonlistadapter:begin:ts":"1472812589689",
>   "rcode_name":"NOERROR",
>   "TC":false,
>   "RA":true,
>   "RD":false,
>   "ip_src_port":47902,
>   "proto":"udp",
>   "threatintelsplitterbolt:splitter:begin:ts":"1472812589689",
>   "adapter:threatinteladapter:begin:ts":"1472812589689"
> }
> {noformat}
> throws
> {noformat}
> nested:IllegalArgumentException[
>   failed to parse ip [
>     www-rpm.aau.at
>   ],
>   not a valid ip address
> ];
> {noformat}
> from bro_index.template
> {noformat}
> {
>   "answers": {
>     "type": "ip"
>   },
> {noformat}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
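The failure above is a mapping-versus-data mismatch: Bro emits every RR in the answer chain into one `answers` array, so a CNAME target (a hostname) lands in a field the `bro_index.template` maps as Elasticsearch type `ip`, and the bulk item is rejected. The following added example (not Metron's code and not from the reporter) replays that check offline: it validates a record against the `ip`-typed properties of a template fragment before indexing, and shows one possible workaround in which non-address answers are moved to a separate `answers_names` field. The template dict, the `answers_names` field name and the `split_answers` strategy are assumptions made for the example, not the project's eventual fix; the sample record is a trimmed copy of the document quoted in the issue.

```python
"""Pre-index check for Bro DNS records against an ES template with ``ip`` fields.

Added example, not Metron's code.  It reproduces the rejection from
METRON-403 without an Elasticsearch cluster: any element of a field mapped
as type ``ip`` must parse as an address, so the CNAME target
``www-rpm.aau.at`` inside ``answers`` fails.
"""
import ipaddress
import json

# Assumed template fragment.  Only the "answers" entry is quoted in the
# issue; the other ip-typed fields are assumed here for illustration.
TEMPLATE_PROPERTIES = {
    "answers": {"type": "ip"},
    "ip_src_addr": {"type": "ip"},
    "ip_dst_addr": {"type": "ip"},
}

# Constructed sample: the indexed document from the issue, trimmed to the
# fields this check needs.
SAMPLE_RECORD = json.loads("""{
  "TTLs": [445.0, 414.0],
  "query": "fedora.aau.at",
  "answers": ["www-rpm.aau.at", "143.205.180.155"],
  "ip_src_addr": "10.150.194.160",
  "ip_dst_addr": "10.150.194.5",
  "rcode_name": "NOERROR"
}""")


def is_ip(value):
    """True if value parses as an IPv4/IPv6 address (a close stand-in for
    what the Elasticsearch ``ip`` field type will accept)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def find_ip_type_violations(record, properties=TEMPLATE_PROPERTIES):
    """Return (field, value) pairs that an ``ip`` mapping would reject.

    Mirrors the IllegalArgumentException in the report: scalar or list,
    every value stored under an ``ip``-typed field has to be an address.
    """
    violations = []
    for field, mapping in properties.items():
        if mapping.get("type") != "ip" or field not in record:
            continue
        values = record[field]
        if not isinstance(values, list):
            values = [values]
        for value in values:
            if not is_ip(value):
                violations.append((field, value))
    return violations


def split_answers(record):
    """Assumed workaround (not Metron's fix): keep only addresses in
    ``answers`` and move names such as CNAME targets to ``answers_names``,
    so the ``ip`` mapping never sees a hostname and the name is not lost."""
    out = dict(record)
    answers = record.get("answers", [])
    out["answers"] = [a for a in answers if is_ip(a)]
    out["answers_names"] = [a for a in answers if not is_ip(a)]
    return out


if __name__ == "__main__":
    # Reproduces the rejection, then shows the record passing after the split.
    print("violations before:", find_ip_type_violations(SAMPLE_RECORD))
    fixed = split_answers(SAMPLE_RECORD)
    print("violations after: ", find_ip_type_violations(fixed))
    print("answers_names:", fixed["answers_names"])
```

Running the check on the quoted record reports `("answers", "www-rpm.aau.at")`, which is exactly the value named in the `failed to parse ip` exception; after `split_answers` the record has no `ip`-typed violations while the CNAME target is still retained for search. Whatever mapping change the project settles on, a validation step of this shape placed before the bulk request turns a silent bulk-item rejection into something that can be logged and counted.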