Neha Sinha created METRON-425:
---------------------------------

             Summary: Stellar transformation fails to handle special characters
                 Key: METRON-425
                 URL: https://issues.apache.org/jira/browse/METRON-425
             Project: Metron
          Issue Type: Bug
            Reporter: Neha Sinha


I updated the snort parser file to have the following Stellar transformation:


PARSER Config: snort
{
  "parserClassName" : "org.apache.metron.parsers.snort.BasicSnortParser",
  "sensorTopic" : "snort",
  "parserConfig" : {},
  "fieldTransformations" : [
    {
      "transformation" : "STELLAR",
      "output" : [ "is_alert", "newStellarField", "isAlert" ],
      "config" : {
        "is_alert" : "false",
        "isAlert" : "false",
        "newStellarField" : "<<??>>"
      }
    }
  ]
}


I get the following exception/error for the snort logs:


2016-09-13 11:30:32.765 o.a.m.p.BasicParser [TRACE] [Metron] Message conforms to schema: {"msg":"\"'snort test alert'\"","sig_rev":"0","ip_dst_port":"80","ethsrc":"00:00:00:00:00:00","tcpseq":"0x5869E532","dgmlen":"40","icmpid":"","tcplen":"","tcpwindow":"0xFA02","icmpseq":"","tcpack":"0x3E05E218","protocol":"TCP","ip_dst_addr":"72.34.49.86","original_string":"09\/13-11:30:25.703857 ,1,999158,0,\"'snort test alert'\",TCP,192.168.138.158,49204,72.34.49.86,80,00:00:00:00:00:00,00:00:00:00:00:00,0x3C,***A****,0x5869E532,0x3E05E218,,0xFA02,128,0,2508,40,40960,,,,","icmpcode":"","tos":"0","id":"2508","ip_src_addr":"192.168.138.158","timestamp":1473766928857,"ethdst":"00:00:00:00:00:00","is_alert":"true","ttl":"128","ethlen":"0x3C","iplen":"40960","icmptype":"","ip_src_port":"49204","tcpflags":"***A****","sig_id":"999158","sig_generator":"1"}
2016-09-13 11:30:32.766 b.s.d.executor [ERROR]
org.apache.metron.common.dsl.ParseException: Syntax error @ 1:0 no viable alternative at input '<'
        at org.apache.metron.common.dsl.ErrorListener.syntaxError(ErrorListener.java:34) ~[stormjar.jar:?]
        at org.antlr.v4.runtime.ProxyErrorListener.syntaxError(ProxyErrorListener.java:65) ~[stormjar.jar:?]
        at org.antlr.v4.runtime.Parser.notifyErrorListeners(Parser.java:558) ~[stormjar.jar:?]
        at org.antlr.v4.runtime.DefaultErrorStrategy.reportNoViableAlternative(DefaultErrorStrategy.java:310) ~[stormjar.jar:?]
        at org.antlr.v4.runtime.DefaultErrorStrategy.reportError(DefaultErrorStrategy.java:147) ~[stormjar.jar:?]
        at org.apache.metron.common.stellar.generated.StellarParser.transformation_expr(StellarParser.java:300) ~[stormjar.jar:?]
        at org.apache.metron.common.stellar.generated.StellarParser.transformation(StellarParser.java:146) ~[stormjar.jar:?]
        at org.apache.metron.common.stellar.BaseStellarProcessor.parse(BaseStellarProcessor.java:92) ~[stormjar.jar:?]
        at org.apache.metron.common.field.transformation.StellarTransformation.map(StellarTransformation.java:46) ~[stormjar.jar:?]
        at org.apache.metron.common.configuration.FieldTransformer.transform(FieldTransformer.java:111) ~[stormjar.jar:?]
        at org.apache.metron.common.configuration.FieldTransformer.transformAndUpdate(FieldTransformer.java:123) ~[stormjar.jar:?]
        at org.apache.metron.parsers.bolt.ParserBolt.execute(ParserBolt.java:125) [stormjar.jar:?]
        at backtype.storm.daemon.executor$fn__5492$tuple_action_fn__5494.invoke(executor.clj:684) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
        at backtype.storm.daemon.executor$mk_task_receiver$fn__5415.invoke(executor.clj:431) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
        at backtype.storm.disruptor$clojure_handler$reify__4991.onEvent(disruptor.clj:58) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
        at backtype.storm.utils.DisruptorQueue.consumeBatchToCursor(DisruptorQueue.java:125) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
        at backtype.storm.utils.DisruptorQueue.consumeBatchWhenAvailable(DisruptorQueue.java:99) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
        at backtype.storm.disruptor$consume_batch_when_available.invoke(disruptor.clj:80) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
        at backtype.storm.daemon.executor$fn__5492$fn__5505$fn__5556.invoke(executor.clj:813) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
        at backtype.storm.util$async_loop$fn__644.invoke(util.clj:479) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
        at clojure.lang.AFn.run(AFn.java:22) [clojure-1.6.0.jar:?]
        at java.lang.Thread.run(Thread.java:745) [?:1.8.0_60]
Caused by: org.antlr.v4.runtime.NoViableAltException
        at org.antlr.v4.runtime.atn.ParserATNSimulator.noViableAlt(ParserATNSimulator.java:1894) ~[stormjar.jar:?]
        at org.antlr.v4.runtime.atn.ParserATNSimulator.execATN(ParserATNSimulator.java:498) ~[stormjar.jar:?]
        at org.antlr.v4.runtime.atn.ParserATNSimulator.adaptivePredict(ParserATNSimulator.java:424) ~[stormjar.jar:?]
        at org.apache.metron.common.stellar.generated.StellarParser.transformation_expr(StellarParser.java:251) ~[stormjar.jar:?]
        ... 16 more
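The trace shows the ParseException being raised from ParserBolt.execute via FieldTransformer.transformAndUpdate, so the failure happens per message once this config is live, which for a sensor feed means parsed telemetry for that sensor stops arriving. The following Python pre-deployment lint is an added example, not part of the report or of Metron itself. It assumes that every value under "config" in a STELLAR field transformation is a Stellar expression rather than a plain string, so that a literal string has to be written as a quoted Stellar string literal; the first-character check it applies is a heuristic of mine and not Stellar's grammar. The sample config is the one quoted in the report, embedded inline.

```python
import json
import re

# Constructed sample input: the snort parser config quoted in the report.
REPORTED_CONFIG = '''
{
  "parserClassName": "org.apache.metron.parsers.snort.BasicSnortParser",
  "sensorTopic": "snort",
  "parserConfig": {},
  "fieldTransformations": [
    {
      "transformation": "STELLAR",
      "output": ["is_alert", "newStellarField", "isAlert"],
      "config": {
        "is_alert": "false",
        "isAlert": "false",
        "newStellarField": "<<??>>"
      }
    }
  ]
}
'''

# Assumption: each "config" value is a Stellar expression, so a plain string
# must be quoted ('...' or "...").  This is a first-character heuristic, not a
# Stellar parser: it only flags values that no expression could begin with
# (anything other than a quote, letter, underscore, digit, '(', '[', '{', '-').
_EXPR_START = re.compile(r"""^\s*['"A-Za-z_0-9(\[{\-]""")


def as_stellar_literal(value):
    """Wrap a plain string as a Stellar string literal, choosing a quote
    character that does not occur in the value.  Returns None when both
    quote characters occur, since that value needs manual attention."""
    for q in ("'", '"'):
        if q not in value:
            return q + value + q
    return None


def lint_parser_config(text):
    """Return a list of problem descriptions for a Metron parser config.
    An empty list means every structural check passed."""
    cfg = json.loads(text)
    problems = []
    for key in ("parserClassName", "sensorTopic"):
        if key not in cfg:
            problems.append("missing top-level key %r" % key)
    for i, ft in enumerate(cfg.get("fieldTransformations", [])):
        where = "fieldTransformations[%d]" % i
        if ft.get("transformation") != "STELLAR":
            continue
        outputs = ft.get("output", [])
        for field, expr in ft.get("config", {}).items():
            if field not in outputs:
                problems.append("%s: field %r has an expression but is not "
                                "listed in output" % (where, field))
            if not isinstance(expr, str):
                problems.append("%s: field %r must be a string, got %s"
                                % (where, field, type(expr).__name__))
            elif not _EXPR_START.match(expr):
                hint = as_stellar_literal(expr)
                problems.append(
                    "%s: field %r = %r cannot start a Stellar expression; "
                    "if a literal string was meant, use %r"
                    % (where, field, expr, hint))
    return problems


def quote_literal_values(text):
    """Return the config with each flagged value rewritten as a quoted Stellar
    string literal, so the failing and corrected settings can be compared."""
    cfg = json.loads(text)
    for ft in cfg.get("fieldTransformations", []):
        if ft.get("transformation") != "STELLAR":
            continue
        for field, expr in ft.get("config", {}).items():
            if isinstance(expr, str) and not _EXPR_START.match(expr):
                fixed = as_stellar_literal(expr)
                if fixed is not None:
                    ft["config"][field] = fixed
    return json.dumps(cfg, indent=2)


if __name__ == "__main__":
    for problem in lint_parser_config(REPORTED_CONFIG):
        print("PROBLEM:", problem)
    corrected = quote_literal_values(REPORTED_CONFIG)
    print(corrected)
    print("problems after fix:", lint_parser_config(corrected))
```

Run against the reported config, the lint flags only newStellarField: "false" passes because it begins with a letter and is a valid Stellar boolean literal, while "<<??>>" is rejected at its first character, matching the "Syntax error @ 1:0 ... at input '<'" in the trace. Running the lint in the same place the config is validated before being pushed to the topology keeps a bad expression from reaching the parser bolt at all.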
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)