Neha Sinha created METRON-442:
---------------------------------

             Summary: Incorrect/Approximated threat triage level is set when the score is configured to some max value
                 Key: METRON-442
                 URL: https://issues.apache.org/jira/browse/METRON-442
             Project: Metron
          Issue Type: Bug
    Affects Versions: 0.2.2BETA
            Reporter: Neha Sinha


Hi,

I have specified the following threat config for the snort sensor:

========================================================
"threatIntel" : {
    "triageConfig" : {
      "riskLevelRules" : {
        "not(IN_SUBNET(ip_dst_addr, '192.168.0.0/24'))" : 9223372036854775807
      }
    }
  }
=======================================================

Expected threat.triage.level = 9223372036854775807
Actual threat.triage.level = 9223372036854776000

*Enrichments log*

=======================================================
2016-08-22 09:42:57.509 o.a.m.e.b.ThreatIntelJoinBolt [DEBUG] snort: Found 
sensor enrichment config.
2016-08-22 09:42:57.510 o.a.m.e.b.ThreatIntelJoinBolt [DEBUG] snort: Found 
threat triage config: 
ThreatTriageConfig{riskLevelRules={not(IN_SUBNET(ip_dst_addr, 
'192.168.0.0/24'))=9223372036854775807}, aggregator=MAX, aggregationConfig={}}
2016-08-22 09:42:57.510 o.a.m.e.b.ThreatIntelJoinBolt [DEBUG] Marked snort as 
triage level 9.223372036854776E18 with rules not(IN_SUBNET(ip_dst_addr, 
'192.168.0.0/24'))=9223372036854775807
2016-08-22 09:42:57.510 o.a.m.w.BulkWriterComponent [DEBUG] Acking 1 
tuples2016-08-22 09:42:57.509 o.a.m.e.b.ThreatIntelJoinBolt [DEBUG] snort: 
Found sensor enrichment config.
2016-08-22 09:42:57.510 o.a.m.e.b.ThreatIntelJoinBolt [DEBUG] snort: Found 
threat triage config: 
ThreatTriageConfig{riskLevelRules={not(IN_SUBNET(ip_dst_addr, 
'192.168.0.0/24'))=9223372036854775807}, aggregator=MAX, aggregationConfig={}}
2016-08-22 09:42:57.510 o.a.m.e.b.ThreatIntelJoinBolt [DEBUG] Marked snort as 
triage level 9.223372036854776E18 with rules not(IN_SUBNET(ip_dst_addr, 
'192.168.0.0/24'))=9223372036854775807
2016-08-22 09:42:57.510 o.a.m.w.BulkWriterComponent [DEBUG] Acking 1 tuples
========================================================
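To illustrate what the log shows (the configured long score 9223372036854775807 being widened to the double 9.223372036854776E18), here is an added example, not code from Metron or from the reporter, that reproduces the precision loss on a constructed copy of the config above and flags any riskLevelRules score that cannot survive a long-to-double conversion intact. The config shape and the `check_risk_level_rules` helper are assumptions for this illustration.

```python
import json

# Constructed copy of the snort threatIntel config from the bug report.
SNORT_THREAT_CONFIG = json.loads("""
{
  "threatIntel": {
    "triageConfig": {
      "riskLevelRules": {
        "not(IN_SUBNET(ip_dst_addr, '192.168.0.0/24'))": 9223372036854775807
      }
    }
  }
}
""")

# A 64-bit IEEE-754 double holds every integer up to 2**53 exactly. Above
# that, integers are rounded to a multiple of a growing power of two, so a
# long score larger than this may not be representable once it is widened
# to a double (the "9.223372036854776E18" seen in the enrichment log).
DOUBLE_EXACT_INT_LIMIT = 2 ** 53


def as_double(score):
    """Mimic the long -> double widening observed in the log."""
    return float(score)


def precision_loss(score):
    """Difference between the configured score and the value actually
    carried after it has been widened to a double (0 means no loss)."""
    return int(as_double(score)) - score


def check_risk_level_rules(config):
    """Return (rule, configured score, score as carried) for every rule
    whose score would be approximated rather than applied exactly."""
    rules = config["threatIntel"]["triageConfig"]["riskLevelRules"]
    findings = []
    for rule, score in rules.items():
        if abs(score) > DOUBLE_EXACT_INT_LIMIT and precision_loss(score) != 0:
            findings.append((rule, score, int(as_double(score))))
    return findings


if __name__ == "__main__":
    for rule, configured, carried in check_risk_level_rules(SNORT_THREAT_CONFIG):
        print(f"{rule}: configured {configured}, carried as {carried}")
```

Running the check against a triage config before deploying it surfaces scores that will be silently approximated; keeping scores at or below 2**53 avoids the rounding entirely.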
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)