[ https://issues.apache.org/jira/browse/METRON-425?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15553473#comment-15553473 ]
ASF GitHub Bot commented on METRON-425:
---------------------------------------
Github user justinleet commented on the issue:
https://github.com/apache/incubator-metron/pull/299
Good catch. I've been looking at this, and ended up looking into a red
herring. A further note on top of this is that (unsurprisingly in light of the
cause) other reserved keywords tend to cause problems. Somewhat
inconsistently, too. E.g.
`"newStellarField" : "not"` fails, but
`"newStellarField" : "false"` does not.

I'd have to dig into it more, but I assume it's because `not` and the other
comparison operators in the grammar expect to be followed by more things, and
don't end up being a string here.

I'm open to suggestions on what the appropriate behavior is, but I really
don't like that it's inconsistent on what gets rejected.
> Stellar transformation fails to handle special characters
> ---------------------------------------------------------
>
> Key: METRON-425
> URL: https://issues.apache.org/jira/browse/METRON-425
> Project: Metron
> Issue Type: Bug
> Reporter: Neha Sinha
> Assignee: Justin Leet
>
> I updated the snort parser file to have the following Stellar transformation:
> PARSER Config: snort
> {
>   "parserClassName": "org.apache.metron.parsers.snort.BasicSnortParser",
>   "sensorTopic": "snort",
>   "parserConfig": {},
>   "fieldTransformations": [
>     {
>       "transformation": "STELLAR",
>       "output": ["is_alert", "newStellarField", "isAlert"],
>       "config": {
>         "is_alert": "false",
>         "isAlert": "false",
>         "newStellarField": "<<??>>"
>       }
>     }
>   ]
> }
> I get the following exception/error for the snort logs:
> 2016-09-13 11:30:32.765 o.a.m.p.BasicParser [TRACE] [Metron] Message conforms to schema: {"msg":"\"'snort test alert'\"","sig_rev":"0","ip_dst_port":"80","ethsrc":"00:00:00:00:00:00","tcpseq":"0x5869E532","dgmlen":"40","icmpid":"","tcplen":"","tcpwindow":"0xFA02","icmpseq":"","tcpack":"0x3E05E218","protocol":"TCP","ip_dst_addr":"72.34.49.86","original_string":"09\/13-11:30:25.703857 ,1,999158,0,\"'snort test alert'\",TCP,192.168.138.158,49204,72.34.49.86,80,00:00:00:00:00:00,00:00:00:00:00:00,0x3C,***A****,0x5869E532,0x3E05E218,,0xFA02,128,0,2508,40,40960,,,,","icmpcode":"","tos":"0","id":"2508","ip_src_addr":"192.168.138.158","timestamp":1473766928857,"ethdst":"00:00:00:00:00:00","is_alert":"true","ttl":"128","ethlen":"0x3C","iplen":"40960","icmptype":"","ip_src_port":"49204","tcpflags":"***A****","sig_id":"999158","sig_generator":"1"}
> 2016-09-13 11:30:32.766 b.s.d.executor [ERROR]
> org.apache.metron.common.dsl.ParseException: Syntax error @ 1:0 no viable alternative at input '<'
>     at org.apache.metron.common.dsl.ErrorListener.syntaxError(ErrorListener.java:34) ~[stormjar.jar:?]
>     at org.antlr.v4.runtime.ProxyErrorListener.syntaxError(ProxyErrorListener.java:65) ~[stormjar.jar:?]
>     at org.antlr.v4.runtime.Parser.notifyErrorListeners(Parser.java:558) ~[stormjar.jar:?]
>     at org.antlr.v4.runtime.DefaultErrorStrategy.reportNoViableAlternative(DefaultErrorStrategy.java:310) ~[stormjar.jar:?]
>     at org.antlr.v4.runtime.DefaultErrorStrategy.reportError(DefaultErrorStrategy.java:147) ~[stormjar.jar:?]
>     at org.apache.metron.common.stellar.generated.StellarParser.transformation_expr(StellarParser.java:300) ~[stormjar.jar:?]
>     at org.apache.metron.common.stellar.generated.StellarParser.transformation(StellarParser.java:146) ~[stormjar.jar:?]
>     at org.apache.metron.common.stellar.BaseStellarProcessor.parse(BaseStellarProcessor.java:92) ~[stormjar.jar:?]
>     at org.apache.metron.common.field.transformation.StellarTransformation.map(StellarTransformation.java:46) ~[stormjar.jar:?]
>     at org.apache.metron.common.configuration.FieldTransformer.transform(FieldTransformer.java:111) ~[stormjar.jar:?]
>     at org.apache.metron.common.configuration.FieldTransformer.transformAndUpdate(FieldTransformer.java:123) ~[stormjar.jar:?]
>     at org.apache.metron.parsers.bolt.ParserBolt.execute(ParserBolt.java:125) [stormjar.jar:?]
>     at backtype.storm.daemon.executor$fn__5492$tuple_action_fn__5494.invoke(executor.clj:684) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
>     at backtype.storm.daemon.executor$mk_task_receiver$fn__5415.invoke(executor.clj:431) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
>     at backtype.storm.disruptor$clojure_handler$reify__4991.onEvent(disruptor.clj:58) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
>     at backtype.storm.utils.DisruptorQueue.consumeBatchToCursor(DisruptorQueue.java:125) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
>     at backtype.storm.utils.DisruptorQueue.consumeBatchWhenAvailable(DisruptorQueue.java:99) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
>     at backtype.storm.disruptor$consume_batch_when_available.invoke(disruptor.clj:80) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
>     at backtype.storm.daemon.executor$fn__5492$fn__5505$fn__5556.invoke(executor.clj:813) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
>     at backtype.storm.util$async_loop$fn__644.invoke(util.clj:479) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
>     at clojure.lang.AFn.run(AFn.java:22) [clojure-1.6.0.jar:?]
>     at java.lang.Thread.run(Thread.java:745) [?:1.8.0_60]
> Caused by: org.antlr.v4.runtime.NoViableAltException
>     at org.antlr.v4.runtime.atn.ParserATNSimulator.noViableAlt(ParserATNSimulator.java:1894) ~[stormjar.jar:?]
>     at org.antlr.v4.runtime.atn.ParserATNSimulator.execATN(ParserATNSimulator.java:498) ~[stormjar.jar:?]
>     at org.antlr.v4.runtime.atn.ParserATNSimulator.adaptivePredict(ParserATNSimulator.java:424) ~[stormjar.jar:?]
>     at org.apache.metron.common.stellar.generated.StellarParser.transformation_expr(StellarParser.java:251) ~[stormjar.jar:?]
>     ... 16 more
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
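The behaviour the comment and the ticket describe, as an added worked example that is not Metron code and not part of the JIRA thread: the values in a STELLAR transformation's "config" map are handed to an expression parser, not stored as strings, which is why "false" is accepted (a boolean literal) while "not" (an operator with nothing after it) and "<<??>>" (no rule starts with "<") are rejected with "no viable alternative". Stellar itself is an ANTLR grammar in Java; the grammar below is a small Python stand-in with the same shape, so the token and rule names (`Parser`, `validate_transformation_config`, `as_string_literal`, the keyword set) are this example's own and are not Metron's. The practitioner-facing point is the validation function: parse every config value once when the sensor config is loaded and report failures per output field, rather than discovering the bad field as a stack trace per snort line inside the parser bolt. It also shows the fix on the config side: quoting the value (single quotes are a string-literal form in Stellar) makes it a string instead of an expression.

```python
import re

# Added example (not Metron code): a toy expression grammar with the same shape as the
# failure in the thread. Config values are parsed as expressions, not strings.
# Grammar (hypothetical subset, not Metron's ANTLR Stellar grammar):
#   expr := term (('and' | 'or') term)*
#   term := 'not' term | atom (CMP atom)?
#   atom := 'true' | 'false' | NUMBER | 'single-quoted string' | IDENT | '(' expr ')'
KEYWORDS = {"not", "and", "or", "true", "false"}
COMPARISONS = {"==", "!=", "<", "<=", ">", ">="}
TOKEN_RE = re.compile(r"\s*(?:(\d+)|('[^']*')|([A-Za-z_]\w*)|(==|!=|<=|>=|<|>|\(|\))|(\S))")


class ParseError(ValueError):
    """Stands in for org.apache.metron.common.dsl.ParseException."""


def tokenize(src):
    # Unknown characters (last group) are kept as tokens so that the parser, not the
    # lexer, rejects them, mirroring ANTLR's "no viable alternative at input ...".
    return [next(g for g in m.groups() if g) for m in TOKEN_RE.finditer(src)]


class Parser:
    def __init__(self, src):
        self.toks = tokenize(src)
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.expr()
        if self.peek() is not None:
            raise ParseError(f"extraneous input {self.peek()!r}")
        return node

    def expr(self):
        node = self.term()
        while self.peek() in ("and", "or"):
            node = (self.take(), node, self.term())
        return node

    def term(self):
        if self.peek() == "not":
            self.take()
            return ("not", self.term())  # 'not' on its own fails here: no operand follows
        node = self.atom()
        if self.peek() in COMPARISONS:
            node = (self.take(), node, self.atom())
        return node

    def atom(self):
        tok = self.take()
        if tok is None:
            raise ParseError("unexpected end of input")
        if tok == "(":
            node = self.expr()
            if self.take() != ")":
                raise ParseError("missing ')'")
            return node
        if tok in ("true", "false"):
            return ("bool", tok == "true")  # why "false" parses: it is a literal
        if tok.isdigit():
            return ("num", int(tok))
        if len(tok) >= 2 and tok[0] == tok[-1] == "'":
            return ("str", tok[1:-1])
        if tok not in KEYWORDS and re.fullmatch(r"[A-Za-z_]\w*", tok):
            return ("var", tok)
        raise ParseError(f"no viable alternative at input {tok!r}")  # e.g. '<' at 1:0


def validate_transformation_config(config):
    """Parse every config value once, up front; return {output field: error or None}.

    This is the load-time check the thread is missing: it names the offending field
    before any message reaches the parser bolt, instead of one stack trace per log line.
    """
    report = {}
    for field, expression in config.items():
        try:
            Parser(expression).parse()
            report[field] = None
        except ParseError as err:
            report[field] = str(err)
    return report


def as_string_literal(value):
    """Quote a raw value so the grammar reads it as a string rather than an expression."""
    if "'" in value:
        raise ValueError("toy lexer has no escape sequences; value may not contain a quote")
    return f"'{value}'"


# Constructed sample matching the "config" map in the ticket.
SAMPLE_CONFIG = {"is_alert": "false", "isAlert": "false", "newStellarField": "<<??>>"}

if __name__ == "__main__":
    for field, err in validate_transformation_config(SAMPLE_CONFIG).items():
        print(f"{field}: {'ok' if err is None else err}")
    print(Parser(as_string_literal("<<??>>")).parse())
```

Run against the ticket's config the report flags only `newStellarField` with `no viable alternative at input '<'`, the same position-zero failure the ANTLR trace shows, while the two "false" values pass. The same check explains the inconsistency in the comment: `"not"` fails because the grammar demands an operand after it, `"not false"` is accepted, and a bare `"and"` is rejected as a keyword. The toy lexer has no escape handling, so `as_string_literal` refuses values containing a quote rather than producing something that would parse incorrectly.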