[ https://issues.apache.org/jira/browse/METRON-441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15575552#comment-15575552 ]
ASF GitHub Bot commented on METRON-441:
---------------------------------------

GitHub user cestella opened a pull request:

    https://github.com/apache/incubator-metron/pull/309

    METRON-441: Aggregator function "MIN" does not work for threat triage

    If you are aggregating a series of strictly positive numbers, `MIN` does not function properly (returns `0` instead of the real minimum).

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/cestella/incubator-metron METRON-441

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/incubator-metron/pull/309.patch

To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message:

    This closes #309

----
commit 4f70f1630a524681b3294d113a6c01a521537ed4
Author: cstella <ceste...@gmail.com>
Date:   2016-10-14T14:45:44Z

    METRON-441: Min is broken.

----

> Aggregator function "MIN" does not work for threat triage
> ---------------------------------------------------------
>
>                 Key: METRON-441
>                 URL: https://issues.apache.org/jira/browse/METRON-441
>             Project: Metron
>          Issue Type: Bug
>            Reporter: Neha Sinha
>             Fix For: 0.2.2BETA
>
>
> The enrichment config in my deployment reads this :-
> ======================================================
> ENRICHMENT Config: snort
> {
>   "index": "snort",
>   "batchSize": 1,
>   "threatIntel" : {
>     "triageConfig" : {
>       "riskLevelRules" : {
>         "ip_dst_addr == '192.168.138.158'" : 92.9
>         ,"exists(ip_dst_addr)" : 92.01
>       },
>       "aggregator" : "MIN"
>     }
>   }
> }
> ======================================================
> The threat.triage.level value is being set to '0' though the rule condition
> exists(ip_dst_addr) is satisfied.
> Enrichment logs :-
> =======================================================
> 2016-08-22 10:50:22.167 o.a.m.w.BulkWriterComponent [DEBUG] Acking 1 tuples
> 2016-08-22 10:50:22.167 o.a.m.e.b.ThreatIntelJoinBolt [DEBUG] snort: Found sensor enrichment config.
> 2016-08-22 10:50:22.167 o.a.m.e.b.ThreatIntelJoinBolt [DEBUG] snort: Found threat triage config: ThreatTriageConfig{riskLevelRules={ip_dst_addr == '192.168.138.158'=92.9, exists(ip_dst_addr)=92.01}, aggregator=MIN, aggregationConfig={}}
> 2016-08-22 10:50:22.167 o.a.m.e.b.ThreatIntelJoinBolt [DEBUG] Marked snort as triage level 0.0 with rules ip_dst_addr == '192.168.138.158'=92.9 exists(ip_dst_addr)=92.01
> =====================================================

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
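The symptom reported above (a MIN aggregation over strictly positive scores coming back as 0) is easy to reproduce with a small model of rule evaluation plus score reduction. The following is an added example written for this page; it is not Metron's code. The rule table mirrors the issue's riskLevelRules, with plain Python callables standing in for the Stellar expressions, and the messages are constructed. The issue does not say why MIN returns 0, so the zero-seeded accumulator shown as the defective variant is an assumption about the cause; the corrected variant seeds the fold from the first fired score and returns 0 only when no rule fired.

```python
"""Model of threat-triage score aggregation (added example, not Metron's code).

The predicates below are Python callables standing in for the Stellar
expressions in the issue's riskLevelRules. The zero-seeded fold is an assumed
cause of the reported symptom, not something the issue itself states.
"""
from typing import Callable, Dict, List, Tuple

Message = Dict[str, object]
Rule = Tuple[Callable[[Message], bool], float]

# Constructed rule set reproducing the issue's riskLevelRules: name -> (predicate, score).
RISK_LEVEL_RULES: Dict[str, Rule] = {
    "ip_dst_addr == '192.168.138.158'": (
        lambda m: m.get("ip_dst_addr") == "192.168.138.158", 92.9),
    "exists(ip_dst_addr)": (lambda m: "ip_dst_addr" in m, 92.01),
}


def fired_scores(message: Message, rules: Dict[str, Rule]) -> List[float]:
    """Scores of every rule whose predicate holds for the message, in table order."""
    return [score for predicate, score in rules.values() if predicate(message)]


def min_seeded_with_zero(scores: List[float]) -> float:
    """Hypothetical defective MIN: the accumulator starts at 0.0, so any set of
    strictly positive scores collapses to 0.0 (the symptom in the issue)."""
    acc = 0.0
    for s in scores:
        acc = min(acc, s)
    return acc


def max_seeded_with_zero(scores: List[float]) -> float:
    """The same zero seed is harmless for MAX over non-negative scores, which is
    why a defect of this shape would surface for MIN only."""
    acc = 0.0
    for s in scores:
        acc = max(acc, s)
    return acc


def min_from_first(scores: List[float]) -> float:
    """Corrected MIN: seed the fold with the first fired score and return 0.0
    only when no rule fired at all."""
    if not scores:
        return 0.0
    acc = scores[0]
    for s in scores[1:]:
        acc = min(acc, s)
    return acc


AGGREGATORS: Dict[str, Callable[[List[float]], float]] = {
    "MIN_BUGGY": min_seeded_with_zero,  # hypothetical defective variant
    "MIN": min_from_first,
    "MAX": max_seeded_with_zero,
}


def triage_level(message: Message, rules: Dict[str, Rule], aggregator: str) -> float:
    """Evaluate the rules and reduce the fired scores with the named aggregator."""
    return AGGREGATORS[aggregator](fired_scores(message, rules))


# Constructed messages: one satisfying only exists(ip_dst_addr), one satisfying
# both rules, and one with no ip_dst_addr at all.
OTHER_DST: Message = {"ip_src_addr": "10.0.0.9", "ip_dst_addr": "10.0.0.5"}
FLAGGED_DST: Message = {"ip_src_addr": "10.0.0.9", "ip_dst_addr": "192.168.138.158"}
NO_DST: Message = {"ip_src_addr": "10.0.0.9"}


if __name__ == "__main__":
    for name, msg in (("other dst", OTHER_DST), ("flagged dst", FLAGGED_DST), ("no dst", NO_DST)):
        print(name, "fired:", fired_scores(msg, RISK_LEVEL_RULES),
              "MIN_BUGGY:", triage_level(msg, RISK_LEVEL_RULES, "MIN_BUGGY"),
              "MIN:", triage_level(msg, RISK_LEVEL_RULES, "MIN"))
```

Running the model on a message that only satisfies `exists(ip_dst_addr)` gives 0.0 from the zero-seeded fold and 92.01 from the corrected one; the only case in which the corrected MIN legitimately yields 0.0 is the message with no fired rules, which is the condition a regression test for this bug should distinguish from positive scores.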