[jira] [Commented] (METRON-441) Aggregator function "MIN" does not work for threat triage

Fri, 14 Oct 2016 07:48:39 -0700 

    [ 
https://issues.apache.org/jira/browse/METRON-441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15575552#comment-15575552
 ] 

ASF GitHub Bot commented on METRON-441:
---------------------------------------

GitHub user cestella opened a pull request:

    https://github.com/apache/incubator-metron/pull/309

    METRON-441: Aggregator function "MIN" does not work for threat triage

    If you are aggregating a series of strictly positive numbers, `MIN` does 
not function properly (returns `0` instead of the real minimum).

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/cestella/incubator-metron METRON-441

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/incubator-metron/pull/309.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #309
    
----
commit 4f70f1630a524681b3294d113a6c01a521537ed4
Author: cstella <ceste...@gmail.com>
Date:   2016-10-14T14:45:44Z

    METRON-441: Min is broken.

----


> Aggregator function "MIN" does not work for threat triage
> ---------------------------------------------------------
>
>                 Key: METRON-441
>                 URL: https://issues.apache.org/jira/browse/METRON-441
>             Project: Metron
>          Issue Type: Bug
>            Reporter: Neha Sinha
>             Fix For: 0.2.2BETA
>
>
> The enrichment config in my deployment reads this :-
> ======================================================
> ENRICHMENT Config: snort
> {
>   "index": "snort",
>   "batchSize": 1,
>   "threatIntel" : {
>     "triageConfig" : {
>       "riskLevelRules" : {
>         "ip_dst_addr == '192.168.138.158'" : 92.9
>               ,"exists(ip_dst_addr)" : 92.01
>       },
>      "aggregator" : "MIN"
>     }
>   }
> }
> ======================================================
> The threat.triage.level value is being set to '0' though the rule condition 
> exists(ip_dst_addr) is satisfied.
> Enrichment logs :-
> =======================================================
> 2016-08-22 10:50:22.167 o.a.m.w.BulkWriterComponent [DEBUG] Acking 1 tuples
> 2016-08-22 10:50:22.167 o.a.m.e.b.ThreatIntelJoinBolt [DEBUG] snort: Found 
> sensor enrichment config.
> 2016-08-22 10:50:22.167 o.a.m.e.b.ThreatIntelJoinBolt [DEBUG] snort: Found 
> threat triage config: ThreatTriageConfig{riskLevelRules={ip_dst_addr == 
> '192.168.138.158'=92.9, exists(ip_dst_addr)=92.01}, aggregator=MIN, 
> aggregationConfig={}}
> 2016-08-22 10:50:22.167 o.a.m.e.b.ThreatIntelJoinBolt [DEBUG] Marked snort as 
> triage level 0.0 with rules ip_dst_addr == '192.168.138.158'=92.9
> exists(ip_dst_addr)=92.01
> =====================================================



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to