[ https://issues.apache.org/jira/browse/METRON-425?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Casey Stella updated METRON-425:
--------------------------------
    Fix Version/s: 0.2.2BETA

> Stellar transformation fails to handle special characters
> ---------------------------------------------------------
>
>                 Key: METRON-425
>                 URL: https://issues.apache.org/jira/browse/METRON-425
>             Project: Metron
>          Issue Type: Bug
>            Reporter: Neha Sinha
>            Assignee: Otto Fowler
>             Fix For: 0.2.2BETA
>
>
> I updated the snort parser file to have the following Stellar transformation:-
> PARSER Config: snort
> {
>   "parserClassName": "org.apache.metron.parsers.snort.BasicSnortParser",
>   "sensorTopic": "snort",
>   "parserConfig": {},
>   "fieldTransformations": [
>     {
>       "transformation": "STELLAR",
>       "output": [ "is_alert", "newStellarField", "isAlert" ],
>       "config": {
>         "is_alert": "false",
>         "isAlert": "false",
>         "newStellarField": "<<??>>"
>       }
>     }
>   ]
> }
> I get the following exception/error for the snort logs :-
> 2016-09-13 11:30:32.765 o.a.m.p.BasicParser [TRACE] [Metron] Message conforms to schema: {"msg":"\"'snort test alert'\"","sig_rev":"0","ip_dst_port":"80","ethsrc":"00:00:00:00:00:00","tcpseq":"0x5869E532","dgmlen":"40","icmpid":"","tcplen":"","tcpwindow":"0xFA02","icmpseq":"","tcpack":"0x3E05E218","protocol":"TCP","ip_dst_addr":"72.34.49.86","original_string":"09\/13-11:30:25.703857 ,1,999158,0,\"'snort test alert'\",TCP,192.168.138.158,49204,72.34.49.86,80,00:00:00:00:00:00,00:00:00:00:00:00,0x3C,***A****,0x5869E532,0x3E05E218,,0xFA02,128,0,2508,40,40960,,,,","icmpcode":"","tos":"0","id":"2508","ip_src_addr":"192.168.138.158","timestamp":1473766928857,"ethdst":"00:00:00:00:00:00","is_alert":"true","ttl":"128","ethlen":"0x3C","iplen":"40960","icmptype":"","ip_src_port":"49204","tcpflags":"***A****","sig_id":"999158","sig_generator":"1"}
> 2016-09-13 11:30:32.766 b.s.d.executor [ERROR] 
> org.apache.metron.common.dsl.ParseException: Syntax error @ 1:0 no viable alternative at input '<'
>       at org.apache.metron.common.dsl.ErrorListener.syntaxError(ErrorListener.java:34) ~[stormjar.jar:?]
>       at org.antlr.v4.runtime.ProxyErrorListener.syntaxError(ProxyErrorListener.java:65) ~[stormjar.jar:?]
>       at org.antlr.v4.runtime.Parser.notifyErrorListeners(Parser.java:558) ~[stormjar.jar:?]
>       at org.antlr.v4.runtime.DefaultErrorStrategy.reportNoViableAlternative(DefaultErrorStrategy.java:310) ~[stormjar.jar:?]
>       at org.antlr.v4.runtime.DefaultErrorStrategy.reportError(DefaultErrorStrategy.java:147) ~[stormjar.jar:?]
>       at org.apache.metron.common.stellar.generated.StellarParser.transformation_expr(StellarParser.java:300) ~[stormjar.jar:?]
>       at org.apache.metron.common.stellar.generated.StellarParser.transformation(StellarParser.java:146) ~[stormjar.jar:?]
>       at org.apache.metron.common.stellar.BaseStellarProcessor.parse(BaseStellarProcessor.java:92) ~[stormjar.jar:?]
>       at org.apache.metron.common.field.transformation.StellarTransformation.map(StellarTransformation.java:46) ~[stormjar.jar:?]
>       at org.apache.metron.common.configuration.FieldTransformer.transform(FieldTransformer.java:111) ~[stormjar.jar:?]
>       at org.apache.metron.common.configuration.FieldTransformer.transformAndUpdate(FieldTransformer.java:123) ~[stormjar.jar:?]
>       at org.apache.metron.parsers.bolt.ParserBolt.execute(ParserBolt.java:125) [stormjar.jar:?]
>       at backtype.storm.daemon.executor$fn__5492$tuple_action_fn__5494.invoke(executor.clj:684) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
>       at backtype.storm.daemon.executor$mk_task_receiver$fn__5415.invoke(executor.clj:431) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
>       at backtype.storm.disruptor$clojure_handler$reify__4991.onEvent(disruptor.clj:58) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
>       at backtype.storm.utils.DisruptorQueue.consumeBatchToCursor(DisruptorQueue.java:125) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
>       at backtype.storm.utils.DisruptorQueue.consumeBatchWhenAvailable(DisruptorQueue.java:99) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
>       at backtype.storm.disruptor$consume_batch_when_available.invoke(disruptor.clj:80) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
>       at backtype.storm.daemon.executor$fn__5492$fn__5505$fn__5556.invoke(executor.clj:813) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
>       at backtype.storm.util$async_loop$fn__644.invoke(util.clj:479) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
>       at clojure.lang.AFn.run(AFn.java:22) [clojure-1.6.0.jar:?]
>       at java.lang.Thread.run(Thread.java:745) [?:1.8.0_60]
> Caused by: org.antlr.v4.runtime.NoViableAltException
>       at org.antlr.v4.runtime.atn.ParserATNSimulator.noViableAlt(ParserATNSimulator.java:1894) ~[stormjar.jar:?]
>       at org.antlr.v4.runtime.atn.ParserATNSimulator.execATN(ParserATNSimulator.java:498) ~[stormjar.jar:?]
>       at org.antlr.v4.runtime.atn.ParserATNSimulator.adaptivePredict(ParserATNSimulator.java:424) ~[stormjar.jar:?]
>       at org.apache.metron.common.stellar.generated.StellarParser.transformation_expr(StellarParser.java:251) ~[stormjar.jar:?]
>       ... 16 more



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
