[ https://issues.apache.org/jira/browse/METRON-555?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15645929#comment-15645929 ]

Michael Miklavcic commented on METRON-555:
------------------------------------------

All work reflected in METRON-554

> Require proper error handling when invalid input is fed to Threat triage rules
> -------------------------------------------------------------------------------
>
>                 Key: METRON-555
>                 URL: https://issues.apache.org/jira/browse/METRON-555
>             Project: Metron
>          Issue Type: Bug
>            Reporter: Neha Sinha
>            Assignee: Michael Miklavcic
>             Fix For: 0.2.2BETA
>
>
> I am getting the following error/exception for the threat triage as the rule 
> on the left side does not evaluate to true/false.
> How are we planning to handle such invalid inputs as this impacts enrichment 
> and indexing?
> Note: Tested with bro parser. Have attached the zookeeper config dump for 
> reference.
> =========================================================
> *Enrichment Logs*
> =========================================================
> 2016-08-24 09:15:15.505 o.a.m.e.b.ThreatIntelJoinBolt [DEBUG] bro: Found 
> threat triage config: 
> ThreatTriageConfig{riskLevelRules={exists(ip_dst_addr)=0.1, 
> TO_LOWER(host)=0.91, exists(ip_dst_port)=0.2, exists(ip_src_port)=0.3}, 
> aggregator=MAX, aggregationConfig={NEGATIVE_VALUES_TRUMP_CONF=false}}
> 2016-08-24 09:15:15.505 o.a.m.e.b.JoinBolt [ERROR] [Metron] Unable to join 
> messages: 
> {"adapter.threatinteladapter.end.ts":"1472030115499","adapter.threatinteladapter.begin.ts":"1472030115499","threatintels.hbaseThreatIntel.ip_src_addr":"","threatintels.hbaseThreatIntel.ip_dst_addr":"","source.type":"bro"}
> java.lang.ClassCastException: Cannot cast java.lang.String to 
> java.lang.Boolean
>       at java.lang.Class.cast(Class.java:3369) ~[?:1.8.0_60]
>       at 
> org.apache.metron.common.stellar.BaseStellarProcessor.parse(BaseStellarProcessor.java:58)
>  ~[stormjar.jar:?]
>       at 
> org.apache.metron.common.stellar.StellarPredicateProcessor.parse(StellarPredicateProcessor.java:53)
>  ~[stormjar.jar:?]
>       at 
> org.apache.metron.threatintel.triage.ThreatTriageProcessor.apply(ThreatTriageProcessor.java:58)
>  ~[stormjar.jar:?]
>       at 
> org.apache.metron.enrichment.bolt.ThreatIntelJoinBolt.joinMessages(ThreatIntelJoinBolt.java:109)
>  ~[stormjar.jar:?]
>       at 
> org.apache.metron.enrichment.bolt.ThreatIntelJoinBolt.joinMessages(ThreatIntelJoinBolt.java:38)
>  ~[stormjar.jar:?]
>       at 
> org.apache.metron.enrichment.bolt.JoinBolt.execute(JoinBolt.java:111) 
> [stormjar.jar:?]
>       at 
> backtype.storm.daemon.executor$fn__5492$tuple_action_fn__5494.invoke(executor.clj:684)
>  [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
>       at 
> backtype.storm.daemon.executor$mk_task_receiver$fn__5415.invoke(executor.clj:431)
>  [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
>       at 
> backtype.storm.disruptor$clojure_handler$reify__4991.onEvent(disruptor.clj:58)
>  [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
>       at 
> backtype.storm.utils.DisruptorQueue.consumeBatchToCursor(DisruptorQueue.java:125)
>  [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
>       at 
> backtype.storm.utils.DisruptorQueue.consumeBatchWhenAvailable(DisruptorQueue.java:99)
>  [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
>       at 
> backtype.storm.disruptor$consume_batch_when_available.invoke(disruptor.clj:80)
>  [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
>       at 
> backtype.storm.daemon.executor$fn__5492$fn__5505$fn__5556.invoke(executor.clj:813)
>  [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
>       at backtype.storm.util$async_loop$fn__644.invoke(util.clj:479) 
> [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
>       at clojure.lang.AFn.run(AFn.java:22) [clojure-1.6.0.jar:?]
>       at java.lang.Thread.run(Thread.java:745) [?:1.8.0_60]
> 2016-08-24 09:15:15.505 b.s.d.executor [ERROR] 
> java.lang.ClassCastException: Cannot cast java.lang.String to 
> java.lang.Boolean
>       at java.lang.Class.cast(Class.java:3369) ~[?:1.8.0_60]
>       at 
> org.apache.metron.common.stellar.BaseStellarProcessor.parse(BaseStellarProcessor.java:58)
>  ~[stormjar.jar:?]
>       at 
> org.apache.metron.common.stellar.StellarPredicateProcessor.parse(StellarPredicateProcessor.java:53)
>  ~[stormjar.jar:?]
>       at 
> org.apache.metron.threatintel.triage.ThreatTriageProcessor.apply(ThreatTriageProcessor.java:58)
>  ~[stormjar.jar:?]
>       at 
> org.apache.metron.enrichment.bolt.ThreatIntelJoinBolt.joinMessages(ThreatIntelJoinBolt.java:109)
>  ~[stormjar.jar:?]
>       at 
> org.apache.metron.enrichment.bolt.ThreatIntelJoinBolt.joinMessages(ThreatIntelJoinBolt.java:38)
>  ~[stormjar.jar:?]
>       at 
> org.apache.metron.enrichment.bolt.JoinBolt.execute(JoinBolt.java:111) 
> [stormjar.jar:?]
>       at 
> backtype.storm.daemon.executor$fn__5492$tuple_action_fn__5494.invoke(executor.clj:684)
>  [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
>       at 
> backtype.storm.daemon.executor$mk_task_receiver$fn__5415.invoke(executor.clj:431)
>  [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
>       at 
> backtype.storm.disruptor$clojure_handler$reify__4991.onEvent(disruptor.clj:58)
>  [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
>       at 
> backtype.storm.utils.DisruptorQueue.consumeBatchToCursor(DisruptorQueue.java:125)
>  [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
>       at 
> backtype.storm.utils.DisruptorQueue.consumeBatchWhenAvailable(DisruptorQueue.java:99)
>  [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
>       at 
> backtype.storm.disruptor$consume_batch_when_available.invoke(disruptor.clj:80)
>  [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
>       at 
> backtype.storm.daemon.executor$fn__5492$fn__5505$fn__5556.invoke(executor.clj:813)
>  [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
>       at backtype.storm.util$async_loop$fn__644.invoke(util.clj:479) 
> [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
>       at clojure.lang.AFn.run(AFn.java:22) [clojure-1.6.0.jar:?]
>       at java.lang.Thread.run(Thread.java:745) [?:1.8.0_60]
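
The trace above shows why a single misconfigured rule takes down the whole join: `TO_LOWER(host)` evaluates to a `String`, the predicate processor casts it to `Boolean`, and the resulting `ClassCastException` escapes `ThreatTriageProcessor.apply` into the bolt, so the message is never enriched or indexed. The example below is added here and is not Metron code: `evaluate()` is a toy stand-in for the Stellar evaluator (hypothetical, it only understands `exists(field)` and `TO_LOWER(field)`), and the message field values are constructed. It contrasts the unconditional cast that produces the ticket's exception with a scorer that checks the result type per rule, reports the offending rule by name, and still produces a score from the rules that are valid.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/**
 * Added example, not Metron code. A minimal threat triage scorer that
 * validates the type of each rule's result instead of blindly casting it.
 */
public class TriageTypeCheckExample {

    /** Outcome of scoring one message: MAX-aggregated score plus the rules that were rejected. */
    public static final class TriageOutcome {
        public final double score;
        public final List<String> invalidRules;
        TriageOutcome(double score, List<String> invalidRules) {
            this.score = score;
            this.invalidRules = Collections.unmodifiableList(invalidRules);
        }
    }

    /**
     * Hypothetical stand-in for a Stellar evaluator. Understands only
     * exists(field) -> Boolean and TO_LOWER(field) -> String, which is enough
     * to reproduce the mix of rules from the ThreatTriageConfig in the ticket.
     */
    static Object evaluate(String rule, Map<String, Object> message) {
        if (rule.startsWith("exists(") && rule.endsWith(")")) {
            String field = rule.substring("exists(".length(), rule.length() - 1);
            return message.containsKey(field);
        }
        if (rule.startsWith("TO_LOWER(") && rule.endsWith(")")) {
            String field = rule.substring("TO_LOWER(".length(), rule.length() - 1);
            Object v = message.get(field);
            return v == null ? null : v.toString().toLowerCase();
        }
        throw new IllegalArgumentException("unsupported rule: " + rule);
    }

    /** The failing pattern: an unconditional cast, as in the stack trace on the ticket. */
    static double scoreUnchecked(Map<String, Double> rules, Map<String, Object> message) {
        double max = 0.0;
        for (Map.Entry<String, Double> e : rules.entrySet()) {
            // Class.cast throws ClassCastException when the rule yields a String
            Boolean hit = Boolean.class.cast(evaluate(e.getKey(), message));
            if (hit) max = Math.max(max, e.getValue());
        }
        return max;
    }

    /** Hardened version: a rule that does not yield a Boolean is reported and skipped. */
    static TriageOutcome scoreChecked(Map<String, Double> rules, Map<String, Object> message) {
        double max = 0.0;
        List<String> invalid = new ArrayList<>();
        for (Map.Entry<String, Double> e : rules.entrySet()) {
            Object result;
            try {
                result = evaluate(e.getKey(), message);
            } catch (RuntimeException ex) {
                invalid.add(e.getKey() + " (evaluation failed: " + ex.getMessage() + ")");
                continue;
            }
            if (!(result instanceof Boolean)) {
                String type = result == null ? "null" : result.getClass().getName();
                invalid.add(e.getKey() + " (returned " + type + ", expected Boolean)");
                continue;
            }
            if ((Boolean) result) max = Math.max(max, e.getValue());
        }
        return new TriageOutcome(max, invalid);
    }

    public static void main(String[] args) {
        // Rule set and scores copied from the ThreatTriageConfig in the ticket
        Map<String, Double> rules = new LinkedHashMap<>();
        rules.put("exists(ip_dst_addr)", 0.1);
        rules.put("TO_LOWER(host)", 0.91);
        rules.put("exists(ip_dst_port)", 0.2);
        rules.put("exists(ip_src_port)", 0.3);

        // Constructed message: TEST-NET-1 address and a made-up host name
        Map<String, Object> message = new LinkedHashMap<>();
        message.put("ip_dst_addr", "192.0.2.10");
        message.put("ip_dst_port", 443);
        message.put("host", "Example.NET");

        try {
            scoreUnchecked(rules, message);
        } catch (ClassCastException ex) {
            System.out.println("unchecked: " + ex);
        }

        TriageOutcome out = scoreChecked(rules, message);
        System.out.println("checked: score=" + out.score + " invalidRules=" + out.invalidRules);
    }
}
```

With the constructed message, the unchecked scorer fails on the second rule exactly as the bolt did, while the checked scorer scores the three `exists(...)` rules and names `TO_LOWER(host)` as the rule whose result was a `java.lang.String`. Whether a rejected rule should be skipped, as here, or should fail the message outright is a policy choice; the part that matters for operations is that the rule is identified by name in the error, so the configuration problem can be found and fixed rather than surfacing as a cast failure deep in the Storm executor.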



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
