Hello All,
I am trying to write a triage rule that sets the alert score based on the Geo
enrichment output, as follows.
$ cat $METRON_HOME/config/zookeeper/enrichments/snort.json
{
"enrichment" : {
"fieldMap":
{
"geo": ["ip_dst_addr", "ip_src_addr"],
"host": ["host"]
}
},
"threatIntel" : {
"fieldMap":
{
"hbaseThreatIntel": ["ip_src_addr", "ip_dst_addr"]
},
"fieldToTypeMap":
{
"ip_src_addr" : ["malicious_ip"],
"ip_dst_addr" : ["malicious_ip"]
},
"triageConfig" : {
"riskLevelRules" : [
{
"name" : "Rule 1",
"rule" : "not(IN_SUBNET(ip_dst_addr, '192.168.0.0/24'))",
"score" : 10
},
{
"name" : "Rule 2",
"rule" : "not(GEO_GET(ip_dst_addr, '[country]'), 'US')",
"score" : 20
}
],
"aggregator" : "MAX"
}
}
}
However, I get the following error when I try to push the configuration into
ZooKeeper:
Exception in thread "main" java.lang.RuntimeException: Unable to load {
"enrichment" : {
"fieldMap":
{
"geo": ["ip_dst_addr", "ip_src_addr"],
"host": ["host"]
}
<snip>
at
org.apache.metron.common.configuration.ConfigurationType.lambda$static$2(ConfigurationType.java:54)
at
org.apache.metron.common.configuration.ConfigurationType.deserialize(ConfigurationType.java:93)
at
org.apache.metron.common.configuration.ConfigurationsUtils.writeSensorEnrichmentConfigToZookeeper(ConfigurationsUtils.java:123)
at
org.apache.metron.common.configuration.ConfigurationsUtils.uploadConfigsToZookeeper(ConfigurationsUtils.java:265)
at
org.apache.metron.common.configuration.ConfigurationsUtils.uploadConfigsToZookeeper(ConfigurationsUtils.java:226)
at
org.apache.metron.common.cli.ConfigurationManager.push(ConfigurationManager.java:155)
at
org.apache.metron.common.cli.ConfigurationManager.run(ConfigurationManager.java:170)
at
org.apache.metron.common.cli.ConfigurationManager.run(ConfigurationManager.java:161)
at
org.apache.metron.common.cli.ConfigurationManager.main(ConfigurationManager.java:198)
Caused by: org.apache.metron.jackson.databind.JsonMappingException: N/A
at [Source: {
<snip>
}
; line: 31, column: 7] (through reference chain:
org.apache.metron.common.configuration.enrichment.SensorEnrichmentConfig["threatIntel"]->org.apache.metron.common.configuration.enrichment.threatintel.ThreatIntelConfig["triageConfig"]->org.apache.metron.common.configuration.enrichment.threatintel.ThreatTriageConfig["riskLevelRules"])
at
org.apache.metron.jackson.databind.JsonMappingException.from(JsonMappingException.java:262)
at
org.apache.metron.jackson.databind.deser.SettableBeanProperty._throwAsIOE(SettableBeanProperty.java:537)
at
org.apache.metron.jackson.databind.deser.SettableBeanProperty._throwAsIOE(SettableBeanProperty.java:518)
at
org.apache.metron.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:99)
at
org.apache.metron.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:260)
at
org.apache.metron.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:125)
at
org.apache.metron.jackson.databind.deser.SettableBeanProperty.deserialize(SettableBeanProperty.java:490)
at
org.apache.metron.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:95)
at
org.apache.metron.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:260)
at
org.apache.metron.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:125)
at
org.apache.metron.jackson.databind.deser.SettableBeanProperty.deserialize(SettableBeanProperty.java:490)
at
org.apache.metron.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:95)
at
org.apache.metron.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:260)
at
org.apache.metron.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:125)
at
org.apache.metron.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:3807)
at
org.apache.metron.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:2797)
at org.apache.metron.common.utils.JSONUtils.load(JSONUtils.java:65)
at
org.apache.metron.common.configuration.ConfigurationType.lambda$static$2(ConfigurationType.java:52)
... 8 more
Caused by: org.antlr.v4.runtime.NoViableAltException
at
org.antlr.v4.runtime.atn.ParserATNSimulator.noViableAlt(ParserATNSimulator.java:1894)
at
org.antlr.v4.runtime.atn.ParserATNSimulator.execATN(ParserATNSimulator.java:498)
at
org.antlr.v4.runtime.atn.ParserATNSimulator.adaptivePredict(ParserATNSimulator.java:424)
at
org.apache.metron.stellar.common.generated.StellarParser.transformation_expr(StellarParser.java:287)
at
org.apache.metron.stellar.common.generated.StellarParser.transformation(StellarParser.java:154)
at
org.apache.metron.stellar.common.BaseStellarProcessor.compile(BaseStellarProcessor.java:184)
at
org.apache.metron.stellar.common.BaseStellarProcessor.lambda$parse$1(BaseStellarProcessor.java:146)
at
org.apache.metron.guava.cache.LocalCache$LocalManualCache$1.load(LocalCache.java:4739)
at
org.apache.metron.guava.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3524)
at
org.apache.metron.guava.cache.LocalCache$Segment.loadSync(LocalCache.java:2317)
at
org.apache.metron.guava.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2280)
at org.apache.metron.guava.cache.LocalCache$Segment.get(LocalCache.java:2195)
at org.apache.metron.guava.cache.LocalCache.get(LocalCache.java:3934)
at
org.apache.metron.guava.cache.LocalCache$LocalManualCache.get(LocalCache.java:4736)
at
org.apache.metron.stellar.common.BaseStellarProcessor.parse(BaseStellarProcessor.java:146)
at
org.apache.metron.stellar.common.StellarPredicateProcessor.parse(StellarPredicateProcessor.java:60)
at
org.apache.metron.stellar.common.StellarPredicateProcessor.parse(StellarPredicateProcessor.java:37)
at
org.apache.metron.stellar.common.BaseStellarProcessor.validate(BaseStellarProcessor.java:237)
at
org.apache.metron.stellar.common.BaseStellarProcessor.validate(BaseStellarProcessor.java:199)
at
org.apache.metron.common.configuration.enrichment.threatintel.ThreatTriageConfig.setRiskLevelRules(ThreatTriageConfig.java:61)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.apache.metron.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:97)
... 22 more
Could someone please point out the error in my configuration? Note that I
have tested the GEO_GET expression in the Stellar shell and it works fine there.
Thanks,
Anand