I think you want: GEO_GET( ip_dst_addr, ['country']) != 'US'. As written, the rule passes two arguments to not(...) and quotes '[country]' as a string rather than a list, which the Stellar parser rejects (that is the NoViableAltException in your trace); ThreatTriageConfig.setRiskLevelRules validates every rule expression while the JSON is being deserialized, so the push fails at that point rather than after the config is written.
On Tue, Aug 8, 2017 at 7:29 AM, Anand Subramanian < [email protected]> wrote: > Hello All, > > I am trying to write a triage rule where I would like to set the alert > score based on Geo enrichment output, as follows. > > $ cat $METRON_HOME/config/zookeeper/enrichments/snort.json > { > "enrichment" : { > "fieldMap": > { > "geo": ["ip_dst_addr", "ip_src_addr"], > "host": ["host"] > } > }, > "threatIntel" : { > "fieldMap": > { > "hbaseThreatIntel": ["ip_src_addr", "ip_dst_addr"] > }, > "fieldToTypeMap": > { > "ip_src_addr" : ["malicious_ip"], > "ip_dst_addr" : ["malicious_ip"] > }, > "triageConfig" : { > "riskLevelRules" : [ > { > "name" : "Rule 1", > "rule" : "not(IN_SUBNET(ip_dst_addr, '192.168.0.0/24'))", > "score" : 10 > }, > { > "name" : "Rule 2", > * "rule" : "not(GEO_GET(ip_dst_addr, '[country]'), 'US')",* > "score" : 20 > } > ], > "aggregator" : "MAX" > } > } > } > > But I am getting the following error when trying to push the configuration > into zookeeper: > > Exception in thread "main" java.lang.RuntimeException: Unable to load { > "enrichment" : { > "fieldMap": > { > "geo": ["ip_dst_addr", "ip_src_addr"], > "host": ["host"] > } > <snip> > at org.apache.metron.common.configuration.ConfigurationType.lambda$ > static$2(ConfigurationType.java:54) > at org.apache.metron.common.configuration.ConfigurationType.deserialize( > ConfigurationType.java:93) > at org.apache.metron.common.configuration.ConfigurationsUtils. > writeSensorEnrichmentConfigToZookeeper(ConfigurationsUtils.java:123) > at org.apache.metron.common.configuration.ConfigurationsUtils. > uploadConfigsToZookeeper(ConfigurationsUtils.java:265) > at org.apache.metron.common.configuration.ConfigurationsUtils. 
> uploadConfigsToZookeeper(ConfigurationsUtils.java:226) > at org.apache.metron.common.cli.ConfigurationManager.push( > ConfigurationManager.java:155) > at org.apache.metron.common.cli.ConfigurationManager.run( > ConfigurationManager.java:170) > at org.apache.metron.common.cli.ConfigurationManager.run( > ConfigurationManager.java:161) > at org.apache.metron.common.cli.ConfigurationManager.main( > ConfigurationManager.java:198) > Caused by: org.apache.metron.jackson.databind.JsonMappingException: N/A > at [Source: { > <snip> > } > ; line: 31, column: 7] (through reference chain: org.apache.metron.common. > configuration.enrichment.SensorEnrichmentConfig[" > threatIntel"]->org.apache.metron.common.configuration. > enrichment.threatintel.ThreatIntelConfig["triageConfig"]->org.apache. > metron.common.configuration.enrichment.threatintel.ThreatTriageConfig[" > riskLevelRules"]) > at org.apache.metron.jackson.databind.JsonMappingException. > from(JsonMappingException.java:262) > at org.apache.metron.jackson.databind.deser.SettableBeanProperty._ > throwAsIOE(SettableBeanProperty.java:537) > at org.apache.metron.jackson.databind.deser.SettableBeanProperty._ > throwAsIOE(SettableBeanProperty.java:518) > at org.apache.metron.jackson.databind.deser.impl.MethodProperty. > deserializeAndSet(MethodProperty.java:99) > at org.apache.metron.jackson.databind.deser.BeanDeserializer. > vanillaDeserialize(BeanDeserializer.java:260) > at org.apache.metron.jackson.databind.deser.BeanDeserializer.deserialize( > BeanDeserializer.java:125) > at org.apache.metron.jackson.databind.deser.SettableBeanProperty. > deserialize(SettableBeanProperty.java:490) > at org.apache.metron.jackson.databind.deser.impl.MethodProperty. > deserializeAndSet(MethodProperty.java:95) > at org.apache.metron.jackson.databind.deser.BeanDeserializer. 
> vanillaDeserialize(BeanDeserializer.java:260) > at org.apache.metron.jackson.databind.deser.BeanDeserializer.deserialize( > BeanDeserializer.java:125) > at org.apache.metron.jackson.databind.deser.SettableBeanProperty. > deserialize(SettableBeanProperty.java:490) > at org.apache.metron.jackson.databind.deser.impl.MethodProperty. > deserializeAndSet(MethodProperty.java:95) > at org.apache.metron.jackson.databind.deser.BeanDeserializer. > vanillaDeserialize(BeanDeserializer.java:260) > at org.apache.metron.jackson.databind.deser.BeanDeserializer.deserialize( > BeanDeserializer.java:125) > at org.apache.metron.jackson.databind.ObjectMapper._ > readMapAndClose(ObjectMapper.java:3807) > at org.apache.metron.jackson.databind.ObjectMapper. > readValue(ObjectMapper.java:2797) > at org.apache.metron.common.utils.JSONUtils.load(JSONUtils.java:65) > at org.apache.metron.common.configuration.ConfigurationType.lambda$ > static$2(ConfigurationType.java:52) > ... 8 more > Caused by: org.antlr.v4.runtime.NoViableAltException > at org.antlr.v4.runtime.atn.ParserATNSimulator.noViableAlt( > ParserATNSimulator.java:1894) > at org.antlr.v4.runtime.atn.ParserATNSimulator.execATN( > ParserATNSimulator.java:498) > at org.antlr.v4.runtime.atn.ParserATNSimulator.adaptivePredict( > ParserATNSimulator.java:424) > at org.apache.metron.stellar.common.generated. > StellarParser.transformation_expr(StellarParser.java:287) > at org.apache.metron.stellar.common.generated. > StellarParser.transformation(StellarParser.java:154) > at org.apache.metron.stellar.common.BaseStellarProcessor. > compile(BaseStellarProcessor.java:184) > at org.apache.metron.stellar.common.BaseStellarProcessor.lambda$parse$1( > BaseStellarProcessor.java:146) > at org.apache.metron.guava.cache.LocalCache$LocalManualCache$1. > load(LocalCache.java:4739) > at org.apache.metron.guava.cache.LocalCache$LoadingValueReference. 
> loadFuture(LocalCache.java:3524) > at org.apache.metron.guava.cache.LocalCache$Segment.loadSync( > LocalCache.java:2317) > at org.apache.metron.guava.cache.LocalCache$Segment. > lockedGetOrLoad(LocalCache.java:2280) > at org.apache.metron.guava.cache.LocalCache$Segment.get( > LocalCache.java:2195) > at org.apache.metron.guava.cache.LocalCache.get(LocalCache.java:3934) > at org.apache.metron.guava.cache.LocalCache$LocalManualCache. > get(LocalCache.java:4736) > at org.apache.metron.stellar.common.BaseStellarProcessor. > parse(BaseStellarProcessor.java:146) > at org.apache.metron.stellar.common.StellarPredicateProcessor.parse( > StellarPredicateProcessor.java:60) > at org.apache.metron.stellar.common.StellarPredicateProcessor.parse( > StellarPredicateProcessor.java:37) > at org.apache.metron.stellar.common.BaseStellarProcessor. > validate(BaseStellarProcessor.java:237) > at org.apache.metron.stellar.common.BaseStellarProcessor. > validate(BaseStellarProcessor.java:199) > at org.apache.metron.common.configuration.enrichment.threatintel. > ThreatTriageConfig.setRiskLevelRules(ThreatTriageConfig.java:61) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at sun.reflect.NativeMethodAccessorImpl.invoke( > NativeMethodAccessorImpl.java:62) > at sun.reflect.DelegatingMethodAccessorImpl.invoke( > DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > at org.apache.metron.jackson.databind.deser.impl.MethodProperty. > deserializeAndSet(MethodProperty.java:97) > ... 22 more > > Could someone please point out the error with my configuration? Note that > I have tested the GEO_GET expression on the stellar shell and it works > fine. > > Thanks, > Anand >
