I think you want:

GEO_GET( ip_dst_addr, ['country']) != 'US'

The innermost "Caused by" in your trace is a NoViableAltException from StellarParser, reached via ThreatTriageConfig.setRiskLevelRules, so the JSON itself is fine and it is the Rule 2 expression that fails to parse during validation. Compared with your version, the field list is the list literal ['country'] rather than the string '[country]', and the comparison with 'US' is written as != instead of being passed as a second argument to not(...).

On Tue, Aug 8, 2017 at 7:29 AM, Anand Subramanian <
asubraman...@hortonworks.com> wrote:

> Hello All,
>
> I am trying to write a triage rule where I would like to set the alert
> score based on Geo enrichment output, as follows.
>
> $ cat $METRON_HOME/config/zookeeper/enrichments/snort.json
> {
>   "enrichment" : {
>     "fieldMap":
>       {
>       "geo": ["ip_dst_addr", "ip_src_addr"],
>       "host": ["host"]
>     }
>   },
>   "threatIntel" : {
>     "fieldMap":
>       {
>       "hbaseThreatIntel": ["ip_src_addr", "ip_dst_addr"]
>     },
>     "fieldToTypeMap":
>       {
>       "ip_src_addr" : ["malicious_ip"],
>       "ip_dst_addr" : ["malicious_ip"]
>     },
>     "triageConfig" : {
>       "riskLevelRules" : [
>         {
>           "name" : "Rule 1",
>           "rule" : "not(IN_SUBNET(ip_dst_addr, '192.168.0.0/24'))",
>           "score" : 10
>         },
>         {
>           "name" : "Rule 2",
> *          "rule" : "not(GEO_GET(ip_dst_addr, '[country]'), 'US')",*
>           "score" : 20
>         }
>       ],
>       "aggregator" : "MAX"
>     }
>   }
> }
>
> But I am getting the following error when trying to push the configuration
> into zookeeper:
>
> Exception in thread "main" java.lang.RuntimeException: Unable to load {
>   "enrichment" : {
>     "fieldMap":
>       {
>       "geo": ["ip_dst_addr", "ip_src_addr"],
>       "host": ["host"]
>     }
> <snip>
> at org.apache.metron.common.configuration.ConfigurationType.lambda$
> static$2(ConfigurationType.java:54)
> at org.apache.metron.common.configuration.ConfigurationType.deserialize(
> ConfigurationType.java:93)
> at org.apache.metron.common.configuration.ConfigurationsUtils.
> writeSensorEnrichmentConfigToZookeeper(ConfigurationsUtils.java:123)
> at org.apache.metron.common.configuration.ConfigurationsUtils.
> uploadConfigsToZookeeper(ConfigurationsUtils.java:265)
> at org.apache.metron.common.configuration.ConfigurationsUtils.
> uploadConfigsToZookeeper(ConfigurationsUtils.java:226)
> at org.apache.metron.common.cli.ConfigurationManager.push(
> ConfigurationManager.java:155)
> at org.apache.metron.common.cli.ConfigurationManager.run(
> ConfigurationManager.java:170)
> at org.apache.metron.common.cli.ConfigurationManager.run(
> ConfigurationManager.java:161)
> at org.apache.metron.common.cli.ConfigurationManager.main(
> ConfigurationManager.java:198)
> Caused by: org.apache.metron.jackson.databind.JsonMappingException: N/A
>  at [Source: {
> <snip>
> }
> ; line: 31, column: 7] (through reference chain: org.apache.metron.common.
> configuration.enrichment.SensorEnrichmentConfig["
> threatIntel"]->org.apache.metron.common.configuration.
> enrichment.threatintel.ThreatIntelConfig["triageConfig"]->org.apache.
> metron.common.configuration.enrichment.threatintel.ThreatTriageConfig["
> riskLevelRules"])
> at org.apache.metron.jackson.databind.JsonMappingException.
> from(JsonMappingException.java:262)
> at org.apache.metron.jackson.databind.deser.SettableBeanProperty._
> throwAsIOE(SettableBeanProperty.java:537)
> at org.apache.metron.jackson.databind.deser.SettableBeanProperty._
> throwAsIOE(SettableBeanProperty.java:518)
> at org.apache.metron.jackson.databind.deser.impl.MethodProperty.
> deserializeAndSet(MethodProperty.java:99)
> at org.apache.metron.jackson.databind.deser.BeanDeserializer.
> vanillaDeserialize(BeanDeserializer.java:260)
> at org.apache.metron.jackson.databind.deser.BeanDeserializer.deserialize(
> BeanDeserializer.java:125)
> at org.apache.metron.jackson.databind.deser.SettableBeanProperty.
> deserialize(SettableBeanProperty.java:490)
> at org.apache.metron.jackson.databind.deser.impl.MethodProperty.
> deserializeAndSet(MethodProperty.java:95)
> at org.apache.metron.jackson.databind.deser.BeanDeserializer.
> vanillaDeserialize(BeanDeserializer.java:260)
> at org.apache.metron.jackson.databind.deser.BeanDeserializer.deserialize(
> BeanDeserializer.java:125)
> at org.apache.metron.jackson.databind.deser.SettableBeanProperty.
> deserialize(SettableBeanProperty.java:490)
> at org.apache.metron.jackson.databind.deser.impl.MethodProperty.
> deserializeAndSet(MethodProperty.java:95)
> at org.apache.metron.jackson.databind.deser.BeanDeserializer.
> vanillaDeserialize(BeanDeserializer.java:260)
> at org.apache.metron.jackson.databind.deser.BeanDeserializer.deserialize(
> BeanDeserializer.java:125)
> at org.apache.metron.jackson.databind.ObjectMapper._
> readMapAndClose(ObjectMapper.java:3807)
> at org.apache.metron.jackson.databind.ObjectMapper.
> readValue(ObjectMapper.java:2797)
> at org.apache.metron.common.utils.JSONUtils.load(JSONUtils.java:65)
> at org.apache.metron.common.configuration.ConfigurationType.lambda$
> static$2(ConfigurationType.java:52)
> ... 8 more
> Caused by: org.antlr.v4.runtime.NoViableAltException
> at org.antlr.v4.runtime.atn.ParserATNSimulator.noViableAlt(
> ParserATNSimulator.java:1894)
> at org.antlr.v4.runtime.atn.ParserATNSimulator.execATN(
> ParserATNSimulator.java:498)
> at org.antlr.v4.runtime.atn.ParserATNSimulator.adaptivePredict(
> ParserATNSimulator.java:424)
> at org.apache.metron.stellar.common.generated.
> StellarParser.transformation_expr(StellarParser.java:287)
> at org.apache.metron.stellar.common.generated.
> StellarParser.transformation(StellarParser.java:154)
> at org.apache.metron.stellar.common.BaseStellarProcessor.
> compile(BaseStellarProcessor.java:184)
> at org.apache.metron.stellar.common.BaseStellarProcessor.lambda$parse$1(
> BaseStellarProcessor.java:146)
> at org.apache.metron.guava.cache.LocalCache$LocalManualCache$1.
> load(LocalCache.java:4739)
> at org.apache.metron.guava.cache.LocalCache$LoadingValueReference.
> loadFuture(LocalCache.java:3524)
> at org.apache.metron.guava.cache.LocalCache$Segment.loadSync(
> LocalCache.java:2317)
> at org.apache.metron.guava.cache.LocalCache$Segment.
> lockedGetOrLoad(LocalCache.java:2280)
> at org.apache.metron.guava.cache.LocalCache$Segment.get(
> LocalCache.java:2195)
> at org.apache.metron.guava.cache.LocalCache.get(LocalCache.java:3934)
> at org.apache.metron.guava.cache.LocalCache$LocalManualCache.
> get(LocalCache.java:4736)
> at org.apache.metron.stellar.common.BaseStellarProcessor.
> parse(BaseStellarProcessor.java:146)
> at org.apache.metron.stellar.common.StellarPredicateProcessor.parse(
> StellarPredicateProcessor.java:60)
> at org.apache.metron.stellar.common.StellarPredicateProcessor.parse(
> StellarPredicateProcessor.java:37)
> at org.apache.metron.stellar.common.BaseStellarProcessor.
> validate(BaseStellarProcessor.java:237)
> at org.apache.metron.stellar.common.BaseStellarProcessor.
> validate(BaseStellarProcessor.java:199)
> at org.apache.metron.common.configuration.enrichment.threatintel.
> ThreatTriageConfig.setRiskLevelRules(ThreatTriageConfig.java:61)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(
> NativeMethodAccessorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(
> DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.apache.metron.jackson.databind.deser.impl.MethodProperty.
> deserializeAndSet(MethodProperty.java:97)
> ... 22 more
>
> Could someone please point out the error with my configuration? Note that
> I have tested the GEO_GET expression on the stellar shell and it works
> fine.
>
> Thanks,
> Anand
>
