Thank you, Casey. That worked!

Regards,
Anand

From: Casey Stella <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Tuesday, August 8, 2017 at 7:12 PM
To: "[email protected]" <[email protected]>
Subject: Re: Threat triage rules using stellar geo enrichment

I think you want:

    GEO_GET( ip_dst_addr, ['country']) != 'US'

On Tue, Aug 8, 2017 at 7:29 AM, Anand Subramanian <[email protected]> wrote:

Hello All,

I am trying to write a triage rule where I would like to set the alert score based on Geo enrichment output, as follows.

    $ cat $METRON_HOME/config/zookeeper/enrichments/snort.json
    {
      "enrichment" : {
        "fieldMap": {
          "geo": ["ip_dst_addr", "ip_src_addr"],
          "host": ["host"]
        }
      },
      "threatIntel" : {
        "fieldMap": {
          "hbaseThreatIntel": ["ip_src_addr", "ip_dst_addr"]
        },
        "fieldToTypeMap": {
          "ip_src_addr" : ["malicious_ip"],
          "ip_dst_addr" : ["malicious_ip"]
        },
        "triageConfig" : {
          "riskLevelRules" : [
            {
              "name" : "Rule 1",
              "rule" : "not(IN_SUBNET(ip_dst_addr, '192.168.0.0/24'))",
              "score" : 10
            },
            {
              "name" : "Rule 2",
              "rule" : "not(GEO_GET(ip_dst_addr, '[country]'), 'US')",
              "score" : 20
            }
          ],
          "aggregator" : "MAX"
        }
      }
    }

But I am getting the following error when trying to push the configuration into zookeeper:

    Exception in thread "main" java.lang.RuntimeException: Unable to load {
      "enrichment" : {
        "fieldMap": {
          "geo": ["ip_dst_addr", "ip_src_addr"],
          "host": ["host"]
        }
    <snip>
        at org.apache.metron.common.configuration.ConfigurationType.lambda$static$2(ConfigurationType.java:54)
        at org.apache.metron.common.configuration.ConfigurationType.deserialize(ConfigurationType.java:93)
        at org.apache.metron.common.configuration.ConfigurationsUtils.writeSensorEnrichmentConfigToZookeeper(ConfigurationsUtils.java:123)
        at org.apache.metron.common.configuration.ConfigurationsUtils.uploadConfigsToZookeeper(ConfigurationsUtils.java:265)
        at org.apache.metron.common.configuration.ConfigurationsUtils.uploadConfigsToZookeeper(ConfigurationsUtils.java:226)
        at org.apache.metron.common.cli.ConfigurationManager.push(ConfigurationManager.java:155)
        at org.apache.metron.common.cli.ConfigurationManager.run(ConfigurationManager.java:170)
        at org.apache.metron.common.cli.ConfigurationManager.run(ConfigurationManager.java:161)
        at org.apache.metron.common.cli.ConfigurationManager.main(ConfigurationManager.java:198)
    Caused by: org.apache.metron.jackson.databind.JsonMappingException: N/A
     at [Source: { <snip> } ; line: 31, column: 7] (through reference chain: org.apache.metron.common.configuration.enrichment.SensorEnrichmentConfig["threatIntel"]->org.apache.metron.common.configuration.enrichment.threatintel.ThreatIntelConfig["triageConfig"]->org.apache.metron.common.configuration.enrichment.threatintel.ThreatTriageConfig["riskLevelRules"])
        at org.apache.metron.jackson.databind.JsonMappingException.from(JsonMappingException.java:262)
        at org.apache.metron.jackson.databind.deser.SettableBeanProperty._throwAsIOE(SettableBeanProperty.java:537)
        at org.apache.metron.jackson.databind.deser.SettableBeanProperty._throwAsIOE(SettableBeanProperty.java:518)
        at org.apache.metron.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:99)
        at org.apache.metron.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:260)
        at org.apache.metron.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:125)
        at org.apache.metron.jackson.databind.deser.SettableBeanProperty.deserialize(SettableBeanProperty.java:490)
        at org.apache.metron.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:95)
        at org.apache.metron.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:260)
        at org.apache.metron.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:125)
        at org.apache.metron.jackson.databind.deser.SettableBeanProperty.deserialize(SettableBeanProperty.java:490)
        at org.apache.metron.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:95)
        at org.apache.metron.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:260)
        at org.apache.metron.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:125)
        at org.apache.metron.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:3807)
        at org.apache.metron.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:2797)
        at org.apache.metron.common.utils.JSONUtils.load(JSONUtils.java:65)
        at org.apache.metron.common.configuration.ConfigurationType.lambda$static$2(ConfigurationType.java:52)
        ... 8 more
    Caused by: org.antlr.v4.runtime.NoViableAltException
        at org.antlr.v4.runtime.atn.ParserATNSimulator.noViableAlt(ParserATNSimulator.java:1894)
        at org.antlr.v4.runtime.atn.ParserATNSimulator.execATN(ParserATNSimulator.java:498)
        at org.antlr.v4.runtime.atn.ParserATNSimulator.adaptivePredict(ParserATNSimulator.java:424)
        at org.apache.metron.stellar.common.generated.StellarParser.transformation_expr(StellarParser.java:287)
        at org.apache.metron.stellar.common.generated.StellarParser.transformation(StellarParser.java:154)
        at org.apache.metron.stellar.common.BaseStellarProcessor.compile(BaseStellarProcessor.java:184)
        at org.apache.metron.stellar.common.BaseStellarProcessor.lambda$parse$1(BaseStellarProcessor.java:146)
        at org.apache.metron.guava.cache.LocalCache$LocalManualCache$1.load(LocalCache.java:4739)
        at org.apache.metron.guava.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3524)
        at org.apache.metron.guava.cache.LocalCache$Segment.loadSync(LocalCache.java:2317)
        at org.apache.metron.guava.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2280)
        at org.apache.metron.guava.cache.LocalCache$Segment.get(LocalCache.java:2195)
        at org.apache.metron.guava.cache.LocalCache.get(LocalCache.java:3934)
        at org.apache.metron.guava.cache.LocalCache$LocalManualCache.get(LocalCache.java:4736)
        at org.apache.metron.stellar.common.BaseStellarProcessor.parse(BaseStellarProcessor.java:146)
        at org.apache.metron.stellar.common.StellarPredicateProcessor.parse(StellarPredicateProcessor.java:60)
        at org.apache.metron.stellar.common.StellarPredicateProcessor.parse(StellarPredicateProcessor.java:37)
        at org.apache.metron.stellar.common.BaseStellarProcessor.validate(BaseStellarProcessor.java:237)
        at org.apache.metron.stellar.common.BaseStellarProcessor.validate(BaseStellarProcessor.java:199)
        at org.apache.metron.common.configuration.enrichment.threatintel.ThreatTriageConfig.setRiskLevelRules(ThreatTriageConfig.java:61)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.metron.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:97)
        ... 22 more

Could someone please point out the error with my configuration? Note that I have tested the GEO_GET expression on the stellar shell and it works fine.

Thanks,
Anand
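As an added example that is not part of this thread or of Metron's own code, the following Python models how the triageConfig above scores a message once Rule 2 is written the way Casey suggested: each riskLevelRule contributes its score when its predicate holds, and the MAX aggregator keeps the largest. IN_SUBNET and GEO_GET are stand-ins over a constructed geo table, and the rule strings are mapped to Python predicates by name rather than parsed as Stellar.

```python
"""Model of how Metron's threat triage scores a message under the corrected
snort.json rules. Added example, not Metron's code: GEO_GET and IN_SUBNET are
stand-ins backed by a constructed geo table, not the real Stellar functions."""
import ipaddress
import json

# triageConfig from the thread, with Rule 2 in the form Casey suggested.
TRIAGE_CONFIG = json.loads("""{
  "riskLevelRules": [
    {"name": "Rule 1", "rule": "not(IN_SUBNET(ip_dst_addr, '192.168.0.0/24'))", "score": 10},
    {"name": "Rule 2", "rule": "GEO_GET(ip_dst_addr, ['country']) != 'US'", "score": 20}
  ],
  "aggregator": "MAX"
}""")

# Constructed lookup standing in for the geo enrichment database (TEST-NET addresses).
GEO_TABLE = {"203.0.113.7": {"country": "DE"}, "198.51.100.9": {"country": "US"}}

def in_subnet(ip, cidr):
    """Stand-in for IN_SUBNET: true when ip lies inside the CIDR block."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def geo_get(ip, fields):
    """Stand-in for GEO_GET: one requested field returns its value, several return
    a dict; an address absent from the table (e.g. RFC 1918 space) returns None."""
    rec = GEO_TABLE.get(ip)
    if rec is None:
        return None
    return rec.get(fields[0]) if len(fields) == 1 else {f: rec.get(f) for f in fields}

# Python equivalents of the two Stellar rule strings above, keyed by rule name.
RULE_IMPL = {
    "Rule 1": lambda msg: not in_subnet(msg["ip_dst_addr"], "192.168.0.0/24"),
    # In this model None != 'US' is true, so Rule 2 also fires on addresses with
    # no geo record; the thread's rule has no guard for that case.
    "Rule 2": lambda msg: geo_get(msg["ip_dst_addr"], ["country"]) != "US",
}

def triage(msg, config=TRIAGE_CONFIG):
    """Evaluate every riskLevelRule; return (aggregate score, rules that fired)."""
    fired = [(r["name"], r["score"]) for r in config["riskLevelRules"]
             if RULE_IMPL[r["name"]](msg)]
    scores = [s for _, s in fired]
    if config["aggregator"] == "MAX":     # the thread's aggregator: highest hit wins
        return max(scores, default=0), fired
    if config["aggregator"] == "SUM":     # Metron also offers additive aggregation
        return sum(scores), fired
    raise ValueError("unsupported aggregator: " + config["aggregator"])
```

Running triage on a LAN address shows the caveat: with no geo record the model's Rule 2 still fires, so check how GEO_GET behaves on addresses absent from your geo database before relying on the rule as the only filter.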
