Just perfect! Thanks much, Simon.

Cheers
Anand

From: Simon Elliston Ball 
<si...@simonellistonball.com<mailto:si...@simonellistonball.com>>
Reply-To: "user@metron.apache.org<mailto:user@metron.apache.org>" 
<user@metron.apache.org<mailto:user@metron.apache.org>>
Date: Tuesday, August 8, 2017 at 7:35 PM
To: "user@metron.apache.org<mailto:user@metron.apache.org>" 
<user@metron.apache.org<mailto:user@metron.apache.org>>
Subject: Re: Threat triage rules using stellar geo enrichment

A much better way of doing this is to run the geo enrichment as part of the 
regular enrichment process and then just use the output field for the rule. 
Your config already does this, so your rule is in effect running the same 
enrichment twice. Just use enrichments.geo.ip_dst_addr.country != ‘US’ for a 
significantly simpler and more performant rule.

Simon


On 8 Aug 2017, at 14:47, Anand Subramanian 
<asubraman...@hortonworks.com<mailto:asubraman...@hortonworks.com>> wrote:

Thank you, Casey. That worked!

Regards,
Anand

From: Casey Stella <ceste...@gmail.com<mailto:ceste...@gmail.com>>
Reply-To: "user@metron.apache.org<mailto:user@metron.apache.org>" 
<user@metron.apache.org<mailto:user@metron.apache.org>>
Date: Tuesday, August 8, 2017 at 7:12 PM
To: "user@metron.apache.org<mailto:user@metron.apache.org>" 
<user@metron.apache.org<mailto:user@metron.apache.org>>
Subject: Re: Threat triage rules using stellar geo enrichment

I think you want:

GEO_GET( ip_dst_addr, ['country']) != 'US'

On Tue, Aug 8, 2017 at 7:29 AM, Anand Subramanian 
<asubraman...@hortonworks.com<mailto:asubraman...@hortonworks.com>> wrote:
Hello All,

I am trying to write a triage rule where I would like to set the alert score 
based on Geo enrichment output, as follows.

$ cat $METRON_HOME/config/zookeeper/enrichments/snort.json
{
  "enrichment" : {
    "fieldMap":
      {
      "geo": ["ip_dst_addr", "ip_src_addr"],
      "host": ["host"]
    }
  },
  "threatIntel" : {
    "fieldMap":
      {
      "hbaseThreatIntel": ["ip_src_addr", "ip_dst_addr"]
    },
    "fieldToTypeMap":
      {
      "ip_src_addr" : ["malicious_ip"],
      "ip_dst_addr" : ["malicious_ip"]
    },
    "triageConfig" : {
      "riskLevelRules" : [
        {
          "name" : "Rule 1",
          "rule" : "not(IN_SUBNET(ip_dst_addr, 
'192.168.0.0/24')<http://192.168.0.0/24')>)",
          "score" : 10
        },
        {
          "name" : "Rule 2",
          "rule" : "not(GEO_GET(ip_dst_addr, '[country]'), 'US')",
          "score" : 20
        }
      ],
      "aggregator" : "MAX"
    }
  }
}

But I am getting the following error when trying to push the configuration into 
zookeeper:

Exception in thread "main" java.lang.RuntimeException: Unable to load {
  "enrichment" : {
    "fieldMap":
      {
      "geo": ["ip_dst_addr", "ip_src_addr"],
      "host": ["host"]
    }
<snip>
at 
org.apache.metron.common.configuration.ConfigurationType.lambda$static$2(ConfigurationType.java:54)
at 
org.apache.metron.common.configuration.ConfigurationType.deserialize(ConfigurationType.java:93)
at 
org.apache.metron.common.configuration.ConfigurationsUtils.writeSensorEnrichmentConfigToZookeeper(ConfigurationsUtils.java:123)
at 
org.apache.metron.common.configuration.ConfigurationsUtils.uploadConfigsToZookeeper(ConfigurationsUtils.java:265)
at 
org.apache.metron.common.configuration.ConfigurationsUtils.uploadConfigsToZookeeper(ConfigurationsUtils.java:226)
at 
org.apache.metron.common.cli.ConfigurationManager.push(ConfigurationManager.java:155)
at 
org.apache.metron.common.cli.ConfigurationManager.run(ConfigurationManager.java:170)
at 
org.apache.metron.common.cli.ConfigurationManager.run(ConfigurationManager.java:161)
at 
org.apache.metron.common.cli.ConfigurationManager.main(ConfigurationManager.java:198)
Caused by: org.apache.metron.jackson.databind.JsonMappingException: N/A
 at [Source: {
<snip>
}
; line: 31, column: 7] (through reference chain: 
org.apache.metron.common.configuration.enrichment.SensorEnrichmentConfig["threatIntel"]->org.apache.metron.common.configuration.enrichment.threatintel.ThreatIntelConfig["triageConfig"]->org.apache.metron.common.configuration.enrichment.threatintel.ThreatTriageConfig["riskLevelRules"])
at 
org.apache.metron.jackson.databind.JsonMappingException.from(JsonMappingException.java:262)
at 
org.apache.metron.jackson.databind.deser.SettableBeanProperty._throwAsIOE(SettableBeanProperty.java:537)
at 
org.apache.metron.jackson.databind.deser.SettableBeanProperty._throwAsIOE(SettableBeanProperty.java:518)
at 
org.apache.metron.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:99)
at 
org.apache.metron.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:260)
at 
org.apache.metron.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:125)
at 
org.apache.metron.jackson.databind.deser.SettableBeanProperty.deserialize(SettableBeanProperty.java:490)
at 
org.apache.metron.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:95)
at 
org.apache.metron.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:260)
at 
org.apache.metron.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:125)
at 
org.apache.metron.jackson.databind.deser.SettableBeanProperty.deserialize(SettableBeanProperty.java:490)
at 
org.apache.metron.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:95)
at 
org.apache.metron.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:260)
at 
org.apache.metron.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:125)
at 
org.apache.metron.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:3807)
at 
org.apache.metron.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:2797)
at org.apache.metron.common.utils.JSONUtils.load(JSONUtils.java:65)
at 
org.apache.metron.common.configuration.ConfigurationType.lambda$static$2(ConfigurationType.java:52)
... 8 more
Caused by: org.antlr.v4.runtime.NoViableAltException
at 
org.antlr.v4.runtime.atn.ParserATNSimulator.noViableAlt(ParserATNSimulator.java:1894)
at 
org.antlr.v4.runtime.atn.ParserATNSimulator.execATN(ParserATNSimulator.java:498)
at 
org.antlr.v4.runtime.atn.ParserATNSimulator.adaptivePredict(ParserATNSimulator.java:424)
at 
org.apache.metron.stellar.common.generated.StellarParser.transformation_expr(StellarParser.java:287)
at 
org.apache.metron.stellar.common.generated.StellarParser.transformation(StellarParser.java:154)
at 
org.apache.metron.stellar.common.BaseStellarProcessor.compile(BaseStellarProcessor.java:184)
at 
org.apache.metron.stellar.common.BaseStellarProcessor.lambda$parse$1(BaseStellarProcessor.java:146)
at 
org.apache.metron.guava.cache.LocalCache$LocalManualCache$1.load(LocalCache.java:4739)
at 
org.apache.metron.guava.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3524)
at 
org.apache.metron.guava.cache.LocalCache$Segment.loadSync(LocalCache.java:2317)
at 
org.apache.metron.guava.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2280)
at org.apache.metron.guava.cache.LocalCache$Segment.get(LocalCache.java:2195)
at org.apache.metron.guava.cache.LocalCache.get(LocalCache.java:3934)
at 
org.apache.metron.guava.cache.LocalCache$LocalManualCache.get(LocalCache.java:4736)
at 
org.apache.metron.stellar.common.BaseStellarProcessor.parse(BaseStellarProcessor.java:146)
at 
org.apache.metron.stellar.common.StellarPredicateProcessor.parse(StellarPredicateProcessor.java:60)
at 
org.apache.metron.stellar.common.StellarPredicateProcessor.parse(StellarPredicateProcessor.java:37)
at 
org.apache.metron.stellar.common.BaseStellarProcessor.validate(BaseStellarProcessor.java:237)
at 
org.apache.metron.stellar.common.BaseStellarProcessor.validate(BaseStellarProcessor.java:199)
at 
org.apache.metron.common.configuration.enrichment.threatintel.ThreatTriageConfig.setRiskLevelRules(ThreatTriageConfig.java:61)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at 
org.apache.metron.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:97)
... 22 more

Could someone please point out the error with my configuration? Note that I 
have tested the GEO_GET expression on the stellar shell and it works fine.

Thanks,
Anand


Reply via email to