  1. Metron (Retired)
  2. METRON-293

indexingBolt errors out for bro logs having IPV6 address or FQDNs

    Details

    • Type: Bug
    • Status: Done
    • Priority: Minor
    • Resolution: Done
    • Affects Version/s: 0.2.1BETA
    • Fix Version/s: None
    • Labels:
      None

      Description

      Hi,
      So I am injecting the following bro log that has IPv6 addresses:
      {"http": {"ts":1467617777.886267,"uid":"CXkPNR186cdD0rqPi","id.orig_h":"2001:cdba:0:0:0:0:3257:9652","id.orig_p":49191,"id.resp_h":"2001:cdba:0:0:0:0:3257:9651","id.resp_p":80,"trans_depth":1,"method":"GET","host":"62.75.195.236","uri":"/?3a08b0be8322c244f5a1cb9c1057d941","user_agent":"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)","request_body_len":0,"response_body_len":0,"status_code":200,"status_msg":"OK","tags":[]}}

      The bro parser parses the above log fine, but I happen to see an error with the enrichment indexingBolt.
      Please find attached the stack trace for the enrichment indexing bolt and also the Storm log captured for the bro parser.

      Regards,
      Neha

        Attachments

        1. Screen Shot 2016-07-08 at 4.59.56 PM.png
          937 kB
          Neha Sinha
        2. enrichment_indexingBolt_error_stack_trace.rtf
          4 kB
          Neha Sinha
        3. day1.pcap.gz
          2.75 MB
          Anand Subramanian
        4. bro_ipv6_address.rtf
          11 kB
          Neha Sinha

              People

              • Assignee:
                nickwallen Nick Allen
                Reporter:
                nsinha17 Neha Sinha