Details
Description
Querying CNAME records returns nested answers, e.g. fedora.aau.at.
;; ANSWER SECTION: fedora.aau.at. 239 IN CNAME www-rpm.aau.at. www-rpm.aau.at. 149 IN A 143.205.180.155
This seems to get past the BasicBroParser but when it it comes to indexing, the bro es template expects type ip, not nested string/ip.
{
"TTLs":[
445.0,
414.0
],
"bro_timestamp":"1.472812583319753E9",
"ip_dst_port":53,
"threatinteljoinbolt:joiner:ts":"1472812589689",
"rejected":false,
"answers":[
"www-rpm.aau.at",
"143.205.180.155"
],
"enrichmentsplitterbolt:splitter:begin:ts":"1472812589689",
"enrichmentjoinbolt:joiner:ts":"1472812589689",
"trans_id":802,
"adapter:geoadapter:begin:ts":"1472812589689",
"uid":"C6jPJB1uNqfcJmUPMd",
"protocol":"dns",
"source:type":"bro",
"adapter:threatinteladapter:end:ts":"1472812589689",
"original_string":"DNS | AA:false TTLs:[445.0,414.0] id.orig_p:47902 rejected:false id.resp_p:53 query:fedora.aau.at answers:[\"www-rpm.aau.at\",\"143.205.180.155\"] trans_id:802 rcode:0 rcode_name:NOERROR TC:false RA:true uid:C6jPJB1uNqfcJmUPMd RD:false proto:udp id.orig_h:10.150.194.160 Z:0 ts:1.472812583319753E9 id.resp_h:10.150.194.5",
"ip_dst_addr":"10.150.194.5",
"adapter:hostfromjsonlistadapter:end:ts":"1472812589689",
"Z":0,
"adapter:geoadapter:end:ts":"1472812589689",
"ip_src_addr":"10.150.194.160",
"threatintelsplitterbolt:splitter:end:ts":"1472812589689",
"timestamp":1472812583319,
"AA":false,
"enrichmentsplitterbolt:splitter:end:ts":"1472812589689",
"query":"fedora.aau.at",
"rcode":0,
"adapter:hostfromjsonlistadapter:begin:ts":"1472812589689",
"rcode_name":"NOERROR",
"TC":false,
"RA":true,
"RD":false,
"ip_src_port":47902,
"proto":"udp",
"threatintelsplitterbolt:splitter:begin:ts":"1472812589689",
"adapter:threatinteladapter:begin:ts":"1472812589689"
}
throws
nested:IllegalArgumentException[
failed to parse ip [
www-rpm.aau.at
],
not a valid ip address
];
from bro_index.template
{
"answers": {
"type": "ip"
},
Attachments
Issue Links
- relates to
-
METRON-293 indexingBolt errors out for bro logs having IPV6 address or FQDNs
-
- Done
-
- links to
