Project: Metron (Retired)
Issue: METRON-441

Aggregator function "MIN" does not work for threat triage


Details

    • Type: Bug
    • Status: Done
    • Priority: Major
    • Resolution: Done
    • Fix Version/s: 0.3.0

    Description

      The enrichment config in my deployment reads this:

      ======================================================
      ENRICHMENT Config: snort
      {
        "index": "snort",
        "batchSize": 1,
        "threatIntel": {
          "triageConfig": {
            "riskLevelRules": {
              "ip_dst_addr == '192.168.138.158'": 92.9,
              "exists(ip_dst_addr)": 92.01
            },
            "aggregator": "MIN"
          }
        }
      }
      ======================================================

      The threat.triage.level value is being set to '0' though the rule condition exists(ip_dst_addr) is satisfied.

      Enrichment logs:
      =======================================================
      2016-08-22 10:50:22.167 o.a.m.w.BulkWriterComponent [DEBUG] Acking 1 tuples
      2016-08-22 10:50:22.167 o.a.m.e.b.ThreatIntelJoinBolt [DEBUG] snort: Found sensor enrichment config.
      2016-08-22 10:50:22.167 o.a.m.e.b.ThreatIntelJoinBolt [DEBUG] snort: Found threat triage config: ThreatTriageConfig{riskLevelRules={ip_dst_addr == '192.168.138.158'=92.9, exists(ip_dst_addr)=92.01}, aggregator=MIN, aggregationConfig={}}
      2016-08-22 10:50:22.167 o.a.m.e.b.ThreatIntelJoinBolt [DEBUG] Marked snort as triage level 0.0 with rules ip_dst_addr == '192.168.138.158'=92.9 exists(ip_dst_addr)=92.01
      =====================================================
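A stand-alone model of the triage aggregation, added here as an illustration and not Metron's own code. It evaluates the report's two rules against a constructed Snort message whose destination is not 192.168.138.158, then aggregates the scores two ways: treating a non-matching rule as a 0.0 score reproduces the "triage level 0.0" seen in the log under MIN, while aggregating only the rules that fired yields 92.01. The rule evaluator is a toy that handles only the two rule forms in the report; it is not Stellar.

```python
import re

# Constructed sample data: the riskLevelRules from the report and a Snort
# message whose ip_dst_addr exists but is not the address in the first rule.
RISK_LEVEL_RULES = {
    "ip_dst_addr == '192.168.138.158'": 92.9,
    "exists(ip_dst_addr)": 92.01,
}
MESSAGE = {"ip_dst_addr": "10.0.0.5", "ip_src_addr": "10.0.0.9"}

# Toy evaluator (assumption: only these two rule shapes; not Stellar).
_EXISTS = re.compile(r"^exists\((\w+)\)$")
_EQUALS = re.compile(r"^(\w+)\s*==\s*'([^']*)'$")


def rule_matches(rule: str, message: dict) -> bool:
    """Return True when the rule condition holds for the message."""
    m = _EXISTS.match(rule)
    if m:
        return m.group(1) in message
    m = _EQUALS.match(rule)
    if m:
        return message.get(m.group(1)) == m.group(2)
    raise ValueError(f"unsupported rule form: {rule}")


AGGREGATORS = {"MIN": min, "MAX": max, "SUM": sum}


def triage_level_all_rules(rules: dict, message: dict, aggregator: str) -> float:
    """Behaviour consistent with the log: every rule contributes a score,
    0.0 when it does not match, so a single non-matching rule drives MIN to 0.0."""
    scores = [score if rule_matches(r, message) else 0.0 for r, score in rules.items()]
    return AGGREGATORS[aggregator](scores)


def triage_level_matched_only(rules: dict, message: dict, aggregator: str) -> float:
    """Behaviour the reporter expects: aggregate only the rules that fired;
    the level is 0.0 only when no rule matches at all."""
    scores = [score for r, score in rules.items() if rule_matches(r, message)]
    return AGGREGATORS[aggregator](scores) if scores else 0.0


if __name__ == "__main__":
    for agg in ("MIN", "MAX", "SUM"):
        print(agg,
              "all-rules:", triage_level_all_rules(RISK_LEVEL_RULES, MESSAGE, agg),
              "matched-only:", triage_level_matched_only(RISK_LEVEL_RULES, MESSAGE, agg))
```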

            People

              cestella Casey Stella
              nsinha17 Neha Sinha