Metron (Retired): METRON-507

Elasticsearch is incorrectly indexing the Bro DNS "answers" field


Details

    • Bug
    • Status: Done
    • Major
    • Resolution: Done
    • None
    • 0.3.0
    • None
    • Important

    Description

      Currently the template provided to Elasticsearch for Bro logs assumes that the "answers" field of a Bro DNS log will always contain an IP address, but that is not always true. Depending on the type of record received, the contents can be IP addresses, domain names, or character strings. Various RFCs outline this; a good starting point is RFC 1035 section 3.3.

      Example error:
      [1]: index [bro_index_2016.10.18.12], type [bro_doc], id [xyz-abc], message [MapperParsingException[failed to parse [answers]]; nested: IllegalArgumentException[failed to parse ip [something.example.com], not a valid ip address];]
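      The following is an added example, not code from the ticket or from Metron itself: it classifies the values a Bro dns.log "answers" array can carry (IP literal, domain name, or character string, following RFC 1035 section 3.3), reports which values an Elasticsearch "ip" mapping would reject, and shows one defensive way to keep IP-typed querying by splitting the IP literals into a separate field. The sample log lines, the field names answers_ip and answers_type, and the name-vs-text heuristic are assumptions for this example.

```python
import ipaddress
import json

# Constructed sample lines in Bro's JSON dns.log format (not taken from the ticket).
SAMPLE_DNS_LOGS = [
    '{"ts":1476793200.0,"uid":"C1","query":"www.example.com","qtype_name":"A","answers":["93.184.216.34"]}',
    '{"ts":1476793201.0,"uid":"C2","query":"example.com","qtype_name":"MX","answers":["mail.example.com"]}',
    '{"ts":1476793202.0,"uid":"C3","query":"example.com","qtype_name":"TXT","answers":["v=spf1 -all"]}',
    '{"ts":1476793203.0,"uid":"C4","query":"v6.example.com","qtype_name":"AAAA","answers":["2606:2800:220:1::1946"]}',
]


def classify_answer(value):
    """Heuristic per RFC 1035 s3.3: 'ip' for an IPv4/IPv6 literal, 'name' for a
    domain name (letter/digit/hyphen labels joined by dots), otherwise 'text'."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    if all(
        lab and lab.replace("-", "").isalnum()
        and not lab.startswith("-") and not lab.endswith("-")
        for lab in labels
    ):
        return "name"
    return "text"


def non_ip_answers(line):
    """Values an Elasticsearch 'ip' mapping on 'answers' would reject, i.e. the
    kind of input behind the MapperParsingException quoted in the ticket."""
    rec = json.loads(line)
    return [a for a in rec.get("answers", []) if classify_answer(a) != "ip"]


def prepare_for_index(line):
    """Route each answer to a field whose mapping accepts it: 'answers' keeps every
    value as a string, 'answers_ip' holds only IP literals, 'answers_type' records
    which kinds were seen. (Field names are assumptions, not the ticket's fix.)"""
    rec = json.loads(line)
    answers = rec.get("answers", [])
    rec["answers_ip"] = [a for a in answers if classify_answer(a) == "ip"]
    rec["answers_type"] = sorted({classify_answer(a) for a in answers})
    return rec


if __name__ == "__main__":
    for line in SAMPLE_DNS_LOGS:
        print(non_ip_answers(line), prepare_for_index(line)["answers_ip"])
```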

      People

        Unassigned
        jonzeolla Jon Zeolla