Project: Metron (Retired)
Issue: METRON-555

Require proper error handling when invalid input is fed to Threat triage rules


Details

    • Type: Bug
    • Status: Done
    • Priority: Major
    • Resolution: Done
    • 0.3.0

    Description

      I am getting the following error/exception for the threat triage, as the rule on the left side does not evaluate to true/false.
      How are we planning to handle such invalid inputs, as this impacts enrichment and indexing?

      Note: Tested with the bro parser. Have attached the zookeeper config dump for reference.
      =========================================================
      Enrichment Logs
      =========================================================
      2016-08-24 09:15:15.505 o.a.m.e.b.ThreatIntelJoinBolt [DEBUG] bro: Found threat triage config: ThreatTriageConfig{riskLevelRules={exists(ip_dst_addr)=0.1, TO_LOWER(host)=0.91, exists(ip_dst_port)=0.2, exists(ip_src_port)=0.3}, aggregator=MAX, aggregationConfig={NEGATIVE_VALUES_TRUMP_CONF=false}}
      2016-08-24 09:15:15.505 o.a.m.e.b.JoinBolt [ERROR] [Metron] Unable to join messages:
      {"adapter.threatinteladapter.end.ts":"1472030115499","adapter.threatinteladapter.begin.ts":"1472030115499","threatintels.hbaseThreatIntel.ip_src_addr":"","threatintels.hbaseThreatIntel.ip_dst_addr":"","source.type":"bro"}
      java.lang.ClassCastException: Cannot cast java.lang.String to java.lang.Boolean
      at java.lang.Class.cast(Class.java:3369) ~[?:1.8.0_60]
      at org.apache.metron.common.stellar.BaseStellarProcessor.parse(BaseStellarProcessor.java:58) ~[stormjar.jar:?]
      at org.apache.metron.common.stellar.StellarPredicateProcessor.parse(StellarPredicateProcessor.java:53) ~[stormjar.jar:?]
      at org.apache.metron.threatintel.triage.ThreatTriageProcessor.apply(ThreatTriageProcessor.java:58) ~[stormjar.jar:?]
      at org.apache.metron.enrichment.bolt.ThreatIntelJoinBolt.joinMessages(ThreatIntelJoinBolt.java:109) ~[stormjar.jar:?]
      at org.apache.metron.enrichment.bolt.ThreatIntelJoinBolt.joinMessages(ThreatIntelJoinBolt.java:38) ~[stormjar.jar:?]
      at org.apache.metron.enrichment.bolt.JoinBolt.execute(JoinBolt.java:111) [stormjar.jar:?]
      at backtype.storm.daemon.executor$fn_5492$tuple_action_fn_5494.invoke(executor.clj:684) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
      at backtype.storm.daemon.executor$mk_task_receiver$fn__5415.invoke(executor.clj:431) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
      at backtype.storm.disruptor$clojure_handler$reify__4991.onEvent(disruptor.clj:58) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
      at backtype.storm.utils.DisruptorQueue.consumeBatchToCursor(DisruptorQueue.java:125) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
      at backtype.storm.utils.DisruptorQueue.consumeBatchWhenAvailable(DisruptorQueue.java:99) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
      at backtype.storm.disruptor$consume_batch_when_available.invoke(disruptor.clj:80) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
      at backtype.storm.daemon.executor$fn_5492$fn5505$fn_5556.invoke(executor.clj:813) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
      at backtype.storm.util$async_loop$fn__644.invoke(util.clj:479) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
      at clojure.lang.AFn.run(AFn.java:22) [clojure-1.6.0.jar:?]
      at java.lang.Thread.run(Thread.java:745) [?:1.8.0_60]
      2016-08-24 09:15:15.505 b.s.d.executor [ERROR]
      java.lang.ClassCastException: Cannot cast java.lang.String to java.lang.Boolean
      at java.lang.Class.cast(Class.java:3369) ~[?:1.8.0_60]
      at org.apache.metron.common.stellar.BaseStellarProcessor.parse(BaseStellarProcessor.java:58) ~[stormjar.jar:?]
      at org.apache.metron.common.stellar.StellarPredicateProcessor.parse(StellarPredicateProcessor.java:53) ~[stormjar.jar:?]
      at org.apache.metron.threatintel.triage.ThreatTriageProcessor.apply(ThreatTriageProcessor.java:58) ~[stormjar.jar:?]
      at org.apache.metron.enrichment.bolt.ThreatIntelJoinBolt.joinMessages(ThreatIntelJoinBolt.java:109) ~[stormjar.jar:?]
      at org.apache.metron.enrichment.bolt.ThreatIntelJoinBolt.joinMessages(ThreatIntelJoinBolt.java:38) ~[stormjar.jar:?]
      at org.apache.metron.enrichment.bolt.JoinBolt.execute(JoinBolt.java:111) [stormjar.jar:?]
      at backtype.storm.daemon.executor$fn_5492$tuple_action_fn_5494.invoke(executor.clj:684) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
      at backtype.storm.daemon.executor$mk_task_receiver$fn__5415.invoke(executor.clj:431) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
      at backtype.storm.disruptor$clojure_handler$reify__4991.onEvent(disruptor.clj:58) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
      at backtype.storm.utils.DisruptorQueue.consumeBatchToCursor(DisruptorQueue.java:125) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
      at backtype.storm.utils.DisruptorQueue.consumeBatchWhenAvailable(DisruptorQueue.java:99) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
      at backtype.storm.disruptor$consume_batch_when_available.invoke(disruptor.clj:80) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
      at backtype.storm.daemon.executor$fn_5492$fn5505$fn_5556.invoke(executor.clj:813) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
      at backtype.storm.util$async_loop$fn__644.invoke(util.clj:479) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
      at clojure.lang.AFn.run(AFn.java:22) [clojure-1.6.0.jar:?]
      at java.lang.Thread.run(Thread.java:745) [?:1.8.0_60]
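The failure shown above is a rule whose expression (TO_LOWER(host)) returns a string rather than a boolean, so the cast to Boolean inside the predicate processor throws and the whole message fails to join. The defensive pattern is to reject such rules when the triage config is loaded and, at scoring time, to report and skip a rule that does not yield a boolean instead of aborting the message. The following Python is an added illustration, not Metron's code: it uses a toy two-form expression grammar (FUNC(field) and field == 'literal') as a stand-in for Stellar, and the names result_type, evaluate, validate_rules and triage are assumptions of this example. The rule map is copied from the riskLevelRules printed in the log above; the sample message is constructed.

```python
import re
from typing import Any, Callable, Dict, List, Tuple

# Rule set taken from the riskLevelRules map in the ticket's log line.
# TO_LOWER(host) returns a string, so it can never act as a predicate.
RISK_LEVEL_RULES: Dict[str, float] = {
    "exists(ip_dst_addr)": 0.1,
    "TO_LOWER(host)": 0.91,
    "exists(ip_dst_port)": 0.2,
    "exists(ip_src_port)": 0.3,
}

# Toy grammar (an assumption of this example, not Stellar):
#   FUNC(field)          e.g. exists(ip_dst_addr), TO_LOWER(host)
#   field == 'literal'   e.g. source.type == 'bro'
_CALL = re.compile(r"^(\w+)\(([\w.]+)\)$")
_EQ = re.compile(r"^([\w.]+)\s*==\s*'([^']*)'$")
# Static result type of each supported function.
_FUNC_TYPES = {"exists": bool, "TO_LOWER": str}


class RuleTypeError(ValueError):
    """Raised when a triage rule cannot be parsed or does not yield a boolean."""


def result_type(expr: str) -> type:
    """Infer the static result type of an expression without evaluating it."""
    text = expr.strip()
    m = _CALL.match(text)
    if m:
        func = m.group(1)
        if func not in _FUNC_TYPES:
            raise RuleTypeError(f"unknown function {func!r} in rule {expr!r}")
        return _FUNC_TYPES[func]
    if _EQ.match(text):
        return bool
    raise RuleTypeError(f"cannot parse rule {expr!r}")


def evaluate(expr: str, message: Dict[str, Any]) -> Any:
    """Evaluate an expression against a message; the result may not be a bool."""
    text = expr.strip()
    m = _CALL.match(text)
    if m:
        func, field = m.groups()
        if func == "exists":
            return message.get(field) is not None
        if func == "TO_LOWER":
            value = message.get(field)
            return None if value is None else str(value).lower()
    m = _EQ.match(text)
    if m:
        field, literal = m.groups()
        return message.get(field) == literal
    raise RuleTypeError(f"cannot parse rule {expr!r}")


def validate_rules(rules: Dict[str, float]) -> List[str]:
    """Config-load check: one problem description per rule that is not a predicate."""
    problems: List[str] = []
    for expr in rules:
        try:
            rtype = result_type(expr)
        except RuleTypeError as err:
            problems.append(str(err))
            continue
        if rtype is not bool:
            problems.append(f"rule {expr!r} evaluates to {rtype.__name__}, not boolean")
    return problems


def triage(
    message: Dict[str, Any],
    rules: Dict[str, float],
    aggregator: Callable[[List[float]], float] = max,
) -> Tuple[float, List[str]]:
    """Runtime scoring: a bad rule is reported and skipped, the message still scores."""
    scores: List[float] = []
    errors: List[str] = []
    for expr, score in rules.items():
        try:
            result = evaluate(expr, message)
        except RuleTypeError as err:
            errors.append(str(err))
            continue
        if not isinstance(result, bool):
            errors.append(
                f"rule {expr!r} returned {type(result).__name__} {result!r}, expected boolean"
            )
            continue
        if result:
            scores.append(score)
    return (aggregator(scores) if scores else 0.0), errors


if __name__ == "__main__":
    # Constructed sample message; only ip_dst_addr and host are present.
    sample = {"ip_dst_addr": "10.0.0.1", "host": "Example.COM", "source.type": "bro"}
    print("config problems:", validate_rules(RISK_LEVEL_RULES))
    print("score, errors:", triage(sample, RISK_LEVEL_RULES))
```

The static check in validate_rules is what lets an operator see the bad rule at config push time, with the offending expression named; the isinstance guard in triage is the belt-and-braces for anything the static check cannot type, and it keeps one malformed rule from discarding enrichment for every message that reaches the bolt.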

            People

              mmiklavcic Michael Miklavcic
              nsinha17 Neha Sinha