Details
-
Bug
-
Status: Done
-
Major
-
Resolution: Done
-
None
-
None
Description
I am getting the following error/exception for the threat triage as the rule on left side does not evaluate to true/false.
How are we planning to handle such invalid inputs as this impacts enrichment and indexing?
Note :-Tested with bro parser.Have attached the zookeeper config dump for reference.
=========================================================
Enrichment Logs
=========================================================
2016-08-24 09:15:15.505 o.a.m.e.b.ThreatIntelJoinBolt [DEBUG] bro: Found threat triage config: ThreatTriageConfig{riskLevelRules=
, aggregator=MAX, aggregationConfig={NEGATIVE_VALUES_TRUMP_CONF=false}}
2016-08-24 09:15:15.505 o.a.m.e.b.JoinBolt [ERROR] [Metron] Unable to join messages:
java.lang.ClassCastException: Cannot cast java.lang.String to java.lang.Boolean
at java.lang.Class.cast(Class.java:3369) ~[?:1.8.0_60]
at org.apache.metron.common.stellar.BaseStellarProcessor.parse(BaseStellarProcessor.java:58) ~[stormjar.jar:?]
at org.apache.metron.common.stellar.StellarPredicateProcessor.parse(StellarPredicateProcessor.java:53) ~[stormjar.jar:?]
at org.apache.metron.threatintel.triage.ThreatTriageProcessor.apply(ThreatTriageProcessor.java:58) ~[stormjar.jar:?]
at org.apache.metron.enrichment.bolt.ThreatIntelJoinBolt.joinMessages(ThreatIntelJoinBolt.java:109) ~[stormjar.jar:?]
at org.apache.metron.enrichment.bolt.ThreatIntelJoinBolt.joinMessages(ThreatIntelJoinBolt.java:38) ~[stormjar.jar:?]
at org.apache.metron.enrichment.bolt.JoinBolt.execute(JoinBolt.java:111) [stormjar.jar:?]
at backtype.storm.daemon.executor$fn_5492$tuple_action_fn_5494.invoke(executor.clj:684) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
at backtype.storm.daemon.executor$mk_task_receiver$fn__5415.invoke(executor.clj:431) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
at backtype.storm.disruptor$clojure_handler$reify__4991.onEvent(disruptor.clj:58) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
at backtype.storm.utils.DisruptorQueue.consumeBatchToCursor(DisruptorQueue.java:125) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
at backtype.storm.utils.DisruptorQueue.consumeBatchWhenAvailable(DisruptorQueue.java:99) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
at backtype.storm.disruptor$consume_batch_when_available.invoke(disruptor.clj:80) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
at backtype.storm.daemon.executor$fn_5492$fn5505$fn_5556.invoke(executor.clj:813) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
at backtype.storm.util$async_loop$fn__644.invoke(util.clj:479) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
at clojure.lang.AFn.run(AFn.java:22) [clojure-1.6.0.jar:?]
at java.lang.Thread.run(Thread.java:745) [?:1.8.0_60]
2016-08-24 09:15:15.505 b.s.d.executor [ERROR]
java.lang.ClassCastException: Cannot cast java.lang.String to java.lang.Boolean
at java.lang.Class.cast(Class.java:3369) ~[?:1.8.0_60]
at org.apache.metron.common.stellar.BaseStellarProcessor.parse(BaseStellarProcessor.java:58) ~[stormjar.jar:?]
at org.apache.metron.common.stellar.StellarPredicateProcessor.parse(StellarPredicateProcessor.java:53) ~[stormjar.jar:?]
at org.apache.metron.threatintel.triage.ThreatTriageProcessor.apply(ThreatTriageProcessor.java:58) ~[stormjar.jar:?]
at org.apache.metron.enrichment.bolt.ThreatIntelJoinBolt.joinMessages(ThreatIntelJoinBolt.java:109) ~[stormjar.jar:?]
at org.apache.metron.enrichment.bolt.ThreatIntelJoinBolt.joinMessages(ThreatIntelJoinBolt.java:38) ~[stormjar.jar:?]
at org.apache.metron.enrichment.bolt.JoinBolt.execute(JoinBolt.java:111) [stormjar.jar:?]
at backtype.storm.daemon.executor$fn_5492$tuple_action_fn_5494.invoke(executor.clj:684) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
at backtype.storm.daemon.executor$mk_task_receiver$fn__5415.invoke(executor.clj:431) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
at backtype.storm.disruptor$clojure_handler$reify__4991.onEvent(disruptor.clj:58) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
at backtype.storm.utils.DisruptorQueue.consumeBatchToCursor(DisruptorQueue.java:125) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
at backtype.storm.utils.DisruptorQueue.consumeBatchWhenAvailable(DisruptorQueue.java:99) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
at backtype.storm.disruptor$consume_batch_when_available.invoke(disruptor.clj:80) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
at backtype.storm.daemon.executor$fn_5492$fn5505$fn_5556.invoke(executor.clj:813) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
at backtype.storm.util$async_loop$fn__644.invoke(util.clj:479) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
at clojure.lang.AFn.run(AFn.java:22) [clojure-1.6.0.jar:?]
at java.lang.Thread.run(Thread.java:745) [?:1.8.0_60]
Attachments
Issue Links
- is duplicated by
-
METRON-554 Require proper error handling when invalid input is fed to Threat triage rules
- Done