question Re: Snort parser in Archives of Support Questions (Read Only) https://community.cloudera.com/t5/Archives-of-Support-Questions/Snort-parser/m-p/200389#M62481 <P>I think. I miss configure at parserConfig or miss snort pattern.</P> Wed, 07 Jun 2017 17:25:47 GMT adroot16 2017-06-07T17:25:47Z Snort parser https://community.cloudera.com/t5/Archives-of-Support-Questions/Snort-parser/m-p/200384#M62476 <P> I tested Snort alert and it's have log info following</P><PRE>[**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] 06/06-14:54:02.125421 172.16.1.10 -&gt; 172.16.1.20 ICMP TTL:126 TOS:0x0 ID:15052 IpLen:20 DgmLen:60 Type:8 Code:0 ID:1 Seq:1473 ECHO </PRE><P>When I checked storm log and it's show</P><PRE>2017-06-07 09:39:41.083 o.a.s.d.executor [ERROR] java.lang.IllegalStateException: Unable to parse message: 06/06-14:54:02.125421 172.16.1.10 -&gt; 172.16.1.20 </PRE><P>Can you help me?</P> Wed, 07 Jun 2017 13:38:03 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Snort-parser/m-p/200384#M62476 adroot16 2017-06-07T13:38:03Z Re: Snort parser https://community.cloudera.com/t5/Archives-of-Support-Questions/Snort-parser/m-p/200385#M62477 <P>Hi <A rel="user" href="https://community.cloudera.com/users/16340/adroot16.html" nodeid="16340">@Lee Adrian</A>, can you check that you have re-configured your snort system to include year in the timestamp? This error could be the reason.</P><P>Check the Note section in this link - <A href="https://docs.hortonworks.com/HDPDocuments/HCP1/HCP-1.1.0/bk_administration/content/supported_datasources.html" target="_blank">https://docs.hortonworks.com/HDPDocuments/HCP1/HCP-1.1.0/bk_administration/content/supported_datasources.html</A></P> Wed, 07 Jun 2017 16:20:54 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Snort-parser/m-p/200385#M62477 asubramanian 2017-06-07T16:20:54Z Re: Snort parser https://community.cloudera.com/t5/Archives-of-Support-Questions/Snort-parser/m-p/200386#M62478 <P>Hi <A rel="user" href="https://community.cloudera.com/users/11832/asubramanian.html" nodeid="11832">@asubramanian</A></P><P>I re-configured my snort system and It's show alert log.</P><PRE>[**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] 06/07/17-16:37:15.044404 172.16.1.10 -&gt; 172.16.1.20 ICMP TTL:126 TOS:0x0 ID:14129 IpLen:20 DgmLen:60 Type:8 Code:0 ID:1 Seq:1523 ECHO </PRE><P>And I re-configured snort.json file</P><PRE>{ "parserClassName":"org.apache.metron.parsers.snort.BasicSnortParser", "sensorTopic":"snort", "parserConfig": { "dateFormat" : "MM/dd/yy-HH:mm:ss.SSSSSS", "timeZone" : "America/New_York" } } </PRE><P>But it still fails.</P> Wed, 07 Jun 2017 16:47:00 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Snort-parser/m-p/200386#M62478 adroot16 2017-06-07T16:47:00Z Re: Snort parser https://community.cloudera.com/t5/Archives-of-Support-Questions/Snort-parser/m-p/200387#M62479 <P>Can you paste the error that you are seeing now? I am assuming you have restarted the snort topology.</P> Wed, 07 Jun 2017 16:52:33 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Snort-parser/m-p/200387#M62479 asubramanian 2017-06-07T16:52:33Z Re: Snort parser https://community.cloudera.com/t5/Archives-of-Support-Questions/Snort-parser/m-p/200388#M62480 <P>You check help me. please.</P><PRE>2017-06-07 17:09:32.589 o.a.m.p.s.BasicSnortParser [ERROR] Unable to parse message: [**] [1:10000001:1] ICMP test detected [**] java.lang.IllegalArgumentException: Unexpected number of fields, expected: 27 in [**] [1:10000001:1] ICMP test detected [**] at org.apache.metron.parsers.snort.BasicSnortParser.parse(BasicSnortParser.java:148) [stormjar.jar:?] at org.apache.metron.parsers.interfaces.MessageParser.parseOptional(MessageParser.java:45) [stormjar.jar:?] at org.apache.metron.parsers.bolt.ParserBolt.execute(ParserBolt.java:123) [stormjar.jar:?] at org.apache.storm.daemon.executor$fn__6573$tuple_action_fn__6575.invoke(executor.clj:734) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37] at org.apache.storm.daemon.executor$mk_task_receiver$fn__6494.invoke(executor.clj:466) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37] at org.apache.storm.disruptor$clojure_handler$reify__6007.onEvent(disruptor.clj:40) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37] at org.apache.storm.utils.DisruptorQueue.consumeBatchToCursor(DisruptorQueue.java:451) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37] at org.apache.storm.utils.DisruptorQueue.consumeBatchWhenAvailable(DisruptorQueue.java:430) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37] at org.apache.storm.disruptor$consume_batch_when_available.invoke(disruptor.clj:73) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37] at org.apache.storm.daemon.executor$fn__6573$fn__6586$fn__6639.invoke(executor.clj:853) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37] at org.apache.storm.util$async_loop$fn__554.invoke(util.clj:484) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37] at clojure.lang.AFn.run(AFn.java:22) [clojure-1.7.0.jar:?] at java.lang.Thread.run(Thread.java:745) [?:1.8.0_77] 2017-06-07 17:09:32.594 o.a.s.d.executor [ERROR] java.lang.IllegalStateException: Unable to parse message: [**] [1:10000001:1] ICMP test detected [**] at org.apache.metron.parsers.snort.BasicSnortParser.parse(BasicSnortParser.java:180) ~[stormjar.jar:?] at org.apache.metron.parsers.interfaces.MessageParser.parseOptional(MessageParser.java:45) ~[stormjar.jar:?] at org.apache.metron.parsers.bolt.ParserBolt.execute(ParserBolt.java:123) [stormjar.jar:?] at org.apache.storm.daemon.executor$fn__6573$tuple_action_fn__6575.invoke(executor.clj:734) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37] at org.apache.storm.daemon.executor$mk_task_receiver$fn__6494.invoke(executor.clj:466) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37] at org.apache.storm.disruptor$clojure_handler$reify__6007.onEvent(disruptor.clj:40) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37] at org.apache.storm.utils.DisruptorQueue.consumeBatchToCursor(DisruptorQueue.java:451) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37] at org.apache.storm.utils.DisruptorQueue.consumeBatchWhenAvailable(DisruptorQueue.java:430) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37] at org.apache.storm.disruptor$consume_batch_when_available.invoke(disruptor.clj:73) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37] at org.apache.storm.daemon.executor$fn__6573$fn__6586$fn__6639.invoke(executor.clj:853) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37] at org.apache.storm.util$async_loop$fn__554.invoke(util.clj:484) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37] at clojure.lang.AFn.run(AFn.java:22) [clojure-1.7.0.jar:?] at java.lang.Thread.run(Thread.java:745) [?:1.8.0_77] Caused by: java.lang.IllegalArgumentException: Unexpected number of fields, expected: 27 in [**] [1:10000001:1] ICMP test detected [**] at org.apache.metron.parsers.snort.BasicSnortParser.parse(BasicSnortParser.java:148) ~[stormjar.jar:?] ... 12 more </PRE> Wed, 07 Jun 2017 17:06:53 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Snort-parser/m-p/200388#M62480 adroot16 2017-06-07T17:06:53Z Re: Snort parser https://community.cloudera.com/t5/Archives-of-Support-Questions/Snort-parser/m-p/200389#M62481 <P>I think. I miss configure at parserConfig or miss snort pattern.</P> Wed, 07 Jun 2017 17:25:47 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Snort-parser/m-p/200389#M62481 adroot16 2017-06-07T17:25:47Z Re: Snort parser https://community.cloudera.com/t5/Archives-of-Support-Questions/Snort-parser/m-p/200390#M62482 <P>Hi <A rel="user" href="https://community.cloudera.com/users/11832/asubramanian.html" nodeid="11832">@asubramanian</A></P><P>Can you susgest help me?</P> Thu, 08 Jun 2017 09:04:05 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Snort-parser/m-p/200390#M62482 adroot16 2017-06-08T09:04:05Z Re: Snort parser https://community.cloudera.com/t5/Archives-of-Support-Questions/Snort-parser/m-p/200391#M62483 <P>Hi <A rel="user" href="https://community.cloudera.com/users/16340/adroot16.html" nodeid="16340">@Lee Adrian</A>, you need to setup your snort to output CSV alerts and then push those into the snort kafka topic. The parser reconfiguration should not be necessary.</P><P>See this <A target="_blank" href="http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node21.html#SECTION00366000000000000000">link</A> on how to configure snort to output alert_csv.</P><P>Can you give this a try and let me know how it goes ?</P> Thu, 08 Jun 2017 15:50:20 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Snort-parser/m-p/200391#M62483 asubramanian 2017-06-08T15:50:20Z Re: Snort parser https://community.cloudera.com/t5/Archives-of-Support-Questions/Snort-parser/m-p/200392#M62484 <P>Hi <A rel="user" href="https://community.cloudera.com/users/11832/asubramanian.html" nodeid="11832">@asubramanian</A></P><P>I re-configured sucessfull. Thanks you.</P> Thu, 08 Jun 2017 18:09:57 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Snort-parser/m-p/200392#M62484 adroot16 2017-06-08T18:09:57Z