Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Snort parser

Labels:
avatar
author-rank adroot16
Contributor

Created ‎06-07-2017 06:38 AM

I tested Snort alert and it's have log info following

[**] [1:10000001:1] ICMP test detected [**]
[Classification: Generic ICMP event] [Priority: 3]
06/06-14:54:02.125421 172.16.1.10 -> 172.16.1.20
ICMP TTL:126 TOS:0x0 ID:15052 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:1473  ECHO

When I checked storm log and it's show

2017-06-07 09:39:41.083 o.a.s.d.executor [ERROR]
java.lang.IllegalStateException: Unable to parse message: 06/06-14:54:02.125421 172.16.1.10 -> 172.16.1.20

Can you help me?

4,332 Views
0 Kudos
0
1 ACCEPTED SOLUTION

avatar
author-rank asubramanian
Super Collaborator

Created ‎06-08-2017 08:50 AM

Hi @Lee Adrian, you need to setup your snort to output CSV alerts and then push those into the snort kafka topic. The parser reconfiguration should not be necessary.

See this link on how to configure snort to output alert_csv.

Can you give this a try and let me know how it goes ?

View solution in original post

3,963 Views
0 Kudos
0
8 REPLIES 8

avatar
author-rank asubramanian
Super Collaborator

Created ‎06-07-2017 09:20 AM

Hi @Lee Adrian, can you check that you have re-configured your snort system to include year in the timestamp? This error could be the reason.

Check the Note section in this link - https://docs.hortonworks.com/HDPDocuments/HCP1/HCP-1.1.0/bk_administration/content/supported_datasou...

3,963 Views
0 Kudos

avatar
author-rank adroot16
Contributor

Created ‎06-07-2017 09:47 AM

Hi @asubramanian

I re-configured my snort system and It's show alert log.

[**] [1:10000001:1] ICMP test detected [**]
[Classification: Generic ICMP event] [Priority: 3]
06/07/17-16:37:15.044404 172.16.1.10 -> 172.16.1.20
ICMP TTL:126 TOS:0x0 ID:14129 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:1523  ECHO

And I re-configured snort.json file

{
  "parserClassName":"org.apache.metron.parsers.snort.BasicSnortParser",
  "sensorTopic":"snort",
  "parserConfig": {
        "dateFormat" : "MM/dd/yy-HH:mm:ss.SSSSSS",
        "timeZone" : "America/New_York"
  }
}

But it still fails.

3,963 Views
0 Kudos

avatar
author-rank asubramanian
Super Collaborator

Created ‎06-07-2017 09:52 AM

Can you paste the error that you are seeing now? I am assuming you have restarted the snort topology.

3,963 Views
0 Kudos

avatar
author-rank adroot16
Contributor

Created ‎06-07-2017 10:06 AM

You check help me. please.

2017-06-07 17:09:32.589 o.a.m.p.s.BasicSnortParser [ERROR] Unable to parse message: [**] [1:10000001:1] ICMP test detected [**]
java.lang.IllegalArgumentException: Unexpected number of fields, expected: 27 in [**] [1:10000001:1] ICMP test detected [**]
        at org.apache.metron.parsers.snort.BasicSnortParser.parse(BasicSnortParser.java:148) [stormjar.jar:?]
        at org.apache.metron.parsers.interfaces.MessageParser.parseOptional(MessageParser.java:45) [stormjar.jar:?]
        at org.apache.metron.parsers.bolt.ParserBolt.execute(ParserBolt.java:123) [stormjar.jar:?]
        at org.apache.storm.daemon.executor$fn__6573$tuple_action_fn__6575.invoke(executor.clj:734) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.daemon.executor$mk_task_receiver$fn__6494.invoke(executor.clj:466) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.disruptor$clojure_handler$reify__6007.onEvent(disruptor.clj:40) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.utils.DisruptorQueue.consumeBatchToCursor(DisruptorQueue.java:451) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.utils.DisruptorQueue.consumeBatchWhenAvailable(DisruptorQueue.java:430) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.disruptor$consume_batch_when_available.invoke(disruptor.clj:73) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.daemon.executor$fn__6573$fn__6586$fn__6639.invoke(executor.clj:853) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.util$async_loop$fn__554.invoke(util.clj:484) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at clojure.lang.AFn.run(AFn.java:22) [clojure-1.7.0.jar:?]
        at java.lang.Thread.run(Thread.java:745) [?:1.8.0_77]
2017-06-07 17:09:32.594 o.a.s.d.executor [ERROR]
java.lang.IllegalStateException: Unable to parse message: [**] [1:10000001:1] ICMP test detected [**]
        at org.apache.metron.parsers.snort.BasicSnortParser.parse(BasicSnortParser.java:180) ~[stormjar.jar:?]
        at org.apache.metron.parsers.interfaces.MessageParser.parseOptional(MessageParser.java:45) ~[stormjar.jar:?]
        at org.apache.metron.parsers.bolt.ParserBolt.execute(ParserBolt.java:123) [stormjar.jar:?]
        at org.apache.storm.daemon.executor$fn__6573$tuple_action_fn__6575.invoke(executor.clj:734) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.daemon.executor$mk_task_receiver$fn__6494.invoke(executor.clj:466) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.disruptor$clojure_handler$reify__6007.onEvent(disruptor.clj:40) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.utils.DisruptorQueue.consumeBatchToCursor(DisruptorQueue.java:451) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.utils.DisruptorQueue.consumeBatchWhenAvailable(DisruptorQueue.java:430) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.disruptor$consume_batch_when_available.invoke(disruptor.clj:73) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.daemon.executor$fn__6573$fn__6586$fn__6639.invoke(executor.clj:853) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.util$async_loop$fn__554.invoke(util.clj:484) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at clojure.lang.AFn.run(AFn.java:22) [clojure-1.7.0.jar:?]
        at java.lang.Thread.run(Thread.java:745) [?:1.8.0_77]
Caused by: java.lang.IllegalArgumentException: Unexpected number of fields, expected: 27 in [**] [1:10000001:1] ICMP test detected [**]
        at org.apache.metron.parsers.snort.BasicSnortParser.parse(BasicSnortParser.java:148) ~[stormjar.jar:?]
        ... 12 more
3,963 Views
0 Kudos

avatar
author-rank adroot16
Contributor

Created ‎06-07-2017 10:25 AM

I think. I miss configure at parserConfig or miss snort pattern.

3,963 Views
0 Kudos

avatar
author-rank adroot16
Contributor

Created ‎06-08-2017 02:04 AM

Hi @asubramanian

Can you susgest help me?

3,963 Views
0 Kudos

avatar
author-rank asubramanian
Super Collaborator

Created ‎06-08-2017 08:50 AM

Hi @Lee Adrian, you need to setup your snort to output CSV alerts and then push those into the snort kafka topic. The parser reconfiguration should not be necessary.

See this link on how to configure snort to output alert_csv.

Can you give this a try and let me know how it goes ?

3,964 Views
0 Kudos
0

avatar
author-rank adroot16
Contributor

Created ‎06-08-2017 11:09 AM

Hi @asubramanian

I re-configured sucessfull. Thanks you.

3,963 Views
0 Kudos
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
What's New @ Cloudera
Performance comparison of Spark3 on YARN with S3 Standard VS...
View More Announcements