Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Snort parser

Labels:
avatar
author-rank adroot16
Contributor

Created ‎06-07-2017 06:38 AM

I tested Snort alert and it's have log info following

[**] [1:10000001:1] ICMP test detected [**]
[Classification: Generic ICMP event] [Priority: 3]
06/06-14:54:02.125421 172.16.1.10 -> 172.16.1.20
ICMP TTL:126 TOS:0x0 ID:15052 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:1473  ECHO

When I checked storm log and it's show

2017-06-07 09:39:41.083 o.a.s.d.executor [ERROR]
java.lang.IllegalStateException: Unable to parse message: 06/06-14:54:02.125421 172.16.1.10 -> 172.16.1.20

Can you help me?

3,779 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank asubramanian
Super Collaborator

Created ‎06-08-2017 08:50 AM

Hi @Lee Adrian, you need to setup your snort to output CSV alerts and then push those into the snort kafka topic. The parser reconfiguration should not be necessary.

See this link on how to configure snort to output alert_csv.

Can you give this a try and let me know how it goes ?

View solution in original post

3,410 Views
0 Kudos
8 REPLIES 8

avatar
author-rank asubramanian
Super Collaborator

Created ‎06-07-2017 09:20 AM

Hi @Lee Adrian, can you check that you have re-configured your snort system to include year in the timestamp? This error could be the reason.

Check the Note section in this link - https://docs.hortonworks.com/HDPDocuments/HCP1/HCP-1.1.0/bk_administration/content/supported_datasou...

3,410 Views
0 Kudos

avatar
author-rank adroot16
Contributor

Created ‎06-07-2017 09:47 AM

Hi @asubramanian

I re-configured my snort system and It's show alert log.

[**] [1:10000001:1] ICMP test detected [**]
[Classification: Generic ICMP event] [Priority: 3]
06/07/17-16:37:15.044404 172.16.1.10 -> 172.16.1.20
ICMP TTL:126 TOS:0x0 ID:14129 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:1523  ECHO

And I re-configured snort.json file

{
  "parserClassName":"org.apache.metron.parsers.snort.BasicSnortParser",
  "sensorTopic":"snort",
  "parserConfig": {
        "dateFormat" : "MM/dd/yy-HH:mm:ss.SSSSSS",
        "timeZone" : "America/New_York"
  }
}

But it still fails.

3,410 Views
0 Kudos

avatar
author-rank asubramanian
Super Collaborator

Created ‎06-07-2017 09:52 AM

Can you paste the error that you are seeing now? I am assuming you have restarted the snort topology.

3,410 Views
0 Kudos

avatar
author-rank adroot16
Contributor

Created ‎06-07-2017 10:06 AM

You check help me. please.

2017-06-07 17:09:32.589 o.a.m.p.s.BasicSnortParser [ERROR] Unable to parse message: [**] [1:10000001:1] ICMP test detected [**]
java.lang.IllegalArgumentException: Unexpected number of fields, expected: 27 in [**] [1:10000001:1] ICMP test detected [**]
        at org.apache.metron.parsers.snort.BasicSnortParser.parse(BasicSnortParser.java:148) [stormjar.jar:?]
        at org.apache.metron.parsers.interfaces.MessageParser.parseOptional(MessageParser.java:45) [stormjar.jar:?]
        at org.apache.metron.parsers.bolt.ParserBolt.execute(ParserBolt.java:123) [stormjar.jar:?]
        at org.apache.storm.daemon.executor$fn__6573$tuple_action_fn__6575.invoke(executor.clj:734) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.daemon.executor$mk_task_receiver$fn__6494.invoke(executor.clj:466) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.disruptor$clojure_handler$reify__6007.onEvent(disruptor.clj:40) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.utils.DisruptorQueue.consumeBatchToCursor(DisruptorQueue.java:451) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.utils.DisruptorQueue.consumeBatchWhenAvailable(DisruptorQueue.java:430) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.disruptor$consume_batch_when_available.invoke(disruptor.clj:73) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.daemon.executor$fn__6573$fn__6586$fn__6639.invoke(executor.clj:853) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.util$async_loop$fn__554.invoke(util.clj:484) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at clojure.lang.AFn.run(AFn.java:22) [clojure-1.7.0.jar:?]
        at java.lang.Thread.run(Thread.java:745) [?:1.8.0_77]
2017-06-07 17:09:32.594 o.a.s.d.executor [ERROR]
java.lang.IllegalStateException: Unable to parse message: [**] [1:10000001:1] ICMP test detected [**]
        at org.apache.metron.parsers.snort.BasicSnortParser.parse(BasicSnortParser.java:180) ~[stormjar.jar:?]
        at org.apache.metron.parsers.interfaces.MessageParser.parseOptional(MessageParser.java:45) ~[stormjar.jar:?]
        at org.apache.metron.parsers.bolt.ParserBolt.execute(ParserBolt.java:123) [stormjar.jar:?]
        at org.apache.storm.daemon.executor$fn__6573$tuple_action_fn__6575.invoke(executor.clj:734) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.daemon.executor$mk_task_receiver$fn__6494.invoke(executor.clj:466) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.disruptor$clojure_handler$reify__6007.onEvent(disruptor.clj:40) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.utils.DisruptorQueue.consumeBatchToCursor(DisruptorQueue.java:451) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.utils.DisruptorQueue.consumeBatchWhenAvailable(DisruptorQueue.java:430) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.disruptor$consume_batch_when_available.invoke(disruptor.clj:73) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.daemon.executor$fn__6573$fn__6586$fn__6639.invoke(executor.clj:853) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.util$async_loop$fn__554.invoke(util.clj:484) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at clojure.lang.AFn.run(AFn.java:22) [clojure-1.7.0.jar:?]
        at java.lang.Thread.run(Thread.java:745) [?:1.8.0_77]
Caused by: java.lang.IllegalArgumentException: Unexpected number of fields, expected: 27 in [**] [1:10000001:1] ICMP test detected [**]
        at org.apache.metron.parsers.snort.BasicSnortParser.parse(BasicSnortParser.java:148) ~[stormjar.jar:?]
        ... 12 more
3,410 Views
0 Kudos

avatar
author-rank adroot16
Contributor

Created ‎06-07-2017 10:25 AM

I think. I miss configure at parserConfig or miss snort pattern.

3,410 Views
0 Kudos

avatar
author-rank adroot16
Contributor

Created ‎06-08-2017 02:04 AM

Hi @asubramanian

Can you susgest help me?

3,410 Views
0 Kudos

avatar
author-rank asubramanian
Super Collaborator

Created ‎06-08-2017 08:50 AM

Hi @Lee Adrian, you need to setup your snort to output CSV alerts and then push those into the snort kafka topic. The parser reconfiguration should not be necessary.

See this link on how to configure snort to output alert_csv.

Can you give this a try and let me know how it goes ?

3,411 Views
0 Kudos

avatar
author-rank adroot16
Contributor

Created ‎06-08-2017 11:09 AM

Hi @asubramanian

I re-configured sucessfull. Thanks you.

3,410 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements