Support Questions

adroot16 · ‎06-07-2017

I tested Snort alert and it's have log info following

[**] [1:10000001:1] ICMP test detected [**]
[Classification: Generic ICMP event] [Priority: 3]
06/06-14:54:02.125421 172.16.1.10 -> 172.16.1.20
ICMP TTL:126 TOS:0x0 ID:15052 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:1473  ECHO

When I checked storm log and it's show

2017-06-07 09:39:41.083 o.a.s.d.executor [ERROR]
java.lang.IllegalStateException: Unable to parse message: 06/06-14:54:02.125421 172.16.1.10 -> 172.16.1.20

Can you help me?

asubramanian · ‎06-07-2017

Hi @Lee Adrian, can you check that you have re-configured your snort system to include year in the timestamp? This error could be the reason.

Check the Note section in this link - https://docs.hortonworks.com/HDPDocuments/HCP1/HCP-1.1.0/bk_administration/content/supported_datasou...

adroot16 · ‎06-07-2017

Hi @asubramanian

I re-configured my snort system and It's show alert log.

[**] [1:10000001:1] ICMP test detected [**]
[Classification: Generic ICMP event] [Priority: 3]
06/07/17-16:37:15.044404 172.16.1.10 -> 172.16.1.20
ICMP TTL:126 TOS:0x0 ID:14129 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:1523  ECHO

And I re-configured snort.json file

{
  "parserClassName":"org.apache.metron.parsers.snort.BasicSnortParser",
  "sensorTopic":"snort",
  "parserConfig": {
        "dateFormat" : "MM/dd/yy-HH:mm:ss.SSSSSS",
        "timeZone" : "America/New_York"
  }
}

But it still fails.

asubramanian · ‎06-07-2017

Can you paste the error that you are seeing now? I am assuming you have restarted the snort topology.

adroot16 · ‎06-07-2017

You check help me. please.

2017-06-07 17:09:32.589 o.a.m.p.s.BasicSnortParser [ERROR] Unable to parse message: [**] [1:10000001:1] ICMP test detected [**]
java.lang.IllegalArgumentException: Unexpected number of fields, expected: 27 in [**] [1:10000001:1] ICMP test detected [**]
        at org.apache.metron.parsers.snort.BasicSnortParser.parse(BasicSnortParser.java:148) [stormjar.jar:?]
        at org.apache.metron.parsers.interfaces.MessageParser.parseOptional(MessageParser.java:45) [stormjar.jar:?]
        at org.apache.metron.parsers.bolt.ParserBolt.execute(ParserBolt.java:123) [stormjar.jar:?]
        at org.apache.storm.daemon.executor$fn__6573$tuple_action_fn__6575.invoke(executor.clj:734) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.daemon.executor$mk_task_receiver$fn__6494.invoke(executor.clj:466) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.disruptor$clojure_handler$reify__6007.onEvent(disruptor.clj:40) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.utils.DisruptorQueue.consumeBatchToCursor(DisruptorQueue.java:451) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.utils.DisruptorQueue.consumeBatchWhenAvailable(DisruptorQueue.java:430) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.disruptor$consume_batch_when_available.invoke(disruptor.clj:73) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.daemon.executor$fn__6573$fn__6586$fn__6639.invoke(executor.clj:853) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.util$async_loop$fn__554.invoke(util.clj:484) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at clojure.lang.AFn.run(AFn.java:22) [clojure-1.7.0.jar:?]
        at java.lang.Thread.run(Thread.java:745) [?:1.8.0_77]
2017-06-07 17:09:32.594 o.a.s.d.executor [ERROR]
java.lang.IllegalStateException: Unable to parse message: [**] [1:10000001:1] ICMP test detected [**]
        at org.apache.metron.parsers.snort.BasicSnortParser.parse(BasicSnortParser.java:180) ~[stormjar.jar:?]
        at org.apache.metron.parsers.interfaces.MessageParser.parseOptional(MessageParser.java:45) ~[stormjar.jar:?]
        at org.apache.metron.parsers.bolt.ParserBolt.execute(ParserBolt.java:123) [stormjar.jar:?]
        at org.apache.storm.daemon.executor$fn__6573$tuple_action_fn__6575.invoke(executor.clj:734) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.daemon.executor$mk_task_receiver$fn__6494.invoke(executor.clj:466) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.disruptor$clojure_handler$reify__6007.onEvent(disruptor.clj:40) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.utils.DisruptorQueue.consumeBatchToCursor(DisruptorQueue.java:451) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.utils.DisruptorQueue.consumeBatchWhenAvailable(DisruptorQueue.java:430) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.disruptor$consume_batch_when_available.invoke(disruptor.clj:73) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.daemon.executor$fn__6573$fn__6586$fn__6639.invoke(executor.clj:853) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.util$async_loop$fn__554.invoke(util.clj:484) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at clojure.lang.AFn.run(AFn.java:22) [clojure-1.7.0.jar:?]
        at java.lang.Thread.run(Thread.java:745) [?:1.8.0_77]
Caused by: java.lang.IllegalArgumentException: Unexpected number of fields, expected: 27 in [**] [1:10000001:1] ICMP test detected [**]
        at org.apache.metron.parsers.snort.BasicSnortParser.parse(BasicSnortParser.java:148) ~[stormjar.jar:?]
        ... 12 more

adroot16 · ‎06-07-2017

I think. I miss configure at parserConfig or miss snort pattern.

adroot16 · ‎06-08-2017

Hi @asubramanian

Can you susgest help me?

adroot16 · ‎06-08-2017

Hi @asubramanian

I re-configured sucessfull. Thanks you.

Cloudera Community

Support Questions

Snort parser

This problem has been solved!

This problem has been solved!