
Snort parser


New Contributor

I tested a Snort alert and it has the following log output:

[**] [1:10000001:1] ICMP test detected [**]
[Classification: Generic ICMP event] [Priority: 3]
06/06-14:54:02.125421 172.16.1.10 -> 172.16.1.20
ICMP TTL:126 TOS:0x0 ID:15052 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:1473  ECHO

When I checked the Storm log, it shows:

2017-06-07 09:39:41.083 o.a.s.d.executor [ERROR]
java.lang.IllegalStateException: Unable to parse message: 06/06-14:54:02.125421 172.16.1.10 -> 172.16.1.20

Can you help me?

Accepted Solution

Re: Snort parser

Super Collaborator

Hi @Lee Adrian, you need to set up your snort to output CSV alerts and then push those into the snort kafka topic. The parser reconfiguration should not be necessary.

See this link on how to configure snort to output alert_csv.

Can you give this a try and let me know how it goes?

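As an added illustration (not part of the original thread, and not Apache Metron's BasicSnortParser), the checker below reproduces the two failure modes discussed here on constructed sample lines, so a sample can be validated before it is pushed to the snort Kafka topic. It assumes Snort's default alert_csv output, i.e. the 27 comma-separated fields listed in FIELD_NAMES, and the timestamp format MM/dd/yy-HH:mm:ss.SSSSSS from the snort.json above (the year must be present). The time zone is passed in as a tzinfo and defaults to UTC here; a real deployment applies the configured timeZone.

```python
"""Validate Snort alert_csv lines the way a CSV-based parser would see them.

Added example; the field list is Snort's default alert_csv order (27 fields),
the sample lines are constructed for the demonstration.
"""
from datetime import datetime, timezone

FIELD_NAMES = [
    "timestamp", "sig_generator", "sig_id", "sig_rev", "msg", "proto",
    "src", "srcport", "dst", "dstport", "ethsrc", "ethdst", "ethlen",
    "tcpflags", "tcpseq", "tcpack", "tcplen", "tcpwindow", "ttl", "tos",
    "id", "dgmlen", "iplen", "icmptype", "icmpcode", "icmpid", "icmpseq",
]
EXPECTED_FIELDS = len(FIELD_NAMES)  # 27, the count quoted in the Storm error
# Python spelling of the Java pattern MM/dd/yy-HH:mm:ss.SSSSSS
DATE_FORMAT = "%m/%d/%y-%H:%M:%S.%f"


def parse_alert_csv(line, tz=timezone.utc):
    """Return a dict of the 27 fields with 'timestamp' as epoch milliseconds.

    Raises ValueError with a message modelled on the thread's errors when the
    line is not alert_csv output, has the wrong field count, or carries a
    timestamp without a year.
    """
    # Failure mode 1: alert_fast/alert_full output was sent instead of CSV.
    if line.startswith("[**]"):
        raise ValueError("not alert_csv output (full-alert format): " + line)

    fields = line.rstrip("\n").split(",")
    # Failure mode 2: wrong field count (what the parser reports as
    # "Unexpected number of fields, expected: 27").
    if len(fields) != EXPECTED_FIELDS:
        raise ValueError(
            f"Unexpected number of fields, expected: {EXPECTED_FIELDS}, "
            f"got {len(fields)} in {line}"
        )
    record = dict(zip(FIELD_NAMES, fields))

    # Failure mode 3: timestamp without a year (MM/dd-HH:mm:ss.SSSSSS) does
    # not match the configured dateFormat.
    try:
        local = datetime.strptime(record["timestamp"], DATE_FORMAT)
    except ValueError as exc:
        raise ValueError(
            f"timestamp {record['timestamp']!r} does not match {DATE_FORMAT}; "
            "configure snort to include the year"
        ) from exc
    aware = local.replace(tzinfo=tz)
    # Integer arithmetic avoids float rounding in the millisecond conversion.
    record["timestamp"] = int(aware.timestamp()) * 1000 + local.microsecond // 1000
    return record


# Constructed samples: the ICMP event from the thread, rendered as alert_csv
# with and without a year, plus the full-alert header line that failed.
CSV_WITH_YEAR = (
    "06/07/17-16:37:15.044404,1,10000001,1,ICMP test detected,ICMP,"
    "172.16.1.10,,172.16.1.20,,00:0C:29:AA:BB:CC,00:0C:29:DD:EE:FF,0x62,"
    ",,,,,126,0x0,14129,60,20,8,0,1,1523"
)
CSV_WITHOUT_YEAR = CSV_WITH_YEAR.replace("06/07/17-", "06/07-", 1)
FULL_ALERT_LINE = "[**] [1:10000001:1] ICMP test detected [**]"


def check(line):
    """Classify a line as parsed or rejected, returning (ok, detail)."""
    try:
        return True, parse_alert_csv(line)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for sample in (CSV_WITH_YEAR, CSV_WITHOUT_YEAR, FULL_ALERT_LINE):
        ok, detail = check(sample)
        print("OK  " if ok else "FAIL", detail if not ok else detail["msg"])
```

Note that Snort's CSV output does not quote the msg field, so a rule message containing a comma also trips the field-count check; keep rule messages comma-free if they feed a CSV parser.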
8 Replies

Re: Snort parser

Super Collaborator

Hi @Lee Adrian, can you check that you have re-configured your snort system to include the year in the timestamp? This error could be the reason.

Check the Note section in this link - https://docs.hortonworks.com/HDPDocuments/HCP1/HCP-1.1.0/bk_administration/content/supported_datasou...

Re: Snort parser

New Contributor

Hi @asubramanian

I re-configured my snort system and it shows the alert log:

[**] [1:10000001:1] ICMP test detected [**]
[Classification: Generic ICMP event] [Priority: 3]
06/07/17-16:37:15.044404 172.16.1.10 -> 172.16.1.20
ICMP TTL:126 TOS:0x0 ID:14129 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:1523  ECHO

And I re-configured the snort.json file:

{
  "parserClassName":"org.apache.metron.parsers.snort.BasicSnortParser",
  "sensorTopic":"snort",
  "parserConfig": {
        "dateFormat" : "MM/dd/yy-HH:mm:ss.SSSSSS",
        "timeZone" : "America/New_York"
  }
}

But it still fails.

Re: Snort parser

Super Collaborator

Can you paste the error that you are seeing now? I am assuming you have restarted the snort topology.

Re: Snort parser

New Contributor

Can you check and help me, please?

2017-06-07 17:09:32.589 o.a.m.p.s.BasicSnortParser [ERROR] Unable to parse message: [**] [1:10000001:1] ICMP test detected [**]
java.lang.IllegalArgumentException: Unexpected number of fields, expected: 27 in [**] [1:10000001:1] ICMP test detected [**]
        at org.apache.metron.parsers.snort.BasicSnortParser.parse(BasicSnortParser.java:148) [stormjar.jar:?]
        at org.apache.metron.parsers.interfaces.MessageParser.parseOptional(MessageParser.java:45) [stormjar.jar:?]
        at org.apache.metron.parsers.bolt.ParserBolt.execute(ParserBolt.java:123) [stormjar.jar:?]
        at org.apache.storm.daemon.executor$fn__6573$tuple_action_fn__6575.invoke(executor.clj:734) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.daemon.executor$mk_task_receiver$fn__6494.invoke(executor.clj:466) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.disruptor$clojure_handler$reify__6007.onEvent(disruptor.clj:40) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.utils.DisruptorQueue.consumeBatchToCursor(DisruptorQueue.java:451) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.utils.DisruptorQueue.consumeBatchWhenAvailable(DisruptorQueue.java:430) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.disruptor$consume_batch_when_available.invoke(disruptor.clj:73) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.daemon.executor$fn__6573$fn__6586$fn__6639.invoke(executor.clj:853) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.util$async_loop$fn__554.invoke(util.clj:484) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at clojure.lang.AFn.run(AFn.java:22) [clojure-1.7.0.jar:?]
        at java.lang.Thread.run(Thread.java:745) [?:1.8.0_77]
2017-06-07 17:09:32.594 o.a.s.d.executor [ERROR]
java.lang.IllegalStateException: Unable to parse message: [**] [1:10000001:1] ICMP test detected [**]
        at org.apache.metron.parsers.snort.BasicSnortParser.parse(BasicSnortParser.java:180) ~[stormjar.jar:?]
        at org.apache.metron.parsers.interfaces.MessageParser.parseOptional(MessageParser.java:45) ~[stormjar.jar:?]
        at org.apache.metron.parsers.bolt.ParserBolt.execute(ParserBolt.java:123) [stormjar.jar:?]
        at org.apache.storm.daemon.executor$fn__6573$tuple_action_fn__6575.invoke(executor.clj:734) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.daemon.executor$mk_task_receiver$fn__6494.invoke(executor.clj:466) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.disruptor$clojure_handler$reify__6007.onEvent(disruptor.clj:40) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.utils.DisruptorQueue.consumeBatchToCursor(DisruptorQueue.java:451) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.utils.DisruptorQueue.consumeBatchWhenAvailable(DisruptorQueue.java:430) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.disruptor$consume_batch_when_available.invoke(disruptor.clj:73) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.daemon.executor$fn__6573$fn__6586$fn__6639.invoke(executor.clj:853) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at org.apache.storm.util$async_loop$fn__554.invoke(util.clj:484) [storm-core-1.0.1.2.5.3.0-37.jar:1.0.1.2.5.3.0-37]
        at clojure.lang.AFn.run(AFn.java:22) [clojure-1.7.0.jar:?]
        at java.lang.Thread.run(Thread.java:745) [?:1.8.0_77]
Caused by: java.lang.IllegalArgumentException: Unexpected number of fields, expected: 27 in [**] [1:10000001:1] ICMP test detected [**]
        at org.apache.metron.parsers.snort.BasicSnortParser.parse(BasicSnortParser.java:148) ~[stormjar.jar:?]
        ... 12 more


Re: Snort parser

New Contributor

I think I misconfigured parserConfig or missed the snort pattern.

Re: Snort parser

New Contributor

Hi @asubramanian

Can you suggest something to help me?

Re: Snort parser

New Contributor

Hi @asubramanian

I re-configured successfully. Thank you.
