Member since: 08-23-2017
Posts: 15
Kudos Received: 2
Solutions: 0
02-07-2019
12:51 PM
1 Kudo
Check all your sensor configs. The top few lines of one are below. Remove the invalidWriterClassName entry and see if that solves the problem.

"parserClassName": "org.apache.metron.parsers.bro.BasicBroParser",
"filterClassName": null,
"sensorTopic": "bro",
"writerClassName": null,
"errorWriterClassName": null,
"invalidWriterClassName": null,
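The reply above comes down to one check: a sensor parser config carrying a key the running Metron release no longer accepts (here invalidWriterClassName). The following is an added example, not the poster's code and not Metron's own tooling, that runs that check over parser config JSON before it is pushed to ZooKeeper. The KNOWN_KEYS set is an assumption: the five keys come from the config quoted in the reply, plus parserConfig and fieldTransformations; the directory layout in check_config_dir is likewise assumed and should be matched to the config tree of the Metron version actually deployed.

```python
"""Flag stale or unknown top-level keys in Metron sensor parser configs.

Added example for the thread above; not Metron project code. KNOWN_KEYS is
an assumption (keys quoted in the reply plus parserConfig and
fieldTransformations) and must be aligned with the deployed version's schema.
"""
import json
from pathlib import Path
from typing import Dict, List, Tuple

# Assumption: top-level keys the deployed parser config schema accepts.
KNOWN_KEYS = {
    "parserClassName",
    "filterClassName",
    "sensorTopic",
    "writerClassName",
    "errorWriterClassName",
    "parserConfig",          # assumed present in the current schema
    "fieldTransformations",  # assumed present in the current schema
}

# Keys that older releases accepted and the reply says must be removed.
REMOVED_KEYS = {"invalidWriterClassName"}


def check_sensor_config(config: Dict) -> Tuple[List[str], List[str]]:
    """Return (removed, unknown) for one parsed sensor config.

    removed: keys known to have been dropped from the schema (hard failure).
    unknown: keys outside KNOWN_KEYS; worth a look, but may just mean
             KNOWN_KEYS is behind the deployed version.
    """
    removed = sorted(k for k in config if k in REMOVED_KEYS)
    unknown = sorted(k for k in config if k not in KNOWN_KEYS and k not in REMOVED_KEYS)
    return removed, unknown


def clean_sensor_config(config: Dict) -> Dict:
    """Return a copy with the removed keys dropped; all other entries are kept."""
    return {k: v for k, v in config.items() if k not in REMOVED_KEYS}


def check_config_dir(config_dir: Path) -> Dict[str, Tuple[List[str], List[str]]]:
    """Run check_sensor_config over every *.json file in a directory.

    Assumption: the directory is the parsers/ subtree of a Metron config
    checkout (one <sensor>.json per sensor).
    """
    results = {}
    for path in sorted(config_dir.glob("*.json")):
        results[path.name] = check_sensor_config(json.loads(path.read_text()))
    return results


# Constructed sample: the bro config quoted in the reply, with the stale key.
BRO_CONFIG = {
    "parserClassName": "org.apache.metron.parsers.bro.BasicBroParser",
    "filterClassName": None,
    "sensorTopic": "bro",
    "writerClassName": None,
    "errorWriterClassName": None,
    "invalidWriterClassName": None,
}

if __name__ == "__main__":
    removed, unknown = check_sensor_config(BRO_CONFIG)
    print("removed keys present:", removed)   # ['invalidWriterClassName']
    print("unknown keys:", unknown)           # []
    print(json.dumps(clean_sensor_config(BRO_CONFIG), indent=2))
```

Treat a non-empty removed list as a blocker and an unknown list as a prompt to reconcile KNOWN_KEYS with the release notes of the version in use, so the script does not silently strip keys that are actually valid.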
03-16-2018
12:22 PM
How exactly are you starting bro? I was doing bro -i eth0 & and nothing got posted to Kafka. I changed it to bro -i eth0 /usr/local/bro/share/bro/site/local.bro & and the messages started appearing in Kafka.
12-18-2017
04:14 AM
I tried changing the is_alert field in the template to boolean and deleted and recreated the index. But no luck. I already have alert as a nested field in my template
12-14-2017
10:22 AM
{
  "squid_index_2017.12.14.09": {
    "mappings": {
      "squid_doc": {
        "_timestamp": {"enabled": true},
        "properties": {
          "action": {"type": "string", "index": "not_analyzed"},
          "adapter:simplehbaseadapter:begin:ts": {"type": "string"},
          "adapter:simplehbaseadapter:end:ts": {"type": "string"},
          "adapter:threatinteladapter:begin:ts": {"type": "string"},
          "adapter:threatinteladapter:end:ts": {"type": "string"},
          "alert": {"type": "nested"},
          "bytes": {"type": "integer"},
          "code": {"type": "string", "index": "not_analyzed"},
          "domain_without_subdomains": {"type": "string", "index": "not_analyzed"},
          "elapsed": {"type": "integer"},
          "enrichmentjoinbolt:joiner:ts": {"type": "string"},
          "enrichments:hbaseEnrichment:domain_without_subdomains:whois:domain": {"type": "string"},
          "enrichments:hbaseEnrichment:domain_without_subdomains:whois:domain_created_timestamp": {"type": "string"},
          "enrichments:hbaseEnrichment:domain_without_subdomains:whois:home_country": {"type": "string"},
          "enrichments:hbaseEnrichment:domain_without_subdomains:whois:owner": {"type": "string"},
          "enrichments:hbaseEnrichment:domain_without_subdomains:whois:registrar": {"type": "string"},
          "enrichmentsplitterbolt:splitter:begin:ts": {"type": "string"},
          "enrichmentsplitterbolt:splitter:end:ts": {"type": "string"},
          "full_hostname": {"type": "string", "index": "not_analyzed"},
          "guid": {"type": "string"},
          "ip_dst_addr": {"type": "string", "index": "not_analyzed"},
          "ip_src_addr": {"type": "string"},
          "is_alert": {"type": "string"},
          "method": {"type": "string", "index": "not_analyzed"},
          "original_string": {"type": "string"},
          "source:type": {"type": "string", "index": "not_analyzed"},
          "threat:triage:rules:0:comment": {"type": "string"},
          "threat:triage:rules:0:name": {"type": "string"},
          "threat:triage:rules:0:reason": {"type": "string"},
          "threat:triage:rules:0:score": {"type": "long"},
          "threat:triage:rules:1:comment": {"type": "string"},
          "threat:triage:rules:1:name": {"type": "string"},
          "threat:triage:rules:1:reason": {"type": "string"},
          "threat:triage:rules:1:score": {"type": "long"},
          "threat:triage:score": {"type": "double"},
          "threatinteljoinbolt:joiner:ts": {"type": "string"},
          "threatintels:hbaseThreatIntel:domain_without_subdomains:zeusList": {"type": "string"},
          "threatintelsplitterbolt:splitter:begin:ts": {"type": "string"},
          "threatintelsplitterbolt:splitter:end:ts": {"type": "string"},
          "timestamp": {"type": "date", "format": "epoch_millis"},
          "url": {"type": "string"}
        }
      }
    }
  }
}
12-14-2017
10:18 AM
{
  "properties": {
    "action": {"type": "string", "index": "not_analyzed"},
    "adapter:geoadapter:begin:ts": {"type": "string"},
    "adapter:geoadapter:end:ts": {"type": "string"},
    "adapter:stellaradapter:begin:ts": {"type": "string"},
    "adapter:stellaradapter:end:ts": {"type": "string"},
    "bytes": {"type": "integer"},
    "code": {"type": "string", "index": "not_analyzed"},
    "domain_without_subdomains": {"type": "string", "index": "not_analyzed"},
    "elapsed": {"type": "integer"},
    "enrichmentjoinbolt:joiner:ts": {"type": "string"},
    "enrichments:geo:ip_dst_addr:city": {"type": "string"},
    "enrichments:geo:ip_dst_addr:country": {"type": "string"},
    "enrichments:geo:ip_dst_addr:dmaCode": {"type": "string"},
    "enrichments:geo:ip_dst_addr:latitude": {"type": "string"},
    "enrichments:geo:ip_dst_addr:locID": {"type": "string"},
    "enrichments:geo:ip_dst_addr:location_point": {"type": "string"},
    "enrichments:geo:ip_dst_addr:longitude": {"type": "string"},
    "enrichments:geo:ip_dst_addr:postalCode": {"type": "string"},
    "enrichmentsplitterbolt:splitter:begin:ts": {"type": "string"},
    "enrichmentsplitterbolt:splitter:end:ts": {"type": "string"},
    "extra": {"type": "string"},
    "full_hostname": {"type": "string", "index": "not_analyzed"},
    "guid": {"type": "string"},
    "ip_dst_addr": {"type": "ip"},
    "ip_dst_port": {"type": "integer"},
    "ip_src_addr": {"type": "ip"},
    "ip_src_port": {"type": "integer"},
    "is_malicious": {"type": "string"},
    "method": {"type": "string", "index": "not_analyzed"},
    "original_string": {"type": "string"},
    "source:type": {"type": "string", "index": "not_analyzed"},
    "threatinteljoinbolt:joiner:ts": {"type": "string"},
    "threatintelsplitterbolt:splitter:begin:ts": {"type": "string"},
    "threatintelsplitterbolt:splitter:end:ts": {"type": "string"},
    "timestamp": {"type": "date", "format": "epoch_millis"},
    "url": {"type": "string"}
  }
}
12-14-2017
02:53 AM
Nothing at all in the Alerts UI. I see 5 alerts in Kibana and 12 non-alert events, but the Alerts UI is empty. I am running 1.3.1.0-37 installed through the Ambari mpack.
12-14-2017
12:28 AM
The squid telemetry does have is_alert true. That is the first thing I checked. I have done threat intel enrichment and is_alert is set to true based on the threat intel.
12-13-2017
10:00 AM
I have ingested squid telemetry into Metron and can see alerts in the Kibana dashboard (I have ingested threat intel and set up risk scoring). However, the Metron Alerts UI is empty. Do I need additional configuration for these alerts to show up in the Alerts UI?

Tags: CyberSecurity, Metron
Labels: Apache Metron
11-29-2017
04:48 AM
This works. Thanks a lot. I have spent hours trying to figure out why the profile is in HBase but not showing up in Stellar.
11-28-2017
01:34 PM
I created a squid telemetry following https://cwiki.apache.org/confluence/display/METRON/Profiling+Your+Streams and created 2 profiles:

{
  "profiles": [
    {
      "profile": "squid-miss",
      "foreach": "ip_src_addr",
      "onlyif": "source.type == 'squid' and action == 'TCP_MISS'",
      "update": { "m": "STATS_ADD(m, 1)" },
      "result": "m"
    },
    {
      "profile": "url-length",
      "foreach": "ip_src_addr",
      "onlyif": "source.type == 'squid'",
      "update": { "m": "STATS_ADD(m, LENGTH(url))" },
      "result": "m"
    }
  ]
}

I can see the profile values when I scan HBase. However, when I run PROFILE_GET("url-length", "127.0.0.1", PROFILE_FIXED(5,"HOURS")) I get an empty result. This is true for both the profiles and all time windows. There is no other error. How can I get profile values using Stellar?

Tags: CyberSecurity, Metron
Labels: Apache Metron
10-09-2017
05:05 AM
1 Kudo
To get around this error, go to /etc/yum.repos.d and mv the file sandbox.repo out of this folder into some other folder, then do the yum install.
10-03-2017
04:56 AM
Try mv /etc/yum.repos.d/sandbox.repo /tmp, do your yum install, and then move sandbox.repo back to /etc/yum.repos.d.