Search in sources :

Example 26 with SensorEnrichmentConfig

use of org.apache.metron.common.configuration.enrichment.SensorEnrichmentConfig in project metron by apache.

the class ThreatIntelJoinBoltTest method test.

public void test(String threatTriageConfig, boolean badConfig) throws IOException {
    ThreatIntelJoinBolt threatIntelJoinBolt = new ThreatIntelJoinBolt("zookeeperUrl");
    threatIntelJoinBolt.setCuratorFramework(client);
    threatIntelJoinBolt.setZKCache(cache);
    SensorEnrichmentConfig enrichmentConfig = JSONUtils.INSTANCE.load(new FileInputStream(sampleSensorEnrichmentConfigPath), SensorEnrichmentConfig.class);
    boolean withThreatTriage = threatTriageConfig != null;
    if (withThreatTriage) {
        try {
            enrichmentConfig.getThreatIntel().setTriageConfig(JSONUtils.INSTANCE.load(threatTriageConfig, ThreatTriageConfig.class));
            if (badConfig) {
                Assert.fail(threatTriageConfig + "\nThis should not parse!");
            }
        } catch (JsonMappingException pe) {
            if (!badConfig) {
                throw pe;
            }
        }
    }
    threatIntelJoinBolt.getConfigurations().updateSensorEnrichmentConfig(sensorType, enrichmentConfig);
    HashMap<String, Object> globalConfig = new HashMap<>();
    String baseDir = UnitTestHelper.findDir("GeoLite");
    File geoHdfsFile = new File(new File(baseDir), "GeoIP2-City-Test.mmdb.gz");
    globalConfig.put(GeoLiteDatabase.GEO_HDFS_FILE, geoHdfsFile.getAbsolutePath());
    threatIntelJoinBolt.getConfigurations().updateGlobalConfig(globalConfig);
    threatIntelJoinBolt.withMaxCacheSize(100);
    threatIntelJoinBolt.withMaxTimeRetain(10000);
    threatIntelJoinBolt.prepare(new HashMap<>(), topologyContext, outputCollector);
    Map<String, Object> fieldMap = threatIntelJoinBolt.getFieldMap("incorrectSourceType");
    Assert.assertNull(fieldMap);
    fieldMap = threatIntelJoinBolt.getFieldMap(sensorType);
    Assert.assertTrue(fieldMap.containsKey("hbaseThreatIntel"));
    MessageGetStrategy messageGetStrategy = mock(MessageGetStrategy.class);
    Tuple messageTuple = mock(Tuple.class);
    when(messageGetStrategy.get(messageTuple)).thenReturn(message);
    Map<String, Tuple> streamMessageMap = new HashMap<>();
    streamMessageMap.put("message", messageTuple);
    JSONObject joinedMessage = threatIntelJoinBolt.joinMessages(streamMessageMap, messageGetStrategy);
    assertFalse(joinedMessage.containsKey("is_alert"));
    when(messageGetStrategy.get(messageTuple)).thenReturn(messageWithTiming);
    joinedMessage = threatIntelJoinBolt.joinMessages(streamMessageMap, messageGetStrategy);
    assertFalse(joinedMessage.containsKey("is_alert"));
    when(messageGetStrategy.get(messageTuple)).thenReturn(alertMessage);
    joinedMessage = threatIntelJoinBolt.joinMessages(streamMessageMap, messageGetStrategy);
    assertTrue(joinedMessage.containsKey("is_alert") && "true".equals(joinedMessage.get("is_alert")));
    if (withThreatTriage && !badConfig) {
        assertTrue(joinedMessage.containsKey("threat.triage.score"));
        Double score = (Double) joinedMessage.get("threat.triage.score");
        assertTrue(Math.abs(10d - score) < 1e-10);
    } else {
        assertFalse(joinedMessage.containsKey("threat.triage.score"));
    }
}
Also used : ThreatTriageConfig(org.apache.metron.common.configuration.enrichment.threatintel.ThreatTriageConfig) HashMap(java.util.HashMap) MessageGetStrategy(org.apache.metron.common.message.MessageGetStrategy) FileInputStream(java.io.FileInputStream) JSONObject(org.json.simple.JSONObject) JsonMappingException(com.fasterxml.jackson.databind.JsonMappingException) JSONObject(org.json.simple.JSONObject) File(java.io.File) SensorEnrichmentConfig(org.apache.metron.common.configuration.enrichment.SensorEnrichmentConfig) Tuple(org.apache.storm.tuple.Tuple)

Example 27 with SensorEnrichmentConfig

use of org.apache.metron.common.configuration.enrichment.SensorEnrichmentConfig in project metron by apache.

the class ParallelEnricherTest method testBadConfigWrongEnrichmentType.

@Test
public void testBadConfigWrongEnrichmentType() throws Exception {
    SensorEnrichmentConfig config = JSONUtils.INSTANCE.load(badConfigWrongEnrichmentType, SensorEnrichmentConfig.class);
    config.getConfiguration().putIfAbsent("stellarContext", stellarContext);
    JSONObject message = new JSONObject() {

        {
            put(Constants.SENSOR_TYPE, "test");
        }
    };
    try {
        enricher.apply(message, EnrichmentStrategies.ENRICHMENT, config, null);
        Assert.fail("This is an invalid config, we should have failed.");
    } catch (IllegalStateException ise) {
        Assert.assertEquals(ise.getMessage(), "Unable to find an adapter for hbaseThreatIntel, possible adapters are: " + Joiner.on(",").join(enrichmentsByType.keySet()));
    }
}
Also used : JSONObject(org.json.simple.JSONObject) SensorEnrichmentConfig(org.apache.metron.common.configuration.enrichment.SensorEnrichmentConfig) Test(org.junit.Test)

Example 28 with SensorEnrichmentConfig

use of org.apache.metron.common.configuration.enrichment.SensorEnrichmentConfig in project metron by apache.

the class ThreatTriageFunctions method getSensorEnrichmentConfig.

/**
 * Retrieves the sensor enrichment configuration from the function arguments.  The manner
 * of retrieving the configuration can differ based on what the user passes in.
 * @param args The function arguments.
 * @param position The position from which the configuration will be extracted.
 * @return The sensor enrichment configuration.
 */
private static SensorEnrichmentConfig getSensorEnrichmentConfig(List<Object> args, int position) {
    Object arg0 = Util.getArg(position, Object.class, args);
    SensorEnrichmentConfig config = new SensorEnrichmentConfig();
    if (arg0 instanceof String) {
        // deserialize the configuration from json
        String json = Util.getArg(0, String.class, args);
        if (json != null) {
            config = (SensorEnrichmentConfig) ENRICHMENT.deserialize(json);
        }
    } else if (arg0 instanceof ThreatTriageProcessor) {
        // extract the configuration from the engine
        ThreatTriageProcessor engine = Util.getArg(0, ThreatTriageProcessor.class, args);
        config = engine.getSensorConfig();
    } else {
        // unexpected type
        throw new IllegalArgumentException(String.format("Unexpected type: got '%s'", ClassUtils.getShortClassName(arg0, "null")));
    }
    return config;
}
Also used : ThreatTriageProcessor(org.apache.metron.threatintel.triage.ThreatTriageProcessor) JSONObject(org.json.simple.JSONObject) SensorEnrichmentConfig(org.apache.metron.common.configuration.enrichment.SensorEnrichmentConfig)

Example 29 with SensorEnrichmentConfig

use of org.apache.metron.common.configuration.enrichment.SensorEnrichmentConfig in project metron by apache.

the class ThreatTriageFunctionsTest method testSetAggregationWithEngine.

@Test
public void testSetAggregationWithEngine() {
    // init the engine
    ThreatTriageProcessor engine = (ThreatTriageProcessor) run("THREAT_TRIAGE_INIT()");
    Map<String, Object> vars = new HashMap<>();
    vars.put("engine", engine);
    // set the aggregator
    String newConfig = (String) run("THREAT_TRIAGE_SET_AGGREGATOR(engine, 'MIN')", vars);
    // validate the return configuration
    SensorEnrichmentConfig sensorConfig = (SensorEnrichmentConfig) ENRICHMENT.deserialize(newConfig);
    Assert.assertEquals("MIN", sensorConfig.getThreatIntel().getTriageConfig().getAggregator().toString());
    // validate that the engine was updated
    Assert.assertEquals("MIN", engine.getSensorConfig().getThreatIntel().getTriageConfig().getAggregator().toString());
}
Also used : ThreatTriageProcessor(org.apache.metron.threatintel.triage.ThreatTriageProcessor) HashMap(java.util.HashMap) SensorEnrichmentConfig(org.apache.metron.common.configuration.enrichment.SensorEnrichmentConfig) Test(org.junit.Test)

Example 30 with SensorEnrichmentConfig

use of org.apache.metron.common.configuration.enrichment.SensorEnrichmentConfig in project metron by apache.

the class ThreatTriageFunctionsTest method testSetAggregation.

@Test
public void testSetAggregation() {
    String newConfig = (String) run("THREAT_TRIAGE_SET_AGGREGATOR(config, 'MIN' )", toMap("config", configStr));
    SensorEnrichmentConfig sensorConfig = (SensorEnrichmentConfig) ENRICHMENT.deserialize(newConfig);
    Assert.assertEquals("MIN", sensorConfig.getThreatIntel().getTriageConfig().getAggregator().toString());
}
Also used : SensorEnrichmentConfig(org.apache.metron.common.configuration.enrichment.SensorEnrichmentConfig) Test(org.junit.Test)

Aggregations

SensorEnrichmentConfig (org.apache.metron.common.configuration.enrichment.SensorEnrichmentConfig)30 Test (org.junit.Test)22 JSONObject (org.json.simple.JSONObject)15 HashMap (java.util.HashMap)11 CacheKey (org.apache.metron.enrichment.bolt.CacheKey)6 File (java.io.File)4 MetronError (org.apache.metron.common.error.MetronError)3 FileInputStream (java.io.FileInputStream)2 HashSet (java.util.HashSet)2 Map (java.util.Map)2 SetDataBuilder (org.apache.curator.framework.api.SetDataBuilder)2 EnrichmentConfigurations (org.apache.metron.common.configuration.EnrichmentConfigurations)2 SensorEnrichmentUpdateConfig (org.apache.metron.common.configuration.enrichment.SensorEnrichmentUpdateConfig)2 ThreatTriageProcessor (org.apache.metron.threatintel.triage.ThreatTriageProcessor)2 Values (org.apache.storm.tuple.Values)2 JsonMappingException (com.fasterxml.jackson.databind.JsonMappingException)1 BufferedReader (java.io.BufferedReader)1 FileReader (java.io.FileReader)1 IOException (java.io.IOException)1 EnrichmentConfig (org.apache.metron.common.configuration.enrichment.EnrichmentConfig)1