
mapper_parsing_exception, TCP flag parsing problem #214

Closed
dexter-sec opened this issue Sep 1, 2022 · 2 comments
Comments

@dexter-sec

🐛 Summary

After installing and building, everything runs fine except for this error:

logstash_1 | [2022-09-01T03:04:53,615][WARN ][logstash.outputs.opensearch] Could not index event to OpenSearch. {:status=>400, :action=>["index", {:_id=>"220901-ZO7C1nd7-47Z7BUKiOEaOA", :_index=>"arkime_sessions3-220901", :routing=>nil}, {"network"=>{"packets"=>62, "type"=>"ipv4", "iana_number"=>["6"], "bytes"=>2804, "vlan"=>{"id"=>["1005"]}, "transport"=>["tcp"], "community_id"=>"1:ZfAjPAlzM8PYZFb+9nQ9dynDUUs=", "direction"=>"outbound"}, "protocol"=>["tcp"], "ipProtocol"=>6, "host"=>{"name"=>"IDS01"}, "tcpflags"=>{"rst"=>1000000000000000000000000, "syn-ack"=>1, "syn"=>1, "ack"=>1}, "destination"=>{"packets"=>52, "as"=>{"full"=>"AS42473 ANEXIA Internetdienstleistungs GmbH"}, "bytes"=>2120, "geo"=>{"location"=>{"lat"=>1.2929, "lon"=>103.8547}, "timezone"=>"Asia/Singapore", "country_code3"=>"SG", "country_name"=>"Singapore", "ip"=>"188.172.203.42", "continent_code"=>"AS", "postal_code"=>"18", "country_iso_code"=>"SG", "longitude"=>103.8547, "city_name"=>"Singapore", "country_code2"=>"SG", "latitude"=>1.2929}, "ip"=>"188.172.203.42", "mac"=>["00:00:5e:00:01:05"], "oui"=>"ICANN, IANA Department", "port"=>5938}, "srcOui"=>["Qbic Technology Co., Ltd"], "firstPacket"=>1662001268934, "dstOui"=>["ICANN, IANA Department"],"server"=>{"bytes"=>0}, "@timestamp"=>2022-09-01T03:01:08.934Z, "timestamp"=>1662001268934, "client"=>{"bytes"=>37}, "rootId"=>"CM00QEG59T273hhWa", "log"=>{"file"=>{"path"=>"conn.log"}}, "related"=>{"ip"=>["10.0.5.11", "188.172.203.42"], "mac"=>["c8:f5:d6:20:06:06", "00:00:5e:00:01:05"], "oui"=>["Qbic Technology Co., Ltd", "ICANN, IANA Department"]}, "totDataBytes"=>37, "event"=>{"risk_score"=>70.0, "severity"=>70, "category"=>["network"], "start"=>"1662001268934", "provider"=>"zeek", "risk_score_norm"=>70.0, "end"=>"1662001269015", "dataset"=>"conn", "ingested"=>2022-09-01T03:04:53.417Z, "severity_tags"=>["Connection aborted (responder)", "Outbound traffic"], "hash"=>"ZO7C1nd7-47Z7BUKiOEaOA", "id"=>["CM00QEG59T273hhWa"], "kind"=>"event", 
"duration"=>80664000}, "length"=>81, "input"=>{}, "agent"=>{"name"=>"IDS01", "hostname"=>"filebeat"}, "@Version"=>"1", "node"=>"IDS01", "zeek"=>{"uid"=>"CM00QEG59T273hhWa", "conn"=>{"history"=>"ShADTrrrrrrrrrrrrrrrrrrrrrrrrr", "resp_pkts"=>"52", "local_resp"=>"F", "vlan"=>"1005", "conn_state"=>"RSTR", "orig_bytes"=>"37", "orig_ip_bytes"=>"684", "resp_ip_bytes"=>"2120", "orig_pkts"=>"10", "duration"=>"0.080664", "missed_bytes"=>"0", "local_orig"=>"T", "resp_bytes"=>"0", "conn_state_description"=>"Established, responder aborted"}, "ts"=>"2022-09-01T03:01:08.934Z"}, "tags"=>["internal_source", "external_destination"], "lastPacket"=>1662001269015, "ecs"=>{"version"=>"1.6.0"}, "source"=>{"packets"=>10, "bytes"=>684, "ip"=>"10.0.5.11", "mac"=>["c8:f5:d6:20:06:06"], "oui"=>"Qbic Technology Co., Ltd", "port"=>43366}}], :response=>{"index"=>{"_index"=>"arkime_sessions3-220901", "_id"=>"220901-ZO7C1nd7-47Z7BUKiOEaOA", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [tcpflags.rst] of type [long] in document with id '220901-ZO7C1nd7-47Z7BUKiOEaOA'. Preview of field's value: '1000000000000000000000000'", "caused_by"=>{"type"=>"input_coercion_exception", "reason"=>"Numeric value (1000000000000000000000000) out of range of long (-9223372036854775808 - 9223372036854775807)\n at [Source: (byte[])"{"network":{"packets":62,"type":"ipv4","iana_number":["6"],"bytes":2804,"vlan":{"id":["1005"]},"transport":["tcp"],"community_id":"1:ZfAjPAlzM8PYZFb+9nQ9dynDUUs=","direction":"outbound"},"protocol":["tcp"],"ipProtocol":6,"host":{"name":"IDS01"},"tcpflags":{"rst":1000000000000000000000000,"syn-ack":1,"syn":1,"ack":1},"destination":{"packets":52,"as":{"full":"AS42473 ANEXIA Internetdienstleistungs GmbH"},"bytes":2120,"geo":{"location":{"lat":1.2929,"lon":103.8547},"timezone":"Asia/Singapore","coun"[truncated 1859 bytes]; line: 1, column: 289]"}}}}}

I have no idea why [tcpflags.rst] is set to and parsed as '1000000000000000000000000'.
How do I change the [tcpflags.rst] type, and does anyone have an idea how to handle this error? Please help me :(

@mmguero
Collaborator

mmguero commented Sep 6, 2022

Interesting... the conn.log history value is "history"=>"ShADTrrrrrrrrrrrrrrrrrrrrrrrrr" which causes the calculation for the tcpflags value to overflow. I will cap it, expect a commit for the next release.

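The overflow the maintainer describes above, reconstructed as an added Ruby illustration (this is not Malcolm's own Logstash filter code). It assumes that a history letter repeated n times is read on a logarithmic scale as 10**(n-1) packets; under that assumption a run of 25 'r' characters yields exactly the 1000000000000000000000000 reported in the issue, and the capped variant shows the fix shape the maintainer announced. The letter-to-flag mapping, `LONG_MAX`, and the `cap:` parameter are assumptions of this example.

```ruby
# Added illustration (not Malcolm's filter): derive per-flag counts from a
# Zeek conn.log "history" string and cap them so they fit the OpenSearch
# `long` mapping used for tcpflags.*.

LONG_MAX = 2**63 - 1 # upper bound of a Java/OpenSearch `long`

# History letters that correspond to TCP flags. Upper case = originator,
# lower case = responder; both directions are merged into one count here.
# Letters such as d, t, c, g, w, i, q, ^, x describe payload/analysis state
# and are ignored (assumed mapping for this example).
FLAG_NAMES = { 's' => 'syn', 'h' => 'syn-ack', 'a' => 'ack',
               'f' => 'fin', 'r' => 'rst' }.freeze

# Uncapped version: reproduces the failure mode from the issue.
def history_flag_counts(history)
  occurrences = Hash.new(0)
  history.to_s.each_char do |c|
    name = FLAG_NAMES[c.downcase]
    occurrences[name] += 1 if name
  end
  # Assumed logarithmic reading: n repeats -> 10**(n - 1) packets.
  # Ruby Integers are arbitrary precision, so nothing stops this from
  # growing past what a 64-bit `long` can hold.
  occurrences.transform_values { |n| 10**(n - 1) }
end

# Check a value against the long range quoted in the OpenSearch error.
def fits_long?(value)
  value.between?(-(2**63), LONG_MAX)
end

# Hardened version: clamp every count before it leaves the filter, so the
# event can no longer trip mapper_parsing_exception on tcpflags.*.
def capped_flag_counts(history, cap: LONG_MAX)
  history_flag_counts(history).transform_values { |v| [v, cap].min }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input: the "ShADT" prefix from the issue followed by 25 'r's.
  hist = 'ShADT' + 'r' * 25
  p history_flag_counts(hist)  # rst => 10**24, does not fit a long
  p capped_flag_counts(hist)   # rst => LONG_MAX
end
```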
mmguero added a commit to mmguero-dev/Malcolm that referenced this issue Sep 6, 2022
@mmguero
Collaborator

mmguero commented Sep 6, 2022

Closed as fixed in upcoming v6.3.0 release

@mmguero mmguero closed this as completed Sep 6, 2022
mmguero added a commit to idaholab/Malcolm that referenced this issue Sep 7, 2022
* New Features
    * Support remote OpenSearch instance/cluster as alternative to local containerized instance (#110)
    * Documentation and convenience scripts for configuring ingestion of third-party logs, and basic parsing/normalizing of Fluent-Bit's Windows event logs
    * S7comm Plus support and replaced Amazon S7comm parser with icsnpp-s7comm (#99)

* Version Bumps
    * OpenSearch and OpenSearch Dashboards to v2.2.1
    * Zeek to v5.0.1
    * Spicy to v1.5.1
    * spicy-plugin to v1.3.17
    * YARA to v4.2.3
    * Capa to v4.0.1

* Improvements
    * Major improvements to OPC UA Binary parser and supporting dashboards
    * Ensure that all containers are provided the same information about trusted CA certificates
    * Changed list of "sensitive countries" to match U.S. Department of Energy Sensitive Country List
    * Increased maximum fields from 3,000 to 5,000
    * Standardized configuration and authentication for primary and secondary remote OpenSearch instances, and make sure that index templates are created on secondary remote OpenSearch instances
    * Expand and fix normalization of [network.direction](https://www.elastic.co/guide/en/ecs/current/ecs-network.html#field-network-direction) in lieu of using tags
    * Various tweaks and improvements to the `install.py` script for enabling/disabling some features

* Bugs Fixed
    * fields could be missing in Arkime due to a large number of concurrent requests (#115)
    * mapper_parsing_exception, TCP flag parsing problem (cisagov#214)
mmguero added a commit that referenced this issue Sep 7, 2022
* New Features
    * Support remote OpenSearch instance/cluster as alternative to local containerized instance (idaholab#110)
    * Documentation and convenience scripts for configuring ingestion of third-party logs, and basic parsing/normalizing of Fluent-Bit's Windows event logs
    * S7comm Plus support and replaced Amazon S7comm parser with icsnpp-s7comm (idaholab#99)

* Version Bumps
    * OpenSearch and OpenSearch Dashboards to v2.2.1
    * Zeek to v5.0.1
    * Spicy to v1.5.1
    * spicy-plugin to v1.3.17
    * YARA to v4.2.3
    * Capa to v4.0.1

* Improvements
    * Major improvements to OPC UA Binary parser and supporting dashboards
    * Ensure that all containers are provided the same information about trusted CA certificates
    * Changed list of "sensitive countries" to match U.S. Department of Energy Sensitive Country List
    * Increased maximum fields from 3,000 to 5,000
    * Standardized configuration and authentication for primary and secondary remote OpenSearch instances, and make sure that index templates are created on secondary remote OpenSearch instances
    * Expand and fix normalization of [network.direction](https://www.elastic.co/guide/en/ecs/current/ecs-network.html#field-network-direction) in lieu of using tags
    * Various tweaks and improvements to the `install.py` script for enabling/disabling some features

* Bugs Fixed
    * fields could be missing in Arkime due to a large number of concurrent requests (idaholab#115)
    * mapper_parsing_exception, TCP flag parsing problem (#214)