This repository was archived by the owner on Aug 20, 2025. It is now read-only.

METRON-1620: Fixes for forensic clustering use case example#1065

Closed
mmiklavc wants to merge 3 commits into apache:master from mmiklavc:update-forensic-clustering

Conversation

@mmiklavc
Contributor

@mmiklavc mmiklavc commented Jun 17, 2018

Contributor Comments

https://issues.apache.org/jira/browse/METRON-1620

Get the forensic hashing use case example working with ES 5.6.x.

I tested this in a 10-node Amazon EC2 Metron cluster.

Pull Request Checklist

Thank you for submitting a contribution to Apache Metron.
Please refer to our Development Guidelines for the complete guide to follow for contributions.
Please refer also to our Build Verification Guidelines for complete smoke testing guides.

In order to streamline the review of the contribution we ask you follow these guidelines and ask you to double check the following:

For all changes:

  • Is there a JIRA ticket associated with this PR? If not one needs to be created at Metron Jira.
  • Does your PR title start with METRON-XXXX where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.
  • Has your PR been rebased against the latest commit within the target branch (typically master)?

For code changes:

  • Have you included steps to reproduce the behavior or problem that is being changed or addressed?

  • Have you included steps or a guide to how the change may be verified and tested manually?

  • Have you ensured that the full suite of tests and checks have been executed in the root metron folder via:

    mvn -q clean integration-test install && dev-utilities/build-utils/verify_licenses.sh 
    
  • Have you verified the basic functionality of the build by building and running locally with Vagrant full-dev environment or the equivalent?

For documentation related changes:

  • Have you ensured that format looks appropriate for the output in which it is rendered by building and verifying the site-book? If not then run the following commands and the verify changes via site-book/target/site/index.html:

    cd site-book
    mvn site
    

Note:

Please ensure that once the PR is submitted, you check travis-ci for build issues and submit an update to your PR as soon as possible.
It is also recommended that travis-ci is set up for your personal repository such that your branches are built there before submitting a pull request.

@mmiklavc
Contributor Author

Testing

You can run through the full use case, if desired. If you want the TL;DR version to verify the template command, run the command in the README for creating the ES template. Then do the following:

Make sure you have at least 1 other sensor with data, e.g. Bro. In full dev you should be set, otherwise cat data from our unit tests (https://github.com/apache/metron/blob/master/metron-platform/metron-integration-test/src/main/sample/data/bro/raw/BroExampleOutput) into the bro Kafka topic and make sure the bro topology is running.

e.g.

wget https://github.com/apache/metron/raw/master/metron-platform/metron-integration-test/src/main/sample/data/bro/raw/BroExampleOutput -O ~/sample-bro.json
cat ~/sample-bro.json | /usr/hdp/current/kafka-broker/bin/kafka-console-producer.sh --broker-list $BROKERLIST --topic bro

Next, check the template was loaded correctly:

curl -XGET $ES_HOST'/_template/cowrie_index?pretty=true'

Then load the following into ES:

curl -XPUT $ES_HOST'/cowrie_index_1/cowrie_doc/1' -H 'Content-Type: application/json' -d'
{
    "eventid" : "cowrie.command.input",
    "adapter:stellaradapter:end:ts" : "1529268179998",
    "threatinteljoinbolt:joiner:ts" : "1529268180010",
    "session" : "4c047bbc016c",
    "threat:triage:rules:0:comment" : "Determine if a host is blacklisted",
    "enrichmentsplitterbolt:splitter:begin:ts" : "1529268179997",
    "enrichmentjoinbolt:joiner:ts" : "1529268180002",
    "threat:triage:rules:0:name" : "Blacklisted Host",
    "src_ip" : "94.51.110.74",
    "source:type" : "cowrie",
    "isError" : 0,
    "original_string" : "{\"src_ip\":\"94.51.110.74\",\"eventid\":\"cowrie.command.input\",\"input\":\"\\/bin\\/busybox XUSRH\",\"system\":\"CowrieTelnetTransport,93,94.51.110.74\",\"isError\":0,\"session\":\"4c047bbc016c\",\"sensor\":\"a927e8b28666\",\"message\":\"CMD: \\/bin\\/busybox XUSRH\",\"timestamp\":\"2017-09-17T04:06:40.419195Z\"}",
    "threatintelsplitterbolt:splitter:end:ts" : "1529268180004",
    "similarity_bin" : "166524",
    "threat:triage:rules:0:score" : 10,
    "timestamp" : 1505621619195,
    "threat:triage:rules:0:reason" : "IP 94.51.110.74 is blacklisted",
    "enrichmentsplitterbolt:splitter:end:ts" : "1529268179997",
    "threat:triage:score" : 10.0,
    "is_alert" : "true",
    "adapter:stellaradapter:begin:ts" : "1529268179998",
    "message" : "CMD: /bin/busybox XUSRH",
    "input" : "/bin/busybox XUSRH",
    "blacklisted" : true,
    "system" : "CowrieTelnetTransport,93,94.51.110.74",
    "threatintelsplitterbolt:splitter:begin:ts" : "1529268180004",
    "guid" : "f4e441d2-74e7-4127-89c4-edcf8227f893",
    "sensor" : "a927e8b28666",
    "tlsh" : "87A002C029850AFE3C890231B18B743C002C10825E5028A6DC8D00C1F213FC6FD31D0C"
}
'

Go to the Alerts UI and enter this in the search:

is_alert:true AND similarity_bin:166524

You should see the alert in the UI.
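To make the expected result of the steps above checkable without a cluster, here is an added example (not part of this PR or of Metron) that groups alert documents by `similarity_bin` the way the forensic clustering use case does and produces the Alerts UI search string for each bin. The first document is the one PUT into `cowrie_index_1` above; the other two are constructed, with placeholder guids and tlsh values.

```python
"""Group Metron alerts by similarity_bin and emit the Alerts UI search per bin."""
from collections import defaultdict

# Constructed sample input: the page's cowrie alert (trimmed to the fields the
# search depends on) plus two constructed documents with placeholder values.
SAMPLE_ALERTS = [
    {"guid": "f4e441d2-74e7-4127-89c4-edcf8227f893", "source:type": "cowrie",
     "is_alert": "true", "similarity_bin": "166524",
     "tlsh": "87A002C029850AFE3C890231B18B743C002C10825E5028A6DC8D00C1F213FC6FD31D0C"},
    {"guid": "PLACEHOLDER-GUID-2", "source:type": "cowrie",
     "is_alert": "true", "similarity_bin": "166524", "tlsh": "PLACEHOLDER-TLSH-2"},
    # Not an alert: must be excluded even though it carries a similarity_bin.
    {"guid": "PLACEHOLDER-GUID-3", "source:type": "cowrie",
     "is_alert": "false", "similarity_bin": "166524", "tlsh": "PLACEHOLDER-TLSH-3"},
]

REQUIRED_FIELDS = ("guid", "source:type", "is_alert", "similarity_bin", "tlsh")


def missing_forensic_fields(doc):
    """Fields the clustering search needs that are absent from the document."""
    return [f for f in REQUIRED_FIELDS if f not in doc]


def is_alert(doc):
    """Metron stores is_alert as the string "true"; accept a boolean too."""
    return str(doc.get("is_alert", "")).lower() == "true"


def cluster_alerts(docs):
    """Map each similarity_bin to the guids of the alerts that fall into it."""
    clusters = defaultdict(list)
    for doc in docs:
        if missing_forensic_fields(doc) or not is_alert(doc):
            continue
        clusters[str(doc["similarity_bin"])].append(doc["guid"])
    return dict(clusters)


def alerts_ui_search(similarity_bin):
    """The search string to paste into the Alerts UI for one bin."""
    return "is_alert:true AND similarity_bin:%s" % similarity_bin


if __name__ == "__main__":
    for bin_id, guids in cluster_alerts(SAMPLE_ALERTS).items():
        print(alerts_ui_search(bin_id), "->", len(guids), "alert(s)")
```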

@justinleet
Contributor

Do you think it's worthwhile to add something at the beginning like:

Metron version = x
ES version = y

At least then we'd be letting people know what version things were tested on, as well as at least giving them a path to looking at things like the upgrading.md, learning about schema changes, etc. to adapt an older use case.

@mmiklavc
Contributor Author

@justinleet I think we should really be updating these use cases as we make other updates to the system. One idea I had was to make our code samples testable. Maybe write some integration tests for the use case code where feasible. Tagging a version might at least make this more noticeable in the short term.

@mmiklavc
Contributor Author

@justinleet Updated. Let me know what you think.

@justinleet
Contributor

@mmiklavc I definitely agree that it's ideal if we can keep these up to date, but I suspect that even if we tie the functionality in, updates to the docs will slip here and there. I'm honestly not sure what the best solution to that is.

Thanks for the update, +1.

@cestella
Member

@mmiklavc Can we get this merged?

@asfgit asfgit closed this in 0c20fd1 Jul 16, 2018