[jira] [Commented] (METRON-93) Generalize the HBase threat intel infrastructure to support enrichments

Mon, 04 Apr 2016 06:20:05 -0700 

    [ 
https://issues.apache.org/jira/browse/METRON-93?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15224098#comment-15224098
 ] 

ASF GitHub Bot commented on METRON-93:
--------------------------------------

Github user merrimanr commented on a diff in the pull request:

    https://github.com/apache/incubator-metron/pull/66#discussion_r58373473
  
    --- Diff: 
metron-streaming/Metron-Common/src/main/java/org/apache/metron/enrichment/EnrichmentConfig.java
 ---
    @@ -0,0 +1,203 @@
    +/**
    + * Licensed to the Apache Software Foundation (ASF) under one
    + * or more contributor license agreements.  See the NOTICE file
    + * distributed with this work for additional information
    + * regarding copyright ownership.  The ASF licenses this file
    + * to you under the Apache License, Version 2.0 (the
    + * "License"); you may not use this file except in compliance
    + * with the License.  You may obtain a copy of the License at
    + *
    + *     http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing, software
    + * distributed under the License is distributed on an "AS IS" BASIS,
    + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    + * See the License for the specific language governing permissions and
    + * limitations under the License.
    + */
    +
    +package org.apache.metron.enrichment;
    +
    +import com.google.common.base.Joiner;
    +import org.apache.curator.framework.CuratorFramework;
    +import org.apache.metron.Constants;
    +import org.apache.metron.domain.SourceConfig;
    +import org.apache.metron.domain.SourceConfigUtils;
    +import org.slf4j.Logger;
    +import org.slf4j.LoggerFactory;
    +
    +import java.io.IOException;
    +import java.util.*;
    +
    +public class EnrichmentConfig {
    +  public static enum Type {
    +     THREAT_INTEL
    +    ,ENRICHMENT
    +  }
    +
    +  protected static final Logger _LOG = 
LoggerFactory.getLogger(EnrichmentConfig.class);
    +  public static class FieldList {
    +    Type type;
    +    Map<String, List<String>> fieldToEnrichmentTypes;
    +
    +    public Type getType() {
    +      return type;
    +    }
    +
    +    public void setType(Type type) {
    +      this.type = type;
    +    }
    +
    +    public Map<String, List<String>> getFieldToEnrichmentTypes() {
    +      return fieldToEnrichmentTypes;
    +    }
    +
    +    public void setFieldToEnrichmentTypes(Map<String, List<String>> 
fieldToEnrichmentTypes) {
    +      this.fieldToEnrichmentTypes = fieldToEnrichmentTypes;
    +    }
    +  }
    +  public String zkQuorum;
    +  public Map<String, FieldList> sensorToFieldList;
    +
    +  public String getZkQuorum() {
    +    return zkQuorum;
    +  }
    +
    +  public void setZkQuorum(String zkQuorum) {
    +    this.zkQuorum = zkQuorum;
    +  }
    +
    +  public Map<String, FieldList> getSensorToFieldList() {
    +    return sensorToFieldList;
    +  }
    +
    +  public void setSensorToFieldList(Map<String, FieldList> 
sensorToFieldList) {
    +    this.sensorToFieldList = sensorToFieldList;
    +  }
    +
    +  public void updateSensorConfigs( ) throws Exception {
    +    CuratorFramework client = SourceConfigUtils.getClient(getZkQuorum());
    +    try {
    +      client.start();
    +      updateSensorConfigs(new ZKSourceConfigHandler(client), 
sensorToFieldList);
    +    }
    +    finally {
    +      client.close();
    +    }
    +  }
    +
    +  public static interface SourceConfigHandler {
    +    SourceConfig readConfig(String sensor) throws Exception;
    +    void persistConfig(String sensor, SourceConfig config) throws 
Exception;
    +  }
    +
    +  public static class ZKSourceConfigHandler implements SourceConfigHandler 
{
    +    CuratorFramework client;
    +    public ZKSourceConfigHandler(CuratorFramework client) {
    +      this.client = client;
    +    }
    +    @Override
    +    public SourceConfig readConfig(String sensor) throws Exception {
    +      return SourceConfigUtils.readConfigFromZookeeper(client, sensor);
    +    }
    +
    +    @Override
    +    public void persistConfig(String sensor, SourceConfig config) throws 
Exception {
    +      SourceConfigUtils.writeToZookeeper(client, sensor, 
config.toJSON().getBytes());
    +    }
    +  }
    +
    +  public static void updateSensorConfigs( SourceConfigHandler scHandler
    +                                        , Map<String, FieldList> 
sensorToFieldList
    +                                        ) throws Exception
    +  {
    +    Map<String, SourceConfig> sourceConfigsChanged = new HashMap<>();
    +    for (Map.Entry<String, FieldList> kv : sensorToFieldList.entrySet()) {
    +      SourceConfig config = sourceConfigsChanged.get(kv.getKey());
    +      if(config == null) {
    +        config = scHandler.readConfig(kv.getKey());
    +        if(_LOG.isDebugEnabled()) {
    +          _LOG.debug(config.toJSON());
    +        }
    +      }
    +      Map<String, List<String> > fieldMap = null;
    +      Map<String, List<String> > fieldToTypeMap = null;
    +      List<String> fieldList = null;
    +      if(kv.getValue().type == Type.THREAT_INTEL) {
    +        fieldMap = config.getThreatIntelFieldMap();
    +        if(fieldMap!= null) {
    +          fieldList = fieldMap.get(Constants.SIMPLE_HBASE_THREAT_INTEL);
    +        }
    +        if(fieldList == null) {
    +          fieldList = new ArrayList<>();
    +          fieldMap.put(Constants.SIMPLE_HBASE_THREAT_INTEL, fieldList);
    +        }
    +        fieldToTypeMap = config.getFieldToThreatIntelTypeMap();
    +        if(fieldToTypeMap == null) {
    +          fieldToTypeMap = new HashMap<>();
    +          config.setFieldToThreatIntelTypeMap(fieldToTypeMap);
    +        }
    +      }
    +      else if(kv.getValue().type == Type.ENRICHMENT) {
    +        fieldMap = config.getEnrichmentFieldMap();
    +        if(fieldMap!= null) {
    +          fieldList = fieldMap.get(Constants.SIMPLE_HBASE_ENRICHMENT);
    +        }
    +        if(fieldList == null) {
    +          fieldList = new ArrayList<>();
    +          fieldMap.put(Constants.SIMPLE_HBASE_ENRICHMENT, fieldList);
    +        }
    +        fieldToTypeMap = config.getFieldToEnrichmentTypeMap();
    +        if(fieldToTypeMap == null) {
    +          fieldToTypeMap = new HashMap<>();
    +          config.setFieldToEnrichmentTypeMap(fieldToTypeMap);
    +        }
    +      }
    +      if(fieldToTypeMap == null  || fieldMap == null) {
    +        _LOG.debug("fieldToTypeMap is null or fieldMap is null, so 
skipping");
    +        continue;
    +      }
    +      //Add the additional fields to the field list associated with the 
hbase adapter
    +      {
    --- End diff --
    
    Are these inline braces necessary?


> Generalize the HBase threat intel infrastructure to support enrichments
> -----------------------------------------------------------------------
>
>                 Key: METRON-93
>                 URL: https://issues.apache.org/jira/browse/METRON-93
>             Project: Metron
>          Issue Type: Improvement
>            Reporter: Casey Stella
>            Assignee: Casey Stella
>   Original Estimate: 504h
>  Remaining Estimate: 504h
>
> As it stands, the threat intel infrastructure is awkward.  Namely, different 
> threat intelligence sources must be pushed into separate hbase tables 
> (malicious_ips separate form malicious_hosts, for instance).  We'd rather 
> have one table where the type is brought into the rowkey.  Since this 
> infrastructure is generalized, also add a simple hbase enrichment adapter.
> Furthermore, the configuration for a new enrichment should be added to 
> zookeeper as part of the data load.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to