<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:#0563C1;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:#954F72;
        text-decoration:underline;}
span.E-MailFormatvorlage17
        {mso-style-type:personal-compose;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
span.apple-converted-space
        {mso-style-name:apple-converted-space;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri",sans-serif;
        mso-fareast-language:EN-US;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:70.85pt 70.85pt 2.0cm 70.85pt;}
div.WordSection1
        {page:WordSection1;}
--></style>
</head>
<body lang="DE" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US">Hi there,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">I get this Exception at Elasticsearch:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span lang="EN-US">java.lang.IllegalArgumentException: mapper [vars.flowbits.ET.http.javaclient] of different type, current_type [boolean], merged_type [ObjectMapper]<o:p></o:p></span></b></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">However, when I look in eve.json, I find nothing suspicious.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<pre lang="EN-US">"timestamp":"2017-12-20T08:22:12.001459+0100",
"flow_id":896576785666535,
"event_type":"alert",
"src_ip":"XXX","src_port":64083,
"dest_ip":"XXX","dest_port":80,
"proto":"TCP",
"tx_id":1,
"alert":{"action":"allowed","gid":1,"signature_id":2011582,"rev":49,"signature":"ET POLICY Vulnerable Java Version 1.6.x Detected","category":"Potentially Bad Traffic","severity":2},
"http":{"hostname":"api.mixpanel.com","url":"\/decide?version=1&lib=web&token=d29678a540534e4eeac0d3ac260e2d24&distinct_id=wJdkr7beO00CTYjtuU2OrCw%2BOQXTv9iNgnjXVtcK7jQ%3D","http_user_agent":"Apache-HttpClient\/4.4 (Java 1.5 minimum; Java\/1.6.0_45)","http_method":"GET","protocol":"HTTP\/1.1","length":0},
<b>"vars":{"flowbits":{"ET.http.javaclient.vulnerable":true,"ET.JavaNotJar":true,"ET.http.javaclient":true}}</b>,
"app_proto":"http",
"flow":{"pkts_toserver":6,"pkts_toclient":5,"bytes_toserver":934,"bytes_toclient":875,"start":"2017-12-20T08:10:10.512487+0100"},
"stream":1,
"packet":"RQAAKAAAAABABvAVrBErmJ96E5f6UwBQYqpJcVt+fkBQEAoAmpsAAA==",
"packet_info":{"linktype":12}}</pre>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">What is wrong here (only with these vars!)?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">"vars":{"flowbits":{"ET.http.javaclient.vulnerable":true,"ET.JavaNotJar":true,"ET.http.javaclient":true}}<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">The Elasticsearch mapping is the same as in
<span style="color:#24292E;background:white">SELKS<span class="apple-converted-space"> 4.</span></span><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US">Thanks for any help here.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US">Stefan<o:p></o:p></span></p>
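<p class="MsoNormal"><span lang="EN-US">Added worked example (editor's code, not part of Stefan's mail and not Suricata, SELKS or Elasticsearch code). The exception names the field path Elasticsearch derived from the flowbit names: Elasticsearch 5.x and later treat a dot inside a JSON key as a path separator, so <code>"ET.http.javaclient":true</code> maps <code>vars.flowbits.ET.http.javaclient</code> as a boolean while <code>"ET.http.javaclient.vulnerable":true</code> needs that same path to be an object. A field cannot be both, which is exactly the <code>current_type [boolean], merged_type [ObjectMapper]</code> conflict; eve.json itself is valid, the problem is the dotted flowbit naming meeting the dot expansion. The Python below reproduces that expansion and the conflict check on a constructed copy of the quoted <code>vars</code> object, and shows one workaround: rewriting dots in keys to underscores before indexing, the same transformation the Logstash <code>de_dot</code> filter performs. <code>SAMPLE_DOC</code>, the helper names and the type-name mapping are the example's own assumptions.<o:p></o:p></span></p>

```python
"""Reproduce the Elasticsearch dotted-field conflict from the post and
check a de-dotted version. Added example; not Suricata/SELKS/ES code."""
from typing import Any, Optional

# Constructed sample: the "vars" object from the alert quoted in the mail,
# reduced to the keys that matter. Not a real log line.
SAMPLE_DOC: dict = {
    "event_type": "alert",
    "vars": {
        "flowbits": {
            "ET.http.javaclient.vulnerable": True,
            "ET.JavaNotJar": True,
            "ET.http.javaclient": True,
        }
    },
}


class MappingConflict(Exception):
    """A field path that would have to be both a leaf value and an object."""

    def __init__(self, path: str, current_type: str, merged_type: str) -> None:
        super().__init__(
            f"mapper [{path}] of different type, current_type [{current_type}], "
            f"merged_type [{merged_type}]"
        )
        self.path = path
        self.current_type = current_type
        self.merged_type = merged_type


def _es_type(value: Any) -> str:
    """Approximate Elasticsearch mapper name for a JSON value (assumed here,
    only used to phrase the error the way the real exception does)."""
    if isinstance(value, dict):
        return "ObjectMapper"
    if isinstance(value, bool):
        return "boolean"
    if isinstance(value, int):
        return "long"
    if isinstance(value, float):
        return "float"
    return "text"


def _merge(dst: dict, src: dict, path: str) -> None:
    """Merge src into dst, failing where a leaf and an object share a path."""
    for key, value in src.items():
        here = f"{path}.{key}" if path else key
        if key not in dst:
            dst[key] = value
        elif isinstance(dst[key], dict) and isinstance(value, dict):
            _merge(dst[key], value, here)
        elif isinstance(dst[key], dict) or isinstance(value, dict):
            raise MappingConflict(here, _es_type(dst[key]), _es_type(value))
        else:
            dst[key] = value  # two leaves: last write wins, no object conflict


def expand_dots(doc: dict, path: str = "") -> dict:
    """Expand dotted keys into nested objects the way Elasticsearch does when
    it builds a mapping: {"a.b.c": true} becomes {"a": {"b": {"c": true}}}.
    Raises MappingConflict when one path must be both a leaf and an object."""
    out: dict = {}
    for key, value in doc.items():
        here = f"{path}.{key}" if path else key
        if isinstance(value, dict):
            value = expand_dots(value, here)
        parts = key.split(".")
        nested: Any = value
        for part in reversed(parts[1:]):  # wrap from the innermost key outwards
            nested = {part: nested}
        _merge(out, {parts[0]: nested}, path)
    return out


def check_document(doc: dict) -> Optional[str]:
    """Return None if doc would index cleanly, else the conflicting field path
    (the same path the Elasticsearch IllegalArgumentException names)."""
    try:
        expand_dots(doc)
    except MappingConflict as exc:
        return exc.path
    return None


def de_dot(doc: dict, replacement: str = "_") -> dict:
    """Rewrite dotted keys so every flowbit stays a flat leaf field, as the
    Logstash de_dot filter does. "ET.http.javaclient" and
    "ET.http.javaclient.vulnerable" become two unrelated boolean fields."""
    return {
        key.replace(".", replacement): (de_dot(value, replacement)
                                        if isinstance(value, dict) else value)
        for key, value in doc.items()
    }


if __name__ == "__main__":
    print("raw eve.json conflict at:", check_document(SAMPLE_DOC))
    print("after de_dot conflict at:", check_document(de_dot(SAMPLE_DOC)))
```

<p class="MsoNormal"><span lang="EN-US">Running it reports <code>vars.flowbits.ET.http.javaclient</code> for the raw document and no conflict after <code>de_dot</code>. The order of the two flowbits inside one document does not matter; they collide either way, and they also collide across documents, which is why the index that already holds the boolean rejects a later event carrying the longer name. Renaming only helps for fields that have not been mapped yet: an index that already has the dotted mapping keeps it until it is reindexed.<o:p></o:p></span></p>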
</div>
</body>
</html>