[Oisf-users] Elasticsearch Exception with [vars.flowbits.ET.http.javaclient], why ?

Stefan Sabolowitsch Stefan.Sabolowitsch at felten-group.com
Wed Dec 20 09:10:48 UTC 2017


Hi there,
I get this Exception at Elasticsearch:

java.lang.IllegalArgumentException: mapper [vars.flowbits.ET.http.javaclient] of different type, current_type [boolean], merged_type [ObjectMapper]

However, when I look in eve.json, I find nothing suspicious.

"timestamp":"2017-12-20T08:22:12.001459+0100","flow_id":896576785666535,"event_type":"alert","src_ip":"XXX","src_port":64083,"dest_ip":"XXX","dest_port":80,"proto":"TCP","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2011582,"rev":49,"signature":"ET POLICY Vulnerable Java Version 1.6.x Detected","category":"Potentially Bad Traffic","severity":2},"http":{"hostname":"api.mixpanel.com","url":"\/decide?version=1&lib=web&token=d29678a540534e4eeac0d3ac260e2d24&distinct_id=wJdkr7beO00CTYjtuU2OrCw%2BOQXTv9iNgnjXVtcK7jQ%3D","http_user_agent":"Apache-HttpClient\/4.4 (Java 1.5 minimum; Java\/1.6.0_45)","http_method":"GET","protocol":"HTTP\/1.1","length":0},"vars":{"flowbits":{"ET.http.javaclient.vulnerable":true,"ET.JavaNotJar":true,"ET.http.javaclient":true}},"app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":5,"bytes_toserver":934,"bytes_toclient":875,"start":"2017-12-20T08:10:10.512487+0100"},"stream":1,"packet":"RQAAKAAAAABABvAVrBErmJ96E5f6UwBQYqpJcVt+fkBQEAoAmpsAAA==","packet_info":{"linktype":12}}

What is wrong here (only with these vars!)?
"vars":{"flowbits":{"ET.http.javaclient.vulnerable":true,"ET.JavaNotJar":true,"ET.http.javaclient":true}}

The mapping of Elasticsearch is the same as SELKS 4.
Thanks for any help here.

Stefan
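Editor's note, not part of the thread: the Python check below is an added example that reproduces the conflict in the quoted record. Elasticsearch expands dots in field names into nested objects, so `"ET.http.javaclient": true` maps that path as a boolean while `"ET.http.javaclient.vulnerable": true` maps the same path as an object, which is exactly the mapper error quoted above. The sample event is a reduced, constructed copy of the post's alert, and `dedot_keys` shows the usual mitigation (renaming dotted flowbit names before indexing, as Logstash's de_dot filter does).

```python
# Constructed sample record, reduced from the eve.json alert quoted in the post
# (sample data for this added example, not the author's full event).
SAMPLE_EVENT = {
    "event_type": "alert",
    "alert": {"signature_id": 2011582,
              "signature": "ET POLICY Vulnerable Java Version 1.6.x Detected"},
    "http": {"hostname": "api.mixpanel.com", "http_method": "GET"},
    "vars": {"flowbits": {"ET.http.javaclient.vulnerable": True,
                          "ET.JavaNotJar": True,
                          "ET.http.javaclient": True}},
}


def expanded_leaf_paths(obj, prefix=()):
    """Yield the path Elasticsearch assigns to each scalar value once dots in
    key names are expanded into nested object steps (ES 5.x+ behaviour)."""
    for key, value in obj.items():
        path = prefix + tuple(key.split("."))
        if isinstance(value, dict):
            yield from expanded_leaf_paths(value, path)
        else:
            yield path


def find_mapping_conflicts(event):
    """Return dotted paths that would be mapped both as a scalar field and as
    an object, i.e. the 'different type ... merged_type [ObjectMapper]' case."""
    leaves = set(expanded_leaf_paths(event))
    objects = {path[:i] for path in leaves for i in range(1, len(path))}
    return sorted(".".join(path) for path in leaves & objects)


def dedot_keys(obj, replacement="_"):
    """Mitigation: rename dotted keys before indexing (what Logstash's de_dot
    filter does), so flowbit names stay flat leaf fields."""
    if isinstance(obj, dict):
        return {k.replace(".", replacement): dedot_keys(v, replacement)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [dedot_keys(v, replacement) for v in obj]
    return obj


if __name__ == "__main__":
    # conflicts: ['vars.flowbits.ET.http.javaclient']
    print("conflicts:", find_mapping_conflicts(SAMPLE_EVENT))
    # after de_dot: []
    print("after de_dot:", find_mapping_conflicts(dedot_keys(SAMPLE_EVENT)))
```

Running the check over a batch of eve.json lines before they reach Elasticsearch is a cheap way to catch new flowbit names that will break an index mapping.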