Graylog2 / graylog-plugin-pipeline-processor

[DEPRECATED] Graylog Pipeline Message Processor Plugins
https://www.graylog.org/
GNU General Public License v3.0

I/O error - Infinite recursion with to_ip (ipv6 parsing issue) #199

Open MarkusMcNugen opened 7 years ago

MarkusMcNugen commented 7 years ago

Problem description

Infinite recursion when trying to convert an IP string to an IP address using the to_ip() function.

Steps to reproduce the problem

Source: 1500093714.115401|CuGFga3X7NWibJCGGa|10.16.5.182|137|10.16.15.255|137|udp|44426|-|WPAD|1|C_INTERNET|32|NB|-|-|F|F|T|F|1|-|-|F

  1. Create an input, a pipeline, and a stream.
  2. In the pipeline rule, split the message string and store the result in m.
  3. Convert an index of m to an IP.

Pipeline Rule

rule "Extract bro_dns log fields"
when
  has_field("application_name") &&
  contains(value: to_string($message.application_name), search: "bro_dns", ignore_case: true)
then
  let m = split("\\\|", to_string($message.message));

  set_field("ts", m[0]);
  set_field("uid", m[1]);
  set_field("source_ip", to_ip(m[2]));
  set_field("source_port", to_long(m[3]));
  set_field("destination_host", to_ip(m[4]));
  set_field("destination_port", to_long(m[5]));
  set_field("proto", m[6]);
  set_field("trans_id", m[7]);
  set_field("domain", m[8]);
  set_field("qclass", to_long(m[9]));
  set_field("qclass_name", m[10]);
  set_field("qtype", to_long(m[11]));
  set_field("qtype_name", m[12]);
  set_field("rcode", to_long(m[13]));
  set_field("rcode_name", m[14]);
  set_field("AA", m[15]);
  set_field("TC", m[16]);
  set_field("RD", m[17]);
  set_field("RA", m[18]);
  set_field("Z", to_long(m[19]));
  set_field("answers", m[20]);
  set_field("TTLs", m[21]);
  set_field("rejected", m[22]);
end

Log

2017-07-14T21:06:15.902-04:00 ERROR [ServerRuntime$Responder] An I/O error has occurred while writing a response message entity to the container output stream.
org.glassfish.jersey.server.internal.process.MappableException: com.fasterxml.jackson.databind.JsonMappingException: Infinite recursion (StackOverflowError) (through reference chain: org.graylog.plugins.pipelineprocessor.functions.ips.IpAddress["anonymized"]->org.graylog.plugins.pipelineprocessor.functions.ips.IpAddress["anonymized"]->org.graylog.plugins.pipelineprocessor.functions.ips.IpAddress["anonymized"]->org.graylog.plugins.pipelineprocessor.functions.ips.IpAddress["anonymized"]->org.graylog.plugins.pipelineprocessor.functions.ips.IpAddress["anonymized"]->org.graylog.plugins.pipelineprocessor.functions.ips.IpAddress["anonymized"]->org.graylog.plugins.pipelineprocessor.functions.ips.IpAddress["anonymized"]->org.graylog.plugins.pipelineprocessor.functions.ips.IpAddress["anonymized"])
    at org.glassfish.jersey.server.internal.MappableExceptionWrapperInterceptor.aroundWriteTo(MappableExceptionWrapperInterceptor.java:92) ~[graylog.jar:?]
    at org.glassfish.jersey.message.internal.WriterInterceptorExecutor.proceed(WriterInterceptorExecutor.java:162) ~[graylog.jar:?]
    at org.glassfish.jersey.message.internal.MessageBodyFactory.writeTo(MessageBodyFactory.java:1130) ~[graylog.jar:?]
    at org.glassfish.jersey.server.ServerRuntime$Responder.writeResponse(ServerRuntime.java:711) [graylog.jar:?]
    at org.glassfish.jersey.server.ServerRuntime$Responder.processResponse(ServerRuntime.java:444) [graylog.jar:?]
    at org.glassfish.jersey.server.ServerRuntime$Responder.process(ServerRuntime.java:434) [graylog.jar:?]
    at org.glassfish.jersey.server.ServerRuntime$2.run(ServerRuntime.java:329) [graylog.jar:?]
    at org.glassfish.jersey.internal.Errors$1.call(Errors.java:271) [graylog.jar:?]
    at org.glassfish.jersey.internal.Errors$1.call(Errors.java:267) [graylog.jar:?]
    at org.glassfish.jersey.internal.Errors.process(Errors.java:315) [graylog.jar:?]
    at org.glassfish.jersey.internal.Errors.process(Errors.java:297) [graylog.jar:?]
    at org.glassfish.jersey.internal.Errors.process(Errors.java:267) [graylog.jar:?]
    at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:317) [graylog.jar:?]
    at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:305) [graylog.jar:?]
    at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:1154) [graylog.jar:?]
    at org.glassfish.jersey.grizzly2.httpserver.GrizzlyHttpContainer.service(GrizzlyHttpContainer.java:384) [graylog.jar:?]
    at org.glassfish.grizzly.http.server.HttpHandler$1.run(HttpHandler.java:224) [graylog.jar:?]
    at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:176) [graylog.jar:?]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_131]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_131]
    at java.lang.Thread.run(Thread.java:748) [?:1.8.0_131]

Environment

joschi commented 7 years ago

@MarkusMcNugen

org.graylog.plugins.pipelineprocessor.functions.ips.IpAddress["anonymized"]

Is this the literal log output or did you replace the actual IP address with "anonymized"?

If the latter, please provide a real IP address which triggers the error so we can reproduce the issue.

MarkusMcNugen commented 7 years ago

@joschi

That is the literal log output. I stripped 100+ of the same line out of the log so the log output wasn't stupidly big...

The IP addresses it was supposed to convert from a string to an IP were 10.16.5.182 and 10.16.15.255. The rule splits the message string on | and tries to convert the IP strings to IP addresses. When that error is produced it crashes search, which subsequently crashes login since it loads the search page by default.

EDIT: I figured it out. Turns out some of our PCs are using IPv6 when they shouldn't be which was causing the to_ip function to freak out when it ran into the IPv6 addresses. Please close this issue.
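The pipeline rule language has no if/else, so a guard for the IPv6 case described in the EDIT above has to live in the when clause of a separate rule. The following is an added example, not code from this issue or from the plugin: a stage-0 rule splits the line exactly as the posted rule does but stores the two address columns as plain strings, and two stage-1 rules call to_ip() only when the stored string is a dotted-quad, so an IPv6 literal is never handed to to_ip(). The rule and pipeline names, the source_ip_raw/destination_ip_raw field names and the IPv4 regex are assumptions made for the example; the split pattern is written as "\\|", which reaches split() as the regex \| (a literal pipe), and the field layout follows the rule posted above.

```graylog
// Added example, not the plugin's or the issue author's code.
// Stage 0: split the Bro dns.log line and keep the address columns as strings.
// Rule, pipeline and *_raw field names are assumptions for this example.
rule "Extract bro_dns log fields (no to_ip)"
when
  has_field("application_name") &&
  contains(value: to_string($message.application_name), search: "bro_dns", ignore_case: true)
then
  // split() takes a regex, so the pipe must be escaped: "\\|" reaches the function as \|
  let m = split("\\|", to_string($message.message));

  set_field("ts", m[0]);
  set_field("uid", m[1]);
  set_field("source_ip_raw", m[2]);         // kept as a string, not yet an IpAddress
  set_field("source_port", to_long(m[3]));
  set_field("destination_ip_raw", m[4]);    // kept as a string, not yet an IpAddress
  set_field("destination_port", to_long(m[5]));
  set_field("proto", m[6]);
  set_field("trans_id", m[7]);
  set_field("domain", m[8]);
  set_field("qclass", to_long(m[9]));
  set_field("qclass_name", m[10]);
  set_field("qtype", to_long(m[11]));
  set_field("qtype_name", m[12]);
  set_field("rcode", to_long(m[13]));
  set_field("rcode_name", m[14]);
  set_field("AA", m[15]);
  set_field("TC", m[16]);
  set_field("RD", m[17]);
  set_field("RA", m[18]);
  set_field("Z", to_long(m[19]));
  set_field("answers", m[20]);
  set_field("TTLs", m[21]);
  set_field("rejected", m[22]);
end

// Stage 1: convert only dotted-quad strings. regex() returns a map whose "matches"
// key is true when the whole value matched, so the when clause itself is the guard;
// an IPv6 literal (or "-") fails the regex and the then block never runs.
rule "bro_dns source_ip to_ip (IPv4 only)"
when
  has_field("source_ip_raw") &&
  regex("^\\d{1,3}(\\.\\d{1,3}){3}$", to_string($message.source_ip_raw)).matches
then
  set_field("source_ip", to_ip(to_string($message.source_ip_raw)));
end

rule "bro_dns destination_ip to_ip (IPv4 only)"
when
  has_field("destination_ip_raw") &&
  regex("^\\d{1,3}(\\.\\d{1,3}){3}$", to_string($message.destination_ip_raw)).matches
then
  set_field("destination_ip", to_ip(to_string($message.destination_ip_raw)));
end

// Pipeline wiring: stage 1 only sees the *_raw fields after stage 0 has set them.
// "match either" so a line where only one of the two addresses is IPv4 still counts
// as a match for the stage; each rule's then block runs independently in any case.
pipeline "bro_dns"
stage 0 match all
  rule "Extract bro_dns log fields (no to_ip)";
stage 1 match either
  rule "bro_dns source_ip to_ip (IPv4 only)";
  rule "bro_dns destination_ip to_ip (IPv4 only)";
end
```

With this wiring an IPv6 record from the sample format keeps its address in source_ip_raw/destination_ip_raw as a searchable string and gets no IpAddress-typed field at all, which is what keeps the search page from hitting the serialization error above; it does not change how the plugin itself handles IPv6, and the issue does not describe a fix for that.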