java.lang.NullPointerException

[Marshal27]

This is an issue with the toLowerCase() method when applied to null values on the doc.

• In my Windows instance, running elasticsearch in cmd for testing, it would cause the service to lock up... may not be an issue once I actually convert it to a windows service, but this is causing me to have to reset the service to continue testing.

Caused by: java.lang.NullPointerException at org.elasticsearch.painless.DefBootstrap$PIC.checkClass(DefBootstrap.java:143) ~[?:?] at org.elasticsearch.painless.PainlessScript$Script.execute('ip == ' + doc['src_ip.keyword'].value + ' && ...:223) ~[?:?]

The issue is in the FPC script to generate the URL. Would be a good idea to perform a null check on this value before attempting to generate the URL... I made the assumption that if the protocol is not available, you may not want a URL generated...

• feel free to revise according to the required logic. I am still new to all this so I am not sure what the FPC url is for.

if(doc['proto.keyword'].value != null){ 'ip == ' + doc['src_ip.keyword'].value + ' && port == ' + doc['src_port'].value + ' && ip == ' + doc['dest_ip.keyword'].value + ' && port == ' + doc['dest_port'].value + ' && protocols == ' + doc['proto.keyword'].value.toLowerCase()}

[pevma]

That seems a good point. In what case is proto.keyword null ? (Was wondering if you have the example from the exception you have triggered)

[opoplawski]

I think the issue may be mixing in other non-suricata log data in the index that does not contain a proto field? Or should that be handled. I'm not sure how to search for null proto.keyword values.

[pevma]

It maybe that mixing diff sources could be the issue but in Kibana (for the FPC links specifically ) they are based out of dashboards that are looking into specific Suricata generated (logs)indexes. Example ‘logstash-alert’, ‘logstash-http’.... etc. So an example of the log that recreates the issue would be interested to look at and investigate.

-- Regards, Peter Manev

On 25 Jan 2019, at 21:18, Orion Poplawski notifications@github.com wrote:

I think the issue may be mixing in other non-suricata log data in the index that does not contain a proto field? Or should that be handled. I'm not sure how to search for null proto.keyword values.

— You are receiving this because you commented. Reply to this email directly, view it on GitHub, or mute the thread.