graylog-plugin-pipeline-processor
I/O error - Infinite recursion with to_ip (ipv6 parsing issue)
Problem description
Infinite recursion when trying to convert an IP string to an IP address using the to_ip() function.
Steps to reproduce the problem
Source: 1500093714.115401|CuGFga3X7NWibJCGGa|10.16.5.182|137|10.16.15.255|137|udp|44426|-|WPAD|1|C_INTERNET|32|NB|-|-|F|F|T|F|1|-|-|F
- Create input, pipeline, and stream.
- In pipeline rule, split message string and store into m
- Convert m index to IP
Pipeline Rule
rule "Extract bro_dns log fields"
when
has_field("application_name") &&
contains(value: to_string($message.application_name), search: "bro_dns", ignore_case: true)
then
let m = split("\\\|", to_string($message.message));
set_field("ts", m[0]);
set_field("uid", m[1]);
set_field("source_ip", to_ip(m[2]));
set_field("source_port", to_long(m[3]));
set_field("destination_host", to_ip(m[4]));
set_field("destination_port", to_long(m[5]));
set_field("proto", m[6]);
set_field("trans_id", m[7]);
set_field("domain", m[8]);
set_field("qclass", to_long(m[9]));
set_field("qclass_name", m[10]);
set_field("qtype", to_long(m[11]));
set_field("qtype_name", m[12]);
set_field("rcode", to_long(m[13]));
set_field("rcode_name", m[14]);
set_field("AA", m[15]);
set_field("TC", m[16]);
set_field("RD", m[17]);
set_field("RA", m[18]);
set_field("Z", to_long(m[19]));
set_field("answers", m[20]);
set_field("TTLs", m[21]);
set_field("rejected", m[22]);
end
Log
2017-07-14T21:06:15.902-04:00 ERROR [ServerRuntime$Responder] An I/O error has occurred while writing a response message entity to the container output stream.
org.glassfish.jersey.server.internal.process.MappableException: com.fasterxml.jackson.databind.JsonMappingException: Infinite recursion (StackOverflowError) (through reference chain: org.graylog.plugins.pipelineprocessor.functions.ips.IpAddress["anonymized"]->org.graylog.plugins.pipelineprocessor.functions.ips.IpAddress["anonymized"]->org.graylog.plugins.pipelineprocessor.functions.ips.IpAddress["anonymized"]->org.graylog.plugins.pipelineprocessor.functions.ips.IpAddress["anonymized"]->org.graylog.plugins.pipelineprocessor.functions.ips.IpAddress["anonymized"]->org.graylog.plugins.pipelineprocessor.functions.ips.IpAddress["anonymized"]->org.graylog.plugins.pipelineprocessor.functions.ips.IpAddress["anonymized"]->org.graylog.plugins.pipelineprocessor.functions.ips.IpAddress["anonymized"])
at org.glassfish.jersey.server.internal.MappableExceptionWrapperInterceptor.aroundWriteTo(MappableExceptionWrapperInterceptor.java:92) ~[graylog.jar:?]
at org.glassfish.jersey.message.internal.WriterInterceptorExecutor.proceed(WriterInterceptorExecutor.java:162) ~[graylog.jar:?]
at org.glassfish.jersey.message.internal.MessageBodyFactory.writeTo(MessageBodyFactory.java:1130) ~[graylog.jar:?]
at org.glassfish.jersey.server.ServerRuntime$Responder.writeResponse(ServerRuntime.java:711) [graylog.jar:?]
at org.glassfish.jersey.server.ServerRuntime$Responder.processResponse(ServerRuntime.java:444) [graylog.jar:?]
at org.glassfish.jersey.server.ServerRuntime$Responder.process(ServerRuntime.java:434) [graylog.jar:?]
at org.glassfish.jersey.server.ServerRuntime$2.run(ServerRuntime.java:329) [graylog.jar:?]
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:271) [graylog.jar:?]
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:267) [graylog.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:315) [graylog.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:297) [graylog.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:267) [graylog.jar:?]
at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:317) [graylog.jar:?]
at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:305) [graylog.jar:?]
at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:1154) [graylog.jar:?]
at org.glassfish.jersey.grizzly2.httpserver.GrizzlyHttpContainer.service(GrizzlyHttpContainer.java:384) [graylog.jar:?]
at org.glassfish.grizzly.http.server.HttpHandler$1.run(HttpHandler.java:224) [graylog.jar:?]
at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:176) [graylog.jar:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_131]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_131]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_131]
Environment
- Graylog Version: 2.2.3
- Pipeline Processor plugin version: 2.2.3
- Elasticsearch Version: 2.4.5
- MongoDB Version: 2.6.10
- Operating System: Ubuntu 16.04 LTS
- Browser version: Chrome 59
@MarkusMcNugen
org.graylog.plugins.pipelineprocessor.functions.ips.IpAddress["anonymized"]
Is this the literal log output or did you replace the actual IP address with "anonymized"?
If the latter, please provide a real IP address which triggers the error so we can reproduce the issue.
@joschi
That is the literal log output. I stripped 100+ of the same line out of the log so the log output wasn't stupidly big...
The IP address it was supposed to convert from a string to an IP was 10.16.5.182 and 10.16.15.255. The rule splits the message string on | and tries to convert the IP strings to IP addresses. When that error is produced it crashes search, which subsequently crashes login since it loads the search page by default.
EDIT: I figured it out. Turns out some of our PCs are using IPv6 when they shouldn't be which was causing the to_ip function to freak out when it ran into the IPv6 addresses. Please close this issue.
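Added example (not part of the issue thread and not Graylog's code): a Python parser for the pipe-delimited line from the report that accepts both IPv4 and IPv6 in the address columns, stores every value as JSON-safe text or integers, and records a bad column instead of failing the whole message. The sample line has 24 columns while the rule maps 23, so the `rtt` column after `trans_id` is an assumption taken from Bro's dns.log layout; `parse_bro_dns` and `convert` are names made up for this example.

```python
import ipaddress

# Column order: the rule's field names, plus "rtt" (assumed from Bro's dns.log layout).
FIELDS = [
    ("ts", "str"), ("uid", "str"), ("source_ip", "ip"), ("source_port", "long"),
    ("destination_host", "ip"), ("destination_port", "long"), ("proto", "str"),
    ("trans_id", "str"), ("rtt", "str"), ("domain", "str"), ("qclass", "long"),
    ("qclass_name", "str"), ("qtype", "long"), ("qtype_name", "str"),
    ("rcode", "long"), ("rcode_name", "str"), ("AA", "str"), ("TC", "str"),
    ("RD", "str"), ("RA", "str"), ("Z", "long"), ("answers", "str"),
    ("TTLs", "str"), ("rejected", "str"),
]
UNSET = "-"  # marker the sample line uses for empty columns


def convert(kind, raw):
    """Convert one column to a JSON-safe value; raises ValueError on bad input."""
    if raw == UNSET:
        return None
    if kind == "long":
        return int(raw)
    if kind == "ip":
        # ip_address() accepts IPv4 and IPv6; keep the canonical text, not the object.
        return str(ipaddress.ip_address(raw))
    return raw


def parse_bro_dns(line):
    """Return (fields, errors) for one pipe-delimited line."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} columns, got {len(parts)}")
    fields, errors = {}, []
    for (name, kind), raw in zip(FIELDS, parts):
        try:
            fields[name] = convert(kind, raw)
        except ValueError:
            fields[name] = None  # leave the field empty instead of aborting the message
            errors.append(name)
    return fields, errors


# First line is the sample from the report; the IPv6 and malformed variants are constructed.
V4_LINE = ("1500093714.115401|CuGFga3X7NWibJCGGa|10.16.5.182|137|10.16.15.255|137|udp|44426"
           "|-|WPAD|1|C_INTERNET|32|NB|-|-|F|F|T|F|1|-|-|F")
V6_LINE = V4_LINE.replace("10.16.5.182", "2001:DB8::5:182").replace("10.16.15.255", "ff02::1:3")
BAD_LINE = V4_LINE.replace("10.16.5.182", "10.16.5.999")
```

The names in the returned `errors` list identify which columns failed conversion, so a mismatch between the column layout and the field mapping shows up per field rather than as a downstream failure.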