
java.lang.NullPointerException

Open Marshal27 opened this issue 6 years ago • 3 comments

This is an issue with the toLowerCase() method when applied to null values on the doc.

  • In my Windows instance, running elasticsearch in cmd for testing, it would cause the service to lock up... may not be an issue once I actually convert it to a windows service, but this is causing me to have to reset the service to continue testing.

```
Caused by: java.lang.NullPointerException
    at org.elasticsearch.painless.DefBootstrap$PIC.checkClass(DefBootstrap.java:143) ~[?:?]
    at org.elasticsearch.painless.PainlessScript$Script.execute('ip == ' + doc['src_ip.keyword'].value + ' && ...:223) ~[?:?]
```

The issue is in the FPC script that generates the URL. It would be a good idea to perform a null check on this value before attempting to generate the URL... I made the assumption that if the protocol is not available, you may not want a URL generated...

  • feel free to revise according to the required logic. I am still new to all this so I am not sure what the FPC url is for.

```painless
if (doc['proto.keyword'].value != null) {
  'ip == ' + doc['src_ip.keyword'].value
    + ' && port == ' + doc['src_port'].value
    + ' && ip == ' + doc['dest_ip.keyword'].value
    + ' && port == ' + doc['dest_port'].value
    + ' && protocols == ' + doc['proto.keyword'].value.toLowerCase()
}
```

Marshal27 avatar Jan 17 '19 22:01 Marshal27

That seems a good point. In what case is proto.keyword null? (I was wondering if you have the example from the exception you have triggered.)

pevma avatar Jan 18 '19 14:01 pevma

I think the issue may be mixing in other non-suricata log data in the index that does not contain a proto field? Or should that be handled. I'm not sure how to search for null proto.keyword values.

opoplawski avatar Jan 25 '19 20:01 opoplawski
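The two points raised above, the missing null guard in the FPC scripted field and the question of how to find documents with no proto value, can be handled in one place. The following is an added example written for this thread; it is not the project's own scripted field, and it assumes the same Suricata field names used in the issue (src_ip.keyword, src_port, dest_ip.keyword, dest_port, proto.keyword). Instead of comparing `.value` against null, it checks `doc[field].size()`, which is the documented way to test for a missing doc value: on Elasticsearch 6.x `.value` on an absent keyword field returns null (hence the NullPointerException in the trace), while from 7.0 onward the same access throws, so a `!= null` test would stop helping after an upgrade.

```painless
// Added example for this issue, not SELKS/Kibana project code.
// Null-safe FPC URL filter: assumes the Suricata field names from the issue.
def required = ['src_ip.keyword', 'src_port', 'dest_ip.keyword', 'dest_port', 'proto.keyword'];

// A document from another source (non-Suricata logs mixed into the index,
// or a Suricata event type without these fields) has no doc value for one of
// them. size() == 0 is true in that case on both 6.x and 7.x, whereas
// .value would be null (6.x) or throw IllegalStateException (7.x).
for (def f : required) {
  if (!doc.containsKey(f) || doc[f].size() == 0) {
    return null;   // no FPC link is generated for this document
  }
}

return 'ip == ' + doc['src_ip.keyword'].value
     + ' && port == ' + doc['src_port'].value
     + ' && ip == ' + doc['dest_ip.keyword'].value
     + ' && port == ' + doc['dest_port'].value
     + ' && protocols == ' + doc['proto.keyword'].value.toLowerCase();
```

To locate the documents that trigger the exception, the Kibana query bar accepts the Lucene syntax `NOT _exists_:proto` on the affected index pattern (for example logstash-alert or logstash-http); any hits are documents without a proto field and are the ones worth attaching to this issue.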

It may be that mixing different sources could be the issue, but in Kibana (for the FPC links specifically) they are based on dashboards that look into specific Suricata-generated log indexes, for example ‘logstash-alert’, ‘logstash-http’, etc. So an example of the log that recreates the issue would be interesting to look at and investigate.

-- Regards, Peter Manev

pevma avatar Jan 27 '19 18:01 pevma