
Zeek DNS records don't open correctly in Arkime sessions #509

Closed
mmguero opened this issue Nov 22, 2024 · 1 comment
mmguero commented Nov 22, 2024

For some reason in the latest release when you try to open a zeek.dns record in Arkime sessions, you get this error in the debug logs:

arkime-1  | Trace: Unhandled Rejection at: Promise Promise {
arkime-1  |   <rejected> TypeError: Cannot create property 'keyword' on string '59427'
arkime-1  |       at fixSessionFields (/opt/arkime/viewer/db.js:384:22)
arkime-1  |       at /opt/arkime/viewer/db.js:528:5
arkime-1  |       at Db.search (/opt/arkime/viewer/db.js:575:17)
arkime-1  |       at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
arkime-1  | } reason: TypeError: Cannot create property 'keyword' on string '59427'
arkime-1  |     at fixSessionFields (/opt/arkime/viewer/db.js:384:22)
arkime-1  |     at /opt/arkime/viewer/db.js:528:5
arkime-1  |     at Db.search (/opt/arkime/viewer/db.js:575:17)
arkime-1  |     at process.processTicksAndRejections (node:internal/process/task_queues:95:5) {}
arkime-1  |     at process.<anonymous> (/opt/arkime/viewer/viewer.js:2134:11)
arkime-1  |     at process.emit (node:events:519:28)
arkime-1  |     at emitUnhandledRejection (node:internal/process/promises:250:13)
arkime-1  |     at throwUnhandledRejectionsMode (node:internal/process/promises:385:19)
arkime-1  |     at processPromiseRejections (node:internal/process/promises:470:17)
arkime-1  |     at process.processTicksAndRejections (node:internal/process/task_queues:96:32)

The value in "on string 'xxxxxx'" varies, of course. It does always seem to be on a particular type of field (looks like trans_id and answers?). I need to look at the definitions of those fields and see if I can figure out what's different about them.

@mmguero mmguero added arkime Relating to Malcolm's use of Arkime bug Something isn't working opensearch Relating to Malcolm's use of OpenSearch regression It worked at one point... zeek Relating to Malcolm's use of Zeek labels Nov 22, 2024
@mmguero mmguero added this to the v24.12.0 milestone Nov 22, 2024
@mmguero mmguero self-assigned this Nov 22, 2024
@mmguero mmguero added this to Malcolm Nov 22, 2024
mmguero added a commit to mmguero-dev/Malcolm that referenced this issue Nov 22, 2024
I discovered that there are some conflicts between ECS's DNS fields (https://www.elastic.co/guide/en/ecs/current/ecs-dns.html) and Arkime's (https://github.com/arkime/arkime/blob/70765f46f6e17b62e405d9cd82d8109030e51bd8/db/db.pl#L4369-L4431) that would result in some issues when opening Zeek dns.log entries in Arkime sessions. So I'm commenting out some of the ECS DNS normalization here in favor of the Arkime fields.
mmguero commented Nov 22, 2024

I discovered that there are some conflicts between ECS's DNS fields (https://www.elastic.co/guide/en/ecs/current/ecs-dns.html) and Arkime's (https://github.com/arkime/arkime/blob/70765f46f6e17b62e405d9cd82d8109030e51bd8/db/db.pl#L4369-L4431) that would result in some issues when opening Zeek dns.log entries in Arkime sessions. So I'm commenting out some of the ECS DNS normalization here in favor of the Arkime fields.
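As an added illustration that is not part of this thread and is not Arkime's or Malcolm's code: the trace in the first comment is what strict-mode JavaScript raises when code assigns a `keyword` sub-property to a value that turned out to be a string primitive rather than an object, which is the kind of mismatch two field schemas mapping the same path differently produce. The field names, document shapes and sample values below are constructed; the second function shows a checked variant that reports the type conflict per field instead of rejecting the whole search promise.

```javascript
'use strict';
// Constructed example, not Arkime's fixSessionFields. DNS_FIELDS and the
// document shapes are assumptions made for the illustration.
const DNS_FIELDS = ['trans_id', 'answers'];

// Naive pass: assumes each DNS field holds an object and decorates it.
function fixDnsFieldsNaive(session) {
  for (const name of DNS_FIELDS) {
    const value = session.dns?.[name];
    if (value === undefined) continue;
    // On a string primitive this throws in strict mode with the same message
    // as the trace: Cannot create property 'keyword' on string '59427'
    value.keyword = String(value);
  }
  return session;
}

// Checked pass: decorate only plain objects; record every path whose value
// has a conflicting type so the schema mismatch is surfaced, not swallowed.
function fixDnsFieldsChecked(session) {
  const conflicts = [];
  for (const name of DNS_FIELDS) {
    const value = session.dns?.[name];
    if (value === undefined) continue;
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      value.keyword = String(value.value ?? '');
    } else {
      const kind = Array.isArray(value) ? 'array' : typeof value;
      conflicts.push(`dns.${name}: expected object, got ${kind}`);
    }
  }
  return { session, conflicts };
}

// Runs the naive pass on a copy and returns the error message it produces,
// or null when the document has the expected shape.
function naiveErrorMessage(session) {
  try {
    fixDnsFieldsNaive(structuredClone(session));
    return null;
  } catch (err) {
    return err.message;
  }
}

// Constructed documents: one with string/array values at the DNS paths (the
// shape that triggers the trace), one with object values (the expected shape).
const CONFLICTING_SESSION = { dns: { trans_id: '59427', answers: ['93.184.216.34'] } };
const EXPECTED_SESSION = { dns: { trans_id: { value: '59427' } } };
```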

@mmguero mmguero closed this as completed Nov 22, 2024
@github-project-automation github-project-automation bot moved this to Done in Malcolm Nov 22, 2024