IBM Support

IJ17939: 'WHEN ANY OF THESE EVENT PROPERTIES ARE CONTAINED IN ANY OF THESE REFERENCE SET(S)' CAN PRODUCE FALSE POSITIVE/NEGATIVE


APAR status

  • Closed as suggestion for future release.

Error description

  • It has been identified that QRadar does not validate that the data
    type of the event property matches the element type of the
    reference set when the 'when any of these event properties are
    contained in any of these reference set(s)' Custom Rule Engine
    (CRE) test is configured.
    Custom Properties can be alphanumeric, numeric, IP, port, or
    DateTime; reference sets can be alphanumeric, case insensitive
    alphanumeric, numeric, IP, or port. When the two types do not
    match, the CRE attempts to parse the property value as the
    reference set's element type (for example, an alphanumeric value
    as an IP address). The parse fails, the test raises an exception
    instead of returning a result, and the rule can produce false
    positive or false negative results.
    Messages similar to the following might be visible in
    /var/log/qradar.log when this issue is occurring:
    [ecs-ep.ecs-ep] [CRE Processor [5]] com.q1labs.semsources.cre.CustomRule: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Exception in test: Failed to test
    [ecs-ep.ecs-ep] [CRE Processor [5]] com.q1labs.jstl.base.exceptions.TestFailedException: Failed to test
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at com.q1labs.semsources.cre.tests.ReferenceSetTest.test(ReferenceSetTest.java:228)
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at com.q1labs.semsources.cre.tests.ReferenceSetTest.test(ReferenceSetTest.java:255)
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at com.q1labs.semsources.cre.tests.ReferenceSetTest.test(ReferenceSetTest.java:312)
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at com.q1labs.semsources.cre.gen.TestExecutor_1_6.test(TestExecutor_1_6.java)
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java:480)
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java:437)
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at com.q1labs.semsources.cre.CustomRuleSetExecutor.testRule(CustomRuleSetExecutor.java:294)
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at com.q1labs.semsources.cre.gen.RuleSetExecutor_143_LocalEvent.test(RuleSetExecutor_143_LocalEvent.java)
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at com.q1labs.semsources.cre.LocalRuleExecutor.processEventInPropertyMode(LocalRuleExecutor.java:227)
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at com.q1labs.semsources.cre.LocalRuleExecutor.processEvent(LocalRuleExecutor.java:156)
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at com.q1labs.semsources.cre.CREEventProcessor.processEvent(CustomRuleEngine.java:441)
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at com.q1labs.semsources.cre.CREEventProcessor.run(CustomRuleEngine.java:384)
    [ecs-ep.ecs-ep] [CRE Processor [5]] Caused by:
    [ecs-ep.ecs-ep] [CRE Processor [5]] com.q1labs.frameworks.exceptions.CIDRNetworkException: Failed to parse IP address: CUSTOM_PROPERTY_VALUE
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at com.q1labs.core.dao.util.Host.parseIPAddress(Host.java:207)
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at com.q1labs.core.dao.util.Host.fromString(Host.java:74)
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at com.q1labs.core.dao.util.Host.fromString(Host.java:56)
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at com.q1labs.core.types.HostKeySerializer.keyFromString(HostKeySerializer.java:52)
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at com.q1labs.core.types.HostKeySerializer.keyFromString(HostKeySerializer.java:17)
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at com.q1labs.semsources.cre.tests.ReferenceSetTest.test(ReferenceSetTest.java:208)
    [ecs-ep.ecs-ep] [CRE Processor [5]]    ... 11 more
    [ecs-ep.ecs-ep] [CRE Processor [5]] Caused by:
    [ecs-ep.ecs-ep] [CRE Processor [5]] java.lang.NumberFormatException: For input string: "CUSTOM_PROPERTY_VALUE"
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at java.lang.NumberFormatException.forInputString(NumberFormatException.java:76)
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at java.lang.Integer.parseInt(Integer.java:592)
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at java.lang.Short.parseShort(Short.java:129)
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at java.lang.Short.parseShort(Short.java:155)
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at com.q1labs.core.dao.util.Host.parseUnsignedByte(Host.java:215)
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at com.q1labs.core.dao.util.Host.parseIPAddress(Host.java:197)
    [ecs-ep.ecs-ep] [CRE Processor [5]]    ... 16 more
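    The following Python is an added example, not QRadar code and not part of this APAR. It models the step the stack trace shows failing (coercing the event property value into the reference set's key type before the membership check) so that the same alphanumeric value tested against an IP reference set raises instead of returning true or false, and it adds a pre-check a rule author can run over property/reference-set pairings before deploying a rule. The type names, the compatibility table, the sample values and the helper names (to_key, contained_in, rule_fires, lint_rule_test) are assumptions made for this example.

```python
"""Added example (not QRadar code): simulate the CRE "event property is
contained in a reference set" test to show why a type mismatch between a
custom property and a reference set's element type raises an exception
rather than returning a result, and lint rule definitions for such
mismatches up front. Type names, sample values and coercion rules below
are assumptions modelled on the stack trace in this APAR."""

# Reference-set element types and custom-property types named in the APAR.
REF_SET_TYPES = {"ALN", "ALNIC", "NUM", "IP", "PORT"}
PROPERTY_TYPES = {"ALN", "NUM", "IP", "PORT", "DATETIME"}

# Assumed compatibility table: reference-set types into which every value
# of a given property type can be parsed without error.
COMPATIBLE = {
    "ALN": {"ALN", "ALNIC"},
    "NUM": {"ALN", "ALNIC", "NUM"},
    "IP": {"ALN", "ALNIC", "IP"},
    "PORT": {"ALN", "ALNIC", "NUM", "PORT"},
    "DATETIME": {"ALN", "ALNIC"},
}


class TestFailedException(Exception):
    """Stand-in for com.q1labs.jstl.base.exceptions.TestFailedException."""


def parse_ip(value):
    """Parse an IPv4 key the way the trace shows Host.parseIPAddress does:
    four dot-separated octets, each parsed as an integer, so a non-numeric
    value fails the way Integer.parseInt does in the trace."""
    parts = value.split(".")
    if len(parts) != 4:
        raise TestFailedException(f"Failed to parse IP address: {value}")
    octets = []
    for part in parts:
        try:
            octet = int(part, 10)
        except ValueError as exc:
            raise TestFailedException(f"Failed to parse IP address: {value}") from exc
        if not 0 <= octet <= 255:
            raise TestFailedException(f"Failed to parse IP address: {value}")
        octets.append(octet)
    return tuple(octets)


def to_key(value, element_type):
    """Coerce a raw property value into a reference-set key of element_type.
    NUM is treated as an integer here (assumption)."""
    if element_type == "ALN":
        return value
    if element_type == "ALNIC":
        return value.lower()
    if element_type in ("NUM", "PORT"):
        try:
            number = int(value, 10)
        except ValueError as exc:
            raise TestFailedException(f"Failed to parse {element_type}: {value}") from exc
        if element_type == "PORT" and not 0 <= number <= 65535:
            raise TestFailedException(f"Port out of range: {value}")
        return number
    if element_type == "IP":
        return parse_ip(value)
    raise ValueError(f"unknown reference set type {element_type}")


def make_reference_set(element_type, raw_values):
    """Build a reference set; values are coerced once when loaded."""
    return {"element_type": element_type,
            "keys": {to_key(v, element_type) for v in raw_values}}


def contained_in(value, reference_set):
    """The CRE test proper: coerce the event value to the set's key type and
    check membership. A mismatched type raises instead of returning."""
    return to_key(value, reference_set["element_type"]) in reference_set["keys"]


def rule_fires(value, reference_set, on_error=False):
    """Rule wrapper that swallows the failed test and substitutes a fixed
    result. Whichever result is substituted, it is a false negative or a
    false positive, which is the symptom the APAR describes."""
    try:
        return contained_in(value, reference_set)
    except TestFailedException:
        return on_error


def lint_rule_test(property_type, element_type):
    """Return a warning if this property/reference-set pairing can raise at
    evaluation time, else None. Assumed pre-check, not QRadar's own."""
    if property_type not in PROPERTY_TYPES or element_type not in REF_SET_TYPES:
        return f"unknown type pairing {property_type}/{element_type}"
    if element_type not in COMPATIBLE[property_type]:
        return (f"{property_type} property tested against {element_type} "
                f"reference set: values that do not parse as {element_type} "
                f"will raise TestFailedException")
    return None


if __name__ == "__main__":
    # Constructed sample data: an IP reference set and two event values.
    blocked = make_reference_set("IP", ["10.0.0.5", "192.0.2.10"])
    print(contained_in("10.0.0.5", blocked))
    print(rule_fires("CUSTOM_PROPERTY_VALUE", blocked))
    print(lint_rule_test("ALN", "IP"))
```

    Running lint_rule_test over every property/reference-set pairing used by a rule before saving it is the check this APAR's comments say QRadar itself only considers warning about in a future release; until then the rule author has to make the types agree.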
    

Local fix

  • Contact Support for a possible workaround that might address
    this issue in some instances.
    

Problem summary

Problem conclusion

Temporary fix

Comments

  • Adding restrictions may cause more problems for customers, so a
    warning message will be considered for a future release.
    

APAR Information

  • APAR number

    IJ17939

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    732

  • Status

    CLOSED SUG

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-07-29

  • Closed date

    2019-08-09

  • Last modified date

    2019-08-09

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels


Document Information

Modified date:
09 August 2019