Repository: metron Updated Branches: refs/heads/master f072ed231 -> b3148a182
METRON-838 Incorrect set of ts in FireEye parser (bjigmp via justinleet) closes apache/metron#528 Project: http://git-wip-us.apache.org/repos/asf/metron/repo Commit: http://git-wip-us.apache.org/repos/asf/metron/commit/b3148a18 Tree: http://git-wip-us.apache.org/repos/asf/metron/tree/b3148a18 Diff: http://git-wip-us.apache.org/repos/asf/metron/diff/b3148a18 Branch: refs/heads/master Commit: b3148a18280a4fa50020f4a757dc526c404e0df5 Parents: f072ed2 Author: bjigmp <bji...@users.noreply.github.com> Authored: Fri Aug 11 08:40:11 2017 -0400 Committer: leet <l...@apache.org> Committed: Fri Aug 11 08:40:11 2017 -0400 ---------------------------------------------------------------------- .../metron/parsers/fireeye/BasicFireEyeParser.java | 8 +++----- .../parsers/fireeye/BasicFireEyeParserTest.java | 16 ++++++++++++++++ 2 files changed, 19 insertions(+), 5 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/metron/blob/b3148a18/metron-platform/metron-parsers/src/main/java/org/apache/metron/parsers/fireeye/BasicFireEyeParser.java ----------------------------------------------------------------------
diff --git a/metron-platform/metron-parsers/src/main/java/org/apache/metron/parsers/fireeye/BasicFireEyeParser.java b/metron-platform/metron-parsers/src/main/java/org/apache/metron/parsers/fireeye/BasicFireEyeParser.java
index 04e1591..489eb00 100644
--- a/metron-platform/metron-parsers/src/main/java/org/apache/metron/parsers/fireeye/BasicFireEyeParser.java
+++ b/metron-platform/metron-parsers/src/main/java/org/apache/metron/parsers/fireeye/BasicFireEyeParser.java
@@ -122,14 +122,12 @@ public class BasicFireEyeParser extends BasicParser {
 month = tsMatcher.group(1);
 day = tsMatcher.group(2);
 time = tsMatcher.group(3);
-
- } else {
- LOG.warn("Unable to find timestamp in message: {}", toParse);
 ts = ParserUtils.convertToEpoch(month, day, time, true);
+ } else {
+ LOG.warn("Unable to find timestamp in message: {}", toParse);
 }
- return ts;
-
+ return ts;
 }
 private JSONObject parseMessage(String toParse) {
http://git-wip-us.apache.org/repos/asf/metron/blob/b3148a18/metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/fireeye/BasicFireEyeParserTest.java ----------------------------------------------------------------------
diff --git a/metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/fireeye/BasicFireEyeParserTest.java b/metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/fireeye/BasicFireEyeParserTest.java
index 69a6dbd..7a5d2e6 100644
--- a/metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/fireeye/BasicFireEyeParserTest.java
+++ b/metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/fireeye/BasicFireEyeParserTest.java
@@ -19,6 +19,10 @@ package org.apache.metron.parsers.fireeye;
 import java.util.Map;
 import java.util.Map.Entry;
+import java.time.Year;
+import java.time.ZonedDateTime;
+import java.time.ZoneOffset;
+
 import org.apache.metron.parsers.AbstractParserConfigTest;
 import org.json.simple.JSONObject;
 import org.json.simple.parser.JSONParser;
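Review bot: On the new `else` branch the method still falls through to `return ts;` with whatever `ts` held before the match attempt, so a message whose timestamp cannot be located is emitted with a silent default instead of being marked as such; `ts` is declared above the hunk, so its fallback value is not visible here. For a SIEM parser that fallback decides where the alert lands on the timeline, so it deserves a comment beside the warning, e.g. `// no syslog timestamp found: ts keeps its initial value and the event is still emitted`, or an output field that marks the timestamp as unparsed. The test added in this commit builds its expected value from `Year.now(ZoneOffset.UTC)`, which suggests `convertToEpoch(..., true)` fills in the current year for the year-less syslog header; if so, alerts that cross a year boundary between emission and parsing are stamped a year off, which is worth a second comment on the `ts = ParserUtils.convertToEpoch(month, day, time, true);` line. The enclosing method starts before this hunk.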
@@ -57,4 +61,16 @@ public class BasicFireEyeParserTest extends AbstractParserConfigTest {
 }
 }
 }
+
+ private final static String fireeyeMessage = "<164>Mar 19 05:24:39 10.220.15.15 fenotify-851983.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 12:28:26 UTC dvc=10.201.78.57 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=54527 dvc=10.100.25.16 smac=00:00:0c:07:ac:00 cn1Label=vlan cn1=0 externalId=851983 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\\=851983 dmac=00:1d:a2:af:32:a1 cs1Label=sname cs1=Trojan.Generic.DNS";
+
+ @SuppressWarnings("rawtypes")
+ @Test
+ public void testTimestampParsing() throws ParseException {
+ JSONObject parsed = parser.parse(fireeyeMessage.getBytes()).get(0);
+ JSONParser parser = new JSONParser();
+ Map json = (Map) parser.parse(parsed.toJSONString());
+ long expectedTimestamp = ZonedDateTime.of(Year.now(ZoneOffset.UTC).getValue(), 3, 19, 5, 24, 39, 0, ZoneOffset.UTC).toInstant().toEpochMilli();
+ Assert.assertEquals(expectedTimestamp, json.get("timestamp"));
+ }
 }
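Review bot: The new test declares a local `JSONParser parser` on the line right after it has used the `parser` declared outside the hunk to parse the message, so the same name denotes two different objects within three lines; renaming the local, `JSONParser jsonParser = new JSONParser();` and `Map json = (Map) jsonParser.parse(parsed.toJSONString());`, removes the shadowing. `fireeyeMessage.getBytes()` also encodes with the platform default charset; `fireeyeMessage.getBytes(StandardCharsets.UTF_8)` (with the matching `java.nio.charset` import) pins the bytes the parser is fed regardless of the build machine. The expected value is derived from `Year.now(ZoneOffset.UTC)` while the parser picks its own year, so the assertion is only as stable as the agreement between those two choices; a short comment stating that dependency, e.g. `// the syslog header carries no year; the parser is expected to assume the current UTC year`, would tell the next reader why March 19 of the current year is the right answer.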