There is someone on the user list getting errors from snort, and I sent him
this reply:

---------
2017-02-20 16:00:14 ERROR BasicSnortParser:179 - Unable to parse message:
02/18-16:24:46.262884 ,1,999158,0,"'snort test
alert'",TCP,192.168.1.85,58472,192.168.1.216,22,34:68:95:01:D1:BB,52:54:00:E0:8F:0D,0x42,***A****,0x6756B8AF,0xA5EF764E,,0x5A4,64,16,57034,52,53248,,,,
java.time.format.DateTimeParseException: Text '02/18-16:24:46.262884' could
not be parsed at index 5

We are expecting a date more like 01/27/16-16:01:04.877970
So the year is missing.


Our default date formatter for snort is defined as  MM/dd/yy-HH:mm:ss.SSSSSS

You can change this by adding "dateFormat":"your format" to your parser
configuration
——————

The issue is, I can’t get this to work.  I don’t think that
ZonedDateTime will work if the year is missing.

I tried the following test:

import java.time.ZoneId;
import java.time.ZonedDateTime;
import java.time.format.DateTimeFormatter;

class Untitled {
    public static void main(String[] args) {
        String fmt = "MM/dd-HH:mm:ss.SSSSSS";
        String old = "MM/dd/yy-HH:mm:ss.SSSSSS";
        String dateString = "02/18-16:24:46.262900";
        String oldString = "02/18/17-16:24:46.262900";
        DateTimeFormatter df = DateTimeFormatter.ofPattern(fmt);
        df = df.withZone(ZoneId.systemDefault());
        ZonedDateTime zdt = ZonedDateTime.parse(dateString,df);
        System.out.println(String.format("%d",zdt.toInstant().toEpochMilli()));
    }
}


Old and oldString work.


fmt and dateString don’t with exception:


Exception in thread "main" java.time.format.DateTimeParseException: Text
'02/18-16:24:46.262900' could not be parsed: Unable to obtain ZonedDateTime
from TemporalAccessor: {MonthOfYear=2, DayOfMonth=18},ISO,America/New_York
resolved to 16:24:46.262900 of type java.time.format.Parsed
    at java.time.format.DateTimeFormatter.createError(DateTimeFormatter.java:1920)
    at java.time.format.DateTimeFormatter.parse(DateTimeFormatter.java:1855)
    at java.time.ZonedDateTime.parse(ZonedDateTime.java:597)
    at Untitled.main(Untitled 2.java:13)
Caused by: java.time.DateTimeException: Unable to obtain ZonedDateTime from
TemporalAccessor: {MonthOfYear=2, DayOfMonth=18},ISO,America/New_York
resolved to 16:24:46.262900 of type java.time.format.Parsed
    at java.time.ZonedDateTime.from(ZonedDateTime.java:565)
    at java.time.format.Parsed.query(Parsed.java:226)
    at java.time.format.DateTimeFormatter.parse(DateTimeFormatter.java:1851)
    ... 2 more
Caused by: java.time.DateTimeException: Unable to obtain LocalDate from
TemporalAccessor: {MonthOfYear=2, DayOfMonth=18},ISO,America/New_York
resolved to 16:24:46.262900 of type java.time.format.Parsed
    at java.time.LocalDate.from(LocalDate.java:368)
    at java.time.ZonedDateTime.from(ZonedDateTime.java:559)
    ... 4 more


The snort parser doesn’t document the dateFormat override (METRON-729).
I don’t know and have not found a way to modify how snort outputs the date
string.

Any ideas?

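One way to parse the year-less timestamp from the message above, added here as an example; it is not part of the original message and not Metron's parser code. It supplies the missing year with DateTimeFormatterBuilder.parseDefaulting; the class name, the one-day tolerance and the year-rollover rule are assumptions.

```java
import java.time.Duration;
import java.time.Instant;
import java.time.ZoneId;
import java.time.ZonedDateTime;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeFormatterBuilder;
import java.time.temporal.ChronoField;

// Added example, not Metron code: parse a Snort timestamp that has no year.
public class YearlessSnortTimestamp {

    // Assumption: an alert stamped more than one day ahead of "now" was
    // written before the last New Year, so it belongs to the previous year.
    static final Duration FUTURE_TOLERANCE = Duration.ofDays(1);

    static ZonedDateTime parse(String text, ZoneId zone, Instant now) {
        int currentYear = now.atZone(zone).getYear();
        DateTimeFormatter df = new DateTimeFormatterBuilder()
                .appendPattern("MM/dd-HH:mm:ss.SSSSSS")
                // Supplies the field whose absence makes LocalDate.from() fail.
                .parseDefaulting(ChronoField.YEAR, currentYear)
                .toFormatter()
                .withZone(zone);
        ZonedDateTime zdt = ZonedDateTime.parse(text, df);
        // Without this, a Dec 31 alert ingested on Jan 1 lands ~12 months ahead.
        if (zdt.toInstant().isAfter(now.plus(FUTURE_TOLERANCE))) {
            zdt = zdt.withYear(currentYear - 1);
        }
        return zdt;
    }

    public static void main(String[] args) {
        ZoneId zone = ZoneId.of("America/New_York");
        // Constructed inputs: the string from the message, then a year rollover.
        Instant feb = Instant.parse("2017-02-20T21:00:14Z");
        System.out.println(parse("02/18-16:24:46.262900", zone, feb));
        Instant jan = Instant.parse("2018-01-01T05:10:00Z");
        System.out.println(parse("12/31-23:59:58.000001", zone, jan));
    }
}
```

Passing `now` in explicitly keeps the year choice testable; alerts replayed from an archive older than a year would still be assigned the wrong year and need the year from another source.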