You're correct, a ZonedDateTime requires a year. I ran into this when parsing the RFC3164 syslog timestamps.
Glad he was able to find the config option to enable the year in Snort.

-Kyle

On Tue, Feb 21, 2017 at 7:59 AM, Otto Fowler <ottobackwa...@gmail.com> wrote:

> ok -
>
> # Configure Snort to show year in timestamps
> config show_year
>
> looks like it fixed it for him.
> I create a jira to make sure this is in our default
>
> On February 20, 2017 at 16:47:29, Otto Fowler (ottobackwa...@gmail.com)
> wrote:
>
> There is someone on the user list getting errors from snort, and I sent him
> this reply:
>
> ---------
> 2017-02-20 16:00:14 ERROR BasicSnortParser:179 - Unable to parse message:
> 02/18-16:24:46.262884 ,1,999158,0,"'snort test
> alert'",TCP,192.168.1.85,58472,192.168.1.216,22,34:68:
> 95:01:D1:BB,52:54:00:E0:8F:0D,0x42,***A****,0x6756B8AF,
> 0xA5EF764E,,0x5A4,64,16,57034,52,53248,,,,
> java.time.format.DateTimeParseException: Text '02/18-16:24:46.262884'
> could
> not be parsed at index 5
>
> We expect a date more like 01/27/16-16:01:04.877970
> So the year is missing.
>
> Our default date formatter for snort is defined as
> MM/dd/yy-HH:mm:ss.SSSSSS
>
> You can change this by adding "dateFormat":"your format" to your parser
> configuration
> —————— 
>
> The issue is, I can’t get this to work. I don’t think that the
> ZonedDateTime will work if the year is missing.
>
> I tried the following test:
>
> import java.time.ZoneId;
> import java.time.ZonedDateTime;
> import java.time.format.DateTimeFormatter;
>
> class Untitled {
>     public static void main(String[] args) {
>         // Year-less pattern and input: this is the failing case
>         String fmt = "MM/dd-HH:mm:ss.SSSSSS";
>         // Default Snort pattern with a two-digit year: this case parses
>         String old = "MM/dd/yy-HH:mm:ss.SSSSSS";
>         String dateString = "02/18-16:24:46.262900";
>         String oldString = "02/18/17-16:24:46.262900";
>         DateTimeFormatter df = DateTimeFormatter.ofPattern(fmt);
>         df = df.withZone(ZoneId.systemDefault());
>         ZonedDateTime zdt = ZonedDateTime.parse(dateString, df);
>         System.out.println(String.format("%d", zdt.toInstant().toEpochMilli()));
>     }
> }
>
> Old and oldString work.
>
> fmt and dateString don’t with exception:
>
> Exception in thread "main" java.time.format.DateTimeParseException: Text
> '02/18-16:24:46.262900' could not be parsed: Unable to obtain ZonedDateTime
> from TemporalAccessor: {MonthOfYear=2, DayOfMonth=18},ISO,America/New_York
> resolved to 16:24:46.262900 of type java.time.format.Parsed
>     at java.time.format.DateTimeFormatter.createError(DateTimeFormatter.java:1920)
>     at java.time.format.DateTimeFormatter.parse(DateTimeFormatter.java:1855)
>     at java.time.ZonedDateTime.parse(ZonedDateTime.java:597)
>     at Untitled.main(Untitled 2.java:13)
> Caused by: java.time.DateTimeException: Unable to obtain ZonedDateTime from
> TemporalAccessor: {MonthOfYear=2, DayOfMonth=18},ISO,America/New_York
> resolved to 16:24:46.262900 of type java.time.format.Parsed
>     at java.time.ZonedDateTime.from(ZonedDateTime.java:565)
>     at java.time.format.Parsed.query(Parsed.java:226)
>     at java.time.format.DateTimeFormatter.parse(DateTimeFormatter.java:1851)
>     ... 2 more
> Caused by: java.time.DateTimeException: Unable to obtain LocalDate from
> TemporalAccessor: {MonthOfYear=2, DayOfMonth=18},ISO,America/New_York
> resolved to 16:24:46.262900 of type java.time.format.Parsed
>     at java.time.LocalDate.from(LocalDate.java:368)
>     at java.time.ZonedDateTime.from(ZonedDateTime.java:559)
>     ... 4 more
>
> The snort parser doesn’t document the dateFormat override (METRON-729).
> I don’t know and have not found a way to modify how snort outputs date
> string.
>
> Any ideas?
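
Added example (not code from this thread or from Metron): where the sensor output cannot be changed, a year-less timestamp can still be resolved on the Java side by giving the formatter a default year, so that LocalDate and therefore ZonedDateTime can be built. The class name, the one-day rollover tolerance and the fixed "now" values are assumptions made for illustration.

```java
import java.time.Duration;
import java.time.Instant;
import java.time.ZoneId;
import java.time.ZonedDateTime;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeFormatterBuilder;
import java.time.temporal.ChronoField;

public class YearlessSnortTimestamp {

    // Pattern from the thread: Snort's timestamp when show_year is not set.
    static final String YEARLESS = "MM/dd-HH:mm:ss.SSSSSS";

    /**
     * Parses a year-less timestamp by assuming the year of `now`. If that puts
     * the event more than a day ahead of `now` (a 12/31 alert read on 01/01),
     * the text is parsed again with the previous year.
     */
    static ZonedDateTime parse(String text, ZoneId zone, Instant now) {
        int year = now.atZone(zone).getYear();
        ZonedDateTime zdt = ZonedDateTime.parse(text, formatter(year, zone));
        if (zdt.toInstant().isAfter(now.plus(Duration.ofDays(1)))) {
            zdt = ZonedDateTime.parse(text, formatter(year - 1, zone));
        }
        return zdt;
    }

    // Supplies YEAR as a default value, since the pattern itself has no year field.
    static DateTimeFormatter formatter(int year, ZoneId zone) {
        return new DateTimeFormatterBuilder()
                .appendPattern(YEARLESS)
                .parseDefaulting(ChronoField.YEAR, year)
                .toFormatter()
                .withZone(zone);
    }

    public static void main(String[] args) {
        ZoneId zone = ZoneId.of("America/New_York"); // zone shown in the stack trace
        // Constructed "current time" values, fixed so the run is repeatable.
        Instant feb = Instant.parse("2017-02-20T21:00:00Z");
        Instant jan = Instant.parse("2018-01-01T06:00:00Z");
        System.out.println(parse("02/18-16:24:46.262900", zone, feb)); // same year
        System.out.println(parse("12/31-23:59:58.000001", zone, jan)); // rolls back a year
    }
}
```

An assumed year is still a guess: events replayed from archives older than a year get the wrong date, which is why enabling the year at the source with `config show_year` is the more reliable fix for alert timelines.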