[ https://issues.apache.org/jira/browse/METRON-402?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
David M. Lyle reassigned METRON-402:
------------------------------------

    Assignee: Michael Miklavcic

> Snort timestamp field shows up wrong value
> ------------------------------------------
>
>                 Key: METRON-402
>                 URL: https://issues.apache.org/jira/browse/METRON-402
>             Project: Metron
>          Issue Type: Bug
>    Affects Versions: 0.2.2BETA
>            Reporter: Neha Sinha
>            Assignee: Michael Miklavcic
>             Fix For: 0.2.2BETA
>
>
> Hi,
> I injected the following snort log:
>
> 07/28-06:37:58.922676 ,1,999158,0,"'snort test alert'",TCP,192.168.138.158,49188,62.75.195.236,80,00:00:00:00:00:00,00:00:00:00:00:00,0x3C,***A****,0xF017C4DA,0xABDB8426,,0xF6C9,128,0,2319,40,40960,,,,
>
> I expected the timestamp field in the indexed json to be the epoch equivalent of what is
> given in the log. However, the indexed snort json represents the current date
> and time.
> ========================================================
> {
>   "_index": "snort_index_2016.09.01.09",
>   "_type": "snort_doc",
>   "_id": "AVblCLtfZ5WQUn7o8i6U",
>   "_version": 1,
>   "_score": 1,
>   "_timestamp": 1469688800676,
>   "_source": {
>     "msg": ""'snort test alert'"",
>     "enrichments:geo:ip_dst_addr:locID": "794448",
>     "enrichments:geo:ip_dst_addr:location_point": "48.5839,7.7455",
>     "sig_rev": "0",
>     "ip_dst_port": "80",
>     "threatinteljoinbolt:joiner:ts": "1472721369718",
>     "ethsrc": "00:00:00:00:00:00",
>     "tcpseq": "0xF017C4DA",
>     "dgmlen": "40",
>     "enrichmentsplitterbolt:splitter:begin:ts": "1472721369701",
>     "enrichmentjoinbolt:joiner:ts": "1472721369707",
>     "adapter:geoadapter:begin:ts": "1472721369702",
>     "tcpwindow": "0xF6C9",
>     "enrichments:geo:ip_dst_addr:latitude": "48.5839",
>     "tcpack": "0xABDB8426",
>     "protocol": "TCP",
>     "source:type": "snort",
>     "adapter:threatinteladapter:end:ts": "1472721369718",
>     "ip_dst_addr": "62.75.195.236",
>     "original_string": "07/28-06:37:58.922676 ,1,999158,0,"'snort test alert'",TCP,192.168.138.158,49188,62.75.195.236,80,00:00:00:00:00:00,00:00:00:00:00:00,0x3C,***A****,0xF017C4DA,0xABDB8426,,0xF6C9,128,0,2319,40,40960,,,,",
>     "adapter:hostfromjsonlistadapter:end:ts": "1472721369702",
>     "tos": "0",
>     "adapter:geoadapter:end:ts": "1472721369707",
>     "id": "2319",
>     "ip_src_addr": "192.168.138.158",
>     "threatintelsplitterbolt:splitter:end:ts": "1472721369707",
>     "enrichments:geo:ip_dst_addr:longitude": "7.7455",
>     "timestamp": 1469688800676,
>     "ethdst": "00:00:00:00:00:00",
>     "enrichmentsplitterbolt:splitter:end:ts": "1472721369701",
>     "enrichments:geo:ip_dst_addr:city": "Strassbourg",
>     "enrichments:geo:ip_dst_addr:postalCode": "67100",
>     "is_alert": "true",
>     "adapter:hostfromjsonlistadapter:begin:ts": "1472721369702",
>     "ttl": "128",
>     "ethlen": "0x3C",
>     "iplen": "40960",
>     "ip_src_port": "49188",
>     "threat:triage:level": 10,
>     "threatintelsplitterbolt:splitter:begin:ts": "1472721369707",
>     "adapter:threatinteladapter:begin:ts": "1472721369708",
>     "tcpflags": "***A****",
>     "enrichments:geo:ip_dst_addr:country": "FR",
>     "sig_id": "999158",
>     "sig_generator": "1"
>   }
> }
> ========================================================
> In order to investigate this case I went through the following
> https://github.com/hortonworks/metron/blob/apache-ref/master/metron-platform/metron-parsers/src/main/java/org/apache/metron/parsers/snort/BasicSnortParser.java
> and found the following "TODO" note in the "toEpoch" function:
> ========================================================
> private long toEpoch(String snortDatetime) throws ParseException {
>
>   /*
>    * TODO how does Snort not embed the year in their default timestamp?! need to change this in
>    * Snort configuration. for now, just assume current year.
>    */
>   int year = Calendar.getInstance().get(Calendar.YEAR);
>   String withYear = Integer.toString(year) + " " + snortDatetime;
>   // convert to epoch time
>   SimpleDateFormat df = new SimpleDateFormat("yyyy MM/dd-HH:mm:ss.S");
>   Date date = df.parse(withYear);
>   return date.getTime();
> }
> ========================================================
> As per the above "TODO" note the year would match the current year, but the
> rest of the time fields should match what is in the original snort log.
> However, this is not the case.
> Also, do we have any jira to track the "todo" part? We should be having one as
> an enhancement at least.
>
> Regards,
> neha

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
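Added example, not code from the ticket or from Metron: a Python reconstruction of the parse in the quoted `toEpoch` snippet, using the log timestamp and the indexed `timestamp` value from the report. The pattern letter `S` in `SimpleDateFormat` means milliseconds, so the six-digit Snort fraction `.922676` is consumed as 922676 ms; under the assumptions that the parser ran in 2016 and in UTC, that reading lands exactly on the indexed value, while reading the digits as microseconds gives the epoch the reporter expected.

```python
from datetime import datetime, timedelta, timezone

# Values taken from the ticket: the injected alert's timestamp and the
# "timestamp" field that showed up in the indexed document.
SNORT_TIMESTAMP = "07/28-06:37:58.922676"
INDEXED_EPOCH_MS = 1469688800676

# Assumptions (not stated in the ticket): the year Calendar.getInstance()
# returned when the parser ran, and a UTC default time zone.
ASSUMED_YEAR = 2016
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def split_snort_datetime(snort_datetime):
    """Break 'MM/dd-HH:mm:ss.ffffff' into integer parts plus the raw fraction digits."""
    date_part, time_part = snort_datetime.split("-")
    month, day = (int(x) for x in date_part.split("/"))
    hms, fraction = time_part.split(".")
    hour, minute, second = (int(x) for x in hms.split(":"))
    return month, day, hour, minute, second, fraction


def to_epoch_like_parser(snort_datetime, year=ASSUMED_YEAR):
    """Reproduce SimpleDateFormat("yyyy MM/dd-HH:mm:ss.S") in lenient mode:
    the whole digit run after the dot is read as a count of milliseconds and
    rolled forward into the time, so 922676 ms (~15 min 22 s) is added."""
    month, day, hour, minute, second, fraction = split_snort_datetime(snort_datetime)
    base = datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)
    base_ms = (base - EPOCH) // timedelta(milliseconds=1)  # exact integer division
    return base_ms + int(fraction)


def to_epoch_microseconds(snort_datetime, year=ASSUMED_YEAR):
    """Read the digits after the dot as microseconds (what Snort writes) and
    return epoch milliseconds with the sub-millisecond part truncated."""
    month, day, hour, minute, second, fraction = split_snort_datetime(snort_datetime)
    micros = int(fraction.ljust(6, "0")[:6])
    base = datetime(year, month, day, hour, minute, second, micros, tzinfo=timezone.utc)
    return (base - EPOCH) // timedelta(milliseconds=1)


def drift_seconds(snort_datetime):
    """How far the parser-style reading drifts ahead of the microsecond reading."""
    return (to_epoch_like_parser(snort_datetime) - to_epoch_microseconds(snort_datetime)) / 1000


if __name__ == "__main__":
    print("parser-style :", to_epoch_like_parser(SNORT_TIMESTAMP), "indexed:", INDEXED_EPOCH_MS)
    print("microseconds :", to_epoch_microseconds(SNORT_TIMESTAMP))
    print("drift (s)    :", drift_seconds(SNORT_TIMESTAMP))
```

The drift is the fraction's digit count, not a time-zone offset: a five-digit fraction would shift the event by about 90 seconds, a six-digit one by about 15 minutes, so a detection timeline built from this field is off by a variable amount per alert.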