Details
Bug
Status: Done
Minor
Resolution: Done
0.2.1BETA
None
Description
Hi,
The Bro parser fails to parse the following event in my Metron environment:
{"http": {"ts":1467657279.0,"uid":"CMYLzP3PKiwZAgBa51","id.orig_h":"192.168.138.158","id.orig_p":49206,"id.resp_h":"95.163.121.204",
"id.resp_p":80,"trans_depth":2,"method":"GET","host":"7oqnsnzwwnm6zb7y.gigapaysun.com","uri":"/img/flags/it.png","referrer":"http://7oqnsnzwwnm6zb7y.gigapaysun.com/11iQmfg","user_agent":"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)","request_body_len":0,"response_body_len":552,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["F3m7vB2RjUe4n01aqj"],"resp_mime_types":["image/png"]}}
When I looked up the stack trace, it complains of the following statement in the BasicBroparser.java file:
convertedTimestamp=convertedTimestamp.substring(0,13);
Since the "ts" field in the respective Bro events is not 13 chars long, the parser threw the exception. We need to fix the Bro parser to accommodate parsing of such events.
Please find attached the parser exception message.
Regards,
Neha
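
The failure described in this report, reproduced next to a length-independent conversion. This is an added example, not code from the Metron project. The class and method names are hypothetical, and stripping the decimal point before the quoted `substring(0,13)` call is an assumption about the surrounding parser code. The sample timestamps are constructed, apart from the `ts` value taken from the event above.

```java
import java.math.BigDecimal;

public class BroTimestampExample {

    // Fixed-width approach: the substring statement quoted in the report.
    // Assumption: the decimal point is removed first so that the first
    // 13 digits are read as epoch milliseconds.
    static long fixedWidthConvert(String ts) {
        String convertedTimestamp = ts.replace(".", "");
        // Throws StringIndexOutOfBoundsException for fewer than 13 characters.
        convertedTimestamp = convertedTimestamp.substring(0, 13);
        return Long.parseLong(convertedTimestamp);
    }

    // Length-independent approach: treat "ts" as decimal epoch seconds and
    // scale it to milliseconds. BigDecimal also accepts exponent notation,
    // which is what Double.toString() produces for values of this size.
    static long toEpochMillis(String ts) {
        return new BigDecimal(ts).movePointRight(3).longValue();
    }

    public static void main(String[] args) {
        String[] samples = {
            "1467657279.0",       // "ts" from the event in this report
            "1467657279.123456",  // constructed: microsecond precision
            "1467657279",         // constructed: no fractional part
            "1.467657279E9"       // constructed: Double.toString() form
        };
        for (String ts : samples) {
            String fixedWidth;
            try {
                fixedWidth = Long.toString(fixedWidthConvert(ts));
            } catch (StringIndexOutOfBoundsException | NumberFormatException e) {
                // The event would be rejected by the parser at this point.
                fixedWidth = "FAILED (" + e.getClass().getSimpleName() + ")";
            }
            System.out.println(ts + " -> fixed-width: " + fixedWidth
                    + ", scaled: " + toEpochMillis(ts));
        }
    }
}
```

Sub-millisecond digits are truncated by `longValue()`, so the scaled result is always whole epoch milliseconds regardless of how many fractional digits the sensor emits.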