Details
- Type: Bug
- Status: Done
- Priority: Major
- Resolution: Done
- 0.2.2BETA
- None
Description
Hi,
I injected the following snort log:
07/28-06:37:58.922676 ,1,999158,0,"'snort test alert'",TCP,192.168.138.158,49188,62.75.195.236,80,00:00:00:00:00:00,00:00:00:00:00:00,0x3C,**A***,0xF017C4DA,0xABDB8426,,0xF6C9,128,0,2319,40,40960,,,,
I expected the timestamp field in the indexed JSON to be the epoch equivalent of what is given in the log. However, the indexed snort JSON represents the current date and time.
========================================================
{
  "_index": "snort_index_2016.09.01.09",
  "_type": "snort_doc",
  "_id": "AVblCLtfZ5WQUn7o8i6U",
  "_version": 1,
  "_score": 1,
  "_timestamp": 1469688800676,
  "_source": {
    "msg": "\"'snort test alert'\"",
    "enrichments:geo:ip_dst_addr:locID": "794448",
    "enrichments:geo:ip_dst_addr:location_point": "48.5839,7.7455",
    "sig_rev": "0",
    "ip_dst_port": "80",
    "threatinteljoinbolt:joiner:ts": "1472721369718",
    "ethsrc": "00:00:00:00:00:00",
    "tcpseq": "0xF017C4DA",
    "dgmlen": "40",
    "enrichmentsplitterbolt:splitter:begin:ts": "1472721369701",
    "enrichmentjoinbolt:joiner:ts": "1472721369707",
    "adapter:geoadapter:begin:ts": "1472721369702",
    "tcpwindow": "0xF6C9",
    "enrichments:geo:ip_dst_addr:latitude": "48.5839",
    "tcpack": "0xABDB8426",
    "protocol": "TCP",
    "source:type": "snort",
    "adapter:threatinteladapter:end:ts": "1472721369718",
    "ip_dst_addr": "62.75.195.236",
    "original_string": "07/28-06:37:58.922676 ,1,999158,0,\"'snort test alert'\",TCP,192.168.138.158,49188,62.75.195.236,80,00:00:00:00:00:00,00:00:00:00:00:00,0x3C,***A****,0xF017C4DA,0xABDB8426,,0xF6C9,128,0,2319,40,40960,,,,",
    "adapter:hostfromjsonlistadapter:end:ts": "1472721369702",
    "tos": "0",
    "adapter:geoadapter:end:ts": "1472721369707",
    "id": "2319",
    "ip_src_addr": "192.168.138.158",
    "threatintelsplitterbolt:splitter:end:ts": "1472721369707",
    "enrichments:geo:ip_dst_addr:longitude": "7.7455",
    "timestamp": 1469688800676,
    "ethdst": "00:00:00:00:00:00",
    "enrichmentsplitterbolt:splitter:end:ts": "1472721369701",
    "enrichments:geo:ip_dst_addr:city": "Strassbourg",
    "enrichments:geo:ip_dst_addr:postalCode": "67100",
    "is_alert": "true",
    "adapter:hostfromjsonlistadapter:begin:ts": "1472721369702",
    "ttl": "128",
    "ethlen": "0x3C",
    "iplen": "40960",
    "ip_src_port": "49188",
    "threat:triage:level": 10,
    "threatintelsplitterbolt:splitter:begin:ts": "1472721369707",
    "adapter:threatinteladapter:begin:ts": "1472721369708",
    "tcpflags": "***A****",
    "enrichments:geo:ip_dst_addr:country": "FR",
    "sig_id": "999158",
    "sig_generator": "1"
  }
}
========================================================
In order to investigate this case I went through the following https://github.com/hortonworks/metron/blob/apache-ref/master/metron-platform/metron-parsers/src/main/java/org/apache/metron/parsers/snort/BasicSnortParser.java and found the following "TODO" note in the "toEpoch" function:
========================================================
private long toEpoch(String snortDatetime) throws ParseException
========================================================
As per the above "TODO" note, the year would match the current year, but the rest of the time fields should match what is in the original snort log.
However, this is not the case.
Also, do we have any JIRA to track the "TODO" part? We should have one as an enhancement at least.
Regards,
neha
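The following is an added worked example, not part of the issue above and not Metron's own BasicSnortParser code. It parses the snort CSV timestamp pasted in the report ("07/28-06:37:58.922676", which carries no year and a six-digit microsecond fraction) into epoch milliseconds in two ways. The first treats the fraction as microseconds; the second treats the six digits as a millisecond count, which is how a lenient java.text.SimpleDateFormat pattern ending in ".SSSSSS" behaves. The second variant reproduces the indexed value 1469688800676 exactly for year 2016 (the log time plus 922.676 s), so the indexed timestamp is not the ingest time but the log time shifted by that amount; whether the project's parser does this is my inference from the numbers on the page, not something the page shows. Assumptions: timestamps are UTC, and the year is supplied by the caller, defaulting to the current UTC year as the TODO described in the report.

```python
"""Snort CSV timestamp -> epoch milliseconds (constructed example, not Metron code).

Assumes the snort timestamp is UTC and has no year; the caller supplies the
year (default: current UTC year, mirroring the TODO described in the issue).
"""
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed from the log line pasted in the issue (tcpflags as in the first paste).
SNORT_LOG_LINE = (
    "07/28-06:37:58.922676 ,1,999158,0,\"'snort test alert'\",TCP,"
    "192.168.138.158,49188,62.75.195.236,80,00:00:00:00:00:00,00:00:00:00:00:00,"
    "0x3C,**A***,0xF017C4DA,0xABDB8426,,0xF6C9,128,0,2319,40,40960,,,,"
)


def split_snort_timestamp(line):
    """Return (month, day, hour, minute, second, micros) from a snort CSV line.

    The timestamp is the first comma-separated field, "MM/dd-HH:mm:ss.ffffff".
    Rejects anything but a six-digit fraction so a silently wrong unit cannot
    slip through.
    """
    field = line.split(",", 1)[0].strip()
    date_part, time_part = field.split("-", 1)
    month, day = (int(x) for x in date_part.split("/"))
    hms, frac = time_part.split(".")
    hour, minute, second = (int(x) for x in hms.split(":"))
    if len(frac) != 6 or not frac.isdigit():
        raise ValueError("expected a six-digit microsecond fraction, got %r" % frac)
    return month, day, hour, minute, second, int(frac)


def to_epoch_millis(line, year=None):
    """Correct conversion: the six-digit fraction is microseconds."""
    if year is None:
        year = datetime.now(timezone.utc).year  # the log line carries no year
    month, day, hour, minute, second, micros = split_snort_timestamp(line)
    dt = datetime(year, month, day, hour, minute, second, micros, tzinfo=timezone.utc)
    # Integer timedelta arithmetic avoids float rounding at 1e9-second magnitudes.
    return (dt - EPOCH) // timedelta(milliseconds=1)


def to_epoch_millis_fraction_as_millis(line, year=None):
    """Faulty conversion: the six digits are taken as a millisecond count.

    This is what a lenient SimpleDateFormat pattern ending in ".SSSSSS" does:
    922676 ms (= 922.676 s) is added on top of the seconds, which for the
    issue's line yields the indexed value 1469688800676 when year == 2016.
    """
    if year is None:
        year = datetime.now(timezone.utc).year
    month, day, hour, minute, second, micros = split_snort_timestamp(line)
    dt = datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)
    return (dt - EPOCH) // timedelta(milliseconds=1) + micros


def skew_millis(line, year=None):
    """How far the faulty conversion drifts from the correct one for this line."""
    return to_epoch_millis_fraction_as_millis(line, year) - to_epoch_millis(line, year)


if __name__ == "__main__":
    print("correct :", to_epoch_millis(SNORT_LOG_LINE, year=2016))
    print("faulty  :", to_epoch_millis_fraction_as_millis(SNORT_LOG_LINE, year=2016))
    print("skew ms :", skew_millis(SNORT_LOG_LINE, year=2016))
```

Run with the year pinned to 2016: the correct value is 1469687878922 (2016-07-28 06:37:58.922 UTC) and the faulty value is 1469688800676, the number in the indexed document, so the two differ by 921754 ms. A parser that must accept this format should convert the fraction to milliseconds (or use a microsecond-aware API) rather than feed six digits to a millisecond field, and should make the assumed year and timezone explicit rather than implicit.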