Project: Metron (Retired)
Issue: METRON-402

Snort timestamp field shows up wrong value


Details

    • Type: Bug
    • Status: Done
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 0.2.2BETA
    • Fix Version/s: 0.3.0
    • Component/s: None

    Description

      Hi,
      I injected the following snort log:

      07/28-06:37:58.922676 ,1,999158,0,"'snort test alert'",TCP,192.168.138.158,49188,62.75.195.236,80,00:00:00:00:00:00,00:00:00:00:00:00,0x3C,***A****,0xF017C4DA,0xABDB8426,,0xF6C9,128,0,2319,40,40960,,,,

      I expected the timestamp field in the indexed JSON to be the epoch equivalent of what is given in the log. However, the indexed snort JSON represents the current date and time.
      ========================================================
      {
        "_index": "snort_index_2016.09.01.09",
        "_type": "snort_doc",
        "_id": "AVblCLtfZ5WQUn7o8i6U",
        "_version": 1,
        "_score": 1,
        "_timestamp": 1469688800676,
        "_source": {
          "msg": "\"'snort test alert'\"",
          "enrichments:geo:ip_dst_addr:locID": "794448",
          "enrichments:geo:ip_dst_addr:location_point": "48.5839,7.7455",
          "sig_rev": "0",
          "ip_dst_port": "80",
          "threatinteljoinbolt:joiner:ts": "1472721369718",
          "ethsrc": "00:00:00:00:00:00",
          "tcpseq": "0xF017C4DA",
          "dgmlen": "40",
          "enrichmentsplitterbolt:splitter:begin:ts": "1472721369701",
          "enrichmentjoinbolt:joiner:ts": "1472721369707",
          "adapter:geoadapter:begin:ts": "1472721369702",
          "tcpwindow": "0xF6C9",
          "enrichments:geo:ip_dst_addr:latitude": "48.5839",
          "tcpack": "0xABDB8426",
          "protocol": "TCP",
          "source:type": "snort",
          "adapter:threatinteladapter:end:ts": "1472721369718",
          "ip_dst_addr": "62.75.195.236",
          "original_string": "07/28-06:37:58.922676 ,1,999158,0,\"'snort test alert'\",TCP,192.168.138.158,49188,62.75.195.236,80,00:00:00:00:00:00,00:00:00:00:00:00,0x3C,***A****,0xF017C4DA,0xABDB8426,,0xF6C9,128,0,2319,40,40960,,,,",
          "adapter:hostfromjsonlistadapter:end:ts": "1472721369702",
          "tos": "0",
          "adapter:geoadapter:end:ts": "1472721369707",
          "id": "2319",
          "ip_src_addr": "192.168.138.158",
          "threatintelsplitterbolt:splitter:end:ts": "1472721369707",
          "enrichments:geo:ip_dst_addr:longitude": "7.7455",
          "timestamp": 1469688800676,
          "ethdst": "00:00:00:00:00:00",
          "enrichmentsplitterbolt:splitter:end:ts": "1472721369701",
          "enrichments:geo:ip_dst_addr:city": "Strassbourg",
          "enrichments:geo:ip_dst_addr:postalCode": "67100",
          "is_alert": "true",
          "adapter:hostfromjsonlistadapter:begin:ts": "1472721369702",
          "ttl": "128",
          "ethlen": "0x3C",
          "iplen": "40960",
          "ip_src_port": "49188",
          "threat:triage:level": 10,
          "threatintelsplitterbolt:splitter:begin:ts": "1472721369707",
          "adapter:threatinteladapter:begin:ts": "1472721369708",
          "tcpflags": "***A****",
          "enrichments:geo:ip_dst_addr:country": "FR",
          "sig_id": "999158",
          "sig_generator": "1"
        }
      }
      ========================================================

      In order to investigate this case I went through the following https://github.com/hortonworks/metron/blob/apache-ref/master/metron-platform/metron-parsers/src/main/java/org/apache/metron/parsers/snort/BasicSnortParser.java and found the following "TODO" note in the "toEpoch" function:

      ========================================================
      private long toEpoch(String snortDatetime) throws ParseException {
        /*
         * TODO how does Snort not embed the year in their default timestamp?! need to change this in
         * Snort configuration. for now, just assume current year.
         */
        int year = Calendar.getInstance().get(Calendar.YEAR);
        String withYear = Integer.toString(year) + " " + snortDatetime;
        // convert to epoch time
        SimpleDateFormat df = new SimpleDateFormat("yyyy MM/dd-HH:mm:ss.S");
        Date date = df.parse(withYear);
        return date.getTime();
      }
      ========================================================

      As per the above "TODO" note, the year would match the current year, but the rest of the time fields should match what is in the original snort log.
      However, this is not the case.

      Also, do we have any JIRA to track the "TODO" part? We should have one as an enhancement at least.

      Regards,
      neha
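Added example (not Metron's code and not from the report above): a small Python reconstruction of the two ways the fractional seconds in the quoted Snort timestamp can be handled. It assumes the log time is UTC and supplies the year 2016 explicitly, since Snort's default timestamp carries no year. `parse_fraction_as_milliseconds` reproduces the arithmetic of reading the six-digit fraction "922676" as an integer millisecond count and letting the excess roll forward into minutes and seconds; under the UTC assumption that reading yields exactly 1469688800676, the `timestamp` indexed above, which is 06:53:20.676 UTC on 2016-07-28, about 921.754 s after the 06:37:58.922 in the log. `parse_snort_timestamp` treats the fraction as microseconds and keeps millisecond precision. The helper names are this example's own.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed input: the timestamp field of the Snort CSV line quoted in the report.
SAMPLE_SNORT_TIMESTAMP = "07/28-06:37:58.922676"


def _split(snort_datetime, year, tz):
    """Split 'MM/DD-HH:MM:SS.ffffff' into a tz-aware datetime (whole seconds) and the fraction digits.

    Snort's default timestamp carries no year, so the caller supplies one (the parser
    quoted in the report assumes the current year). The zone is assumed UTC here.
    """
    datepart, _, fraction = snort_datetime.strip().partition(".")
    base = datetime.strptime(f"{year} {datepart}", "%Y %m/%d-%H:%M:%S")
    return base.replace(tzinfo=tz), fraction


def parse_snort_timestamp(snort_datetime, year=2016, tz=timezone.utc):
    """Correct handling: the fraction is a fraction of a second (microseconds in Snort's output)."""
    base, fraction = _split(snort_datetime, year, tz)
    # Pad or truncate to six digits so ".9", ".922" and ".922676" all mean a fraction of a second.
    micros = int((fraction + "000000")[:6]) if fraction else 0
    dt = base.replace(microsecond=micros)
    # Integer arithmetic on timedeltas avoids float rounding at epoch-millisecond magnitude.
    return (dt - EPOCH) // timedelta(milliseconds=1)


def parse_fraction_as_milliseconds(snort_datetime, year=2016, tz=timezone.utc):
    """Defective handling: read the fraction digits as an integer count of milliseconds.

    With "922676" this adds 922,676 ms (15 min 22.676 s) to the whole-second time, so the
    minutes and seconds roll forward even though the date and hour still look plausible.
    """
    base, fraction = _split(snort_datetime, year, tz)
    dt = base + timedelta(milliseconds=int(fraction) if fraction else 0)
    return (dt - EPOCH) // timedelta(milliseconds=1)


def epoch_ms_to_iso(epoch_ms):
    """Render an epoch-millisecond value as an ISO-8601 UTC string for side-by-side comparison."""
    return (EPOCH + timedelta(milliseconds=epoch_ms)).isoformat(timespec="milliseconds")


if __name__ == "__main__":
    good = parse_snort_timestamp(SAMPLE_SNORT_TIMESTAMP)
    bad = parse_fraction_as_milliseconds(SAMPLE_SNORT_TIMESTAMP)
    print("log says         :", SAMPLE_SNORT_TIMESTAMP)
    print("fraction as micro:", good, epoch_ms_to_iso(good))
    print("fraction as milli:", bad, epoch_ms_to_iso(bad))
    print("drift (seconds)  :", (bad - good) / 1000)
```

Because the drift is only a few minutes, a quick look at the indexed document can easily be mistaken for "now"; comparing the indexed epoch against the `original_string` field, as above, is the check that separates a fraction-parsing defect from a clock or time-zone problem. A three-digit fraction gives the same result under both readings, which is why such a defect survives tests written with millisecond timestamps.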

            People

              Assignee: mmiklavcic (Michael Miklavcic)
              Reporter: nsinha17 (Neha Sinha)
              Votes: 0
              Watchers: 2
