Posted to issues@metron.apache.org by "Casey Stella (JIRA)" <ji...@apache.org> on 2016/11/02 19:03:58 UTC

[jira] [Updated] (METRON-402) Snort timestamp field shows up wrong value

     [ https://issues.apache.org/jira/browse/METRON-402?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Casey Stella updated METRON-402:
--------------------------------
    Assignee: Michael Miklavcic  (was: Casey Stella)

> Snort timestamp field shows up wrong value
> ------------------------------------------
>
>                 Key: METRON-402
>                 URL: https://issues.apache.org/jira/browse/METRON-402
>             Project: Metron
>          Issue Type: Bug
>    Affects Versions: 0.2.2BETA
>            Reporter: Neha Sinha
>            Assignee: Michael Miklavcic
>             Fix For: 0.2.2BETA
>
>
> Hi,
> I injected the following snort log:-
> 07/28-06:37:58.922676 ,1,999158,0,"'snort test alert'",TCP,192.168.138.158,49188,62.75.195.236,80,00:00:00:00:00:00,00:00:00:00:00:00,0x3C,***A****,0xF017C4DA,0xABDB8426,,0xF6C9,128,0,2319,40,40960,,,,
> I expected the timestamp field in the indexed JSON to be the epoch equivalent of what is given in the log. However, the indexed snort JSON represents the current date and time.
> ========================================================
> {
>     "_index": "snort_index_2016.09.01.09",
>     "_type": "snort_doc",
>     "_id": "AVblCLtfZ5WQUn7o8i6U",
>     "_version": 1,
>     "_score": 1,
>     "_timestamp": 1469688800676,
>     "_source": {
>         "msg": ""'snort test alert'"",
>         "enrichments:geo:ip_dst_addr:locID": "794448",
>         "enrichments:geo:ip_dst_addr:location_point": "48.5839,7.7455",
>         "sig_rev": "0",
>         "ip_dst_port": "80",
>         "threatinteljoinbolt:joiner:ts": "1472721369718",
>         "ethsrc": "00:00:00:00:00:00",
>         "tcpseq": "0xF017C4DA",
>         "dgmlen": "40",
>         "enrichmentsplitterbolt:splitter:begin:ts": "1472721369701",
>         "enrichmentjoinbolt:joiner:ts": "1472721369707",
>         "adapter:geoadapter:begin:ts": "1472721369702",
>         "tcpwindow": "0xF6C9",
>         "enrichments:geo:ip_dst_addr:latitude": "48.5839",
>         "tcpack": "0xABDB8426",
>         "protocol": "TCP",
>         "source:type": "snort",
>         "adapter:threatinteladapter:end:ts": "1472721369718",
>         "ip_dst_addr": "62.75.195.236",
>         "original_string": "07/28-06:37:58.922676 ,1,999158,0,"'snort test alert'",TCP,192.168.138.158,49188,62.75.195.236,80,00:00:00:00:00:00,00:00:00:00:00:00,0x3C,***A****,0xF017C4DA,0xABDB8426,,0xF6C9,128,0,2319,40,40960,,,,",
>         "adapter:hostfromjsonlistadapter:end:ts": "1472721369702",
>         "tos": "0",
>         "adapter:geoadapter:end:ts": "1472721369707",
>         "id": "2319",
>         "ip_src_addr": "192.168.138.158",
>         "threatintelsplitterbolt:splitter:end:ts": "1472721369707",
>         "enrichments:geo:ip_dst_addr:longitude": "7.7455",
>         "timestamp": 1469688800676,
>         "ethdst": "00:00:00:00:00:00",
>         "enrichmentsplitterbolt:splitter:end:ts": "1472721369701",
>         "enrichments:geo:ip_dst_addr:city": "Strassbourg",
>         "enrichments:geo:ip_dst_addr:postalCode": "67100",
>         "is_alert": "true",
>         "adapter:hostfromjsonlistadapter:begin:ts": "1472721369702",
>         "ttl": "128",
>         "ethlen": "0x3C",
>         "iplen": "40960",
>         "ip_src_port": "49188",
>         "threat:triage:level": 10,
>         "threatintelsplitterbolt:splitter:begin:ts": "1472721369707",
>         "adapter:threatinteladapter:begin:ts": "1472721369708",
>         "tcpflags": "***A****",
>         "enrichments:geo:ip_dst_addr:country": "FR",
>         "sig_id": "999158",
>         "sig_generator": "1"
>     }
> }
> ========================================================
> In order to investigate this case I went through the following https://github.com/hortonworks/metron/blob/apache-ref/master/metron-platform/metron-parsers/src/main/java/org/apache/metron/parsers/snort/BasicSnortParser.java and found the following "TODO" note in the "toEpoch" function:-
> ========================================================
> private long toEpoch(String snortDatetime) throws ParseException {
>
>     /*
>      * TODO how does Snort not embed the year in their default timestamp?! need to change this in
>      * Snort configuration.  for now, just assume current year.
>      */
>     int year = Calendar.getInstance().get(Calendar.YEAR);
>     String withYear = Integer.toString(year) + " " + snortDatetime;
>     // convert to epoch time
>     SimpleDateFormat df = new SimpleDateFormat("yyyy MM/dd-HH:mm:ss.S");
>     Date date = df.parse(withYear);
>     return date.getTime();
> }
> ========================================================
> As per the above "TODO" note the year would match the current year, but the rest of the time fields should match what is in the original snort log.
> However, this is not the case.
> Also, do we have any JIRA to track the "TODO" part? We should have one as an enhancement at least.
> Regards,
> neha



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
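The following is an added, stand-alone Java example (not code from the Metron project or from the ticket) that reproduces the parse performed by the quoted toEpoch() on the ticket's own log line, with two assumptions made explicit: the year is fixed to 2016 (the year of the report, instead of the current year) and the time zone to UTC, so the result is the same wherever it runs. It shows what the pattern letter `S` does with Snort's six fractional digits: SimpleDateFormat treats the parsed number as a millisecond count, and the lenient Calendar rolls 922676 ms forward into the minutes and seconds fields. The second method, parseWithMicros, is a hypothetical alternative written for this example only (not the project's fix) that parses the whole-second part and truncates the fractional digits to milliseconds.

```java
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.TimeZone;

public class SnortTimestampCheck {

    // Constructed sample: the timestamp prefix of the log line quoted in this ticket.
    static final String SNORT_TS = "07/28-06:37:58.922676";

    // Same pattern as the quoted toEpoch(); year and zone are fixed here (assumptions
    // for reproducibility) instead of "current year" and the JVM default zone.
    static long parseLikeToEpoch(String snortDatetime, int year) throws ParseException {
        SimpleDateFormat df = new SimpleDateFormat("yyyy MM/dd-HH:mm:ss.S");
        df.setTimeZone(TimeZone.getTimeZone("UTC"));
        // "S" parses the digits after the dot as a millisecond count; with the default
        // lenient calendar, 922676 ms overflows into ~15 minutes of extra time.
        return df.parse(year + " " + snortDatetime).getTime();
    }

    // Hypothetical alternative: parse whole seconds, then add the fractional digits
    // (Snort writes microseconds) truncated to milliseconds.
    static long parseWithMicros(String snortDatetime, int year) throws ParseException {
        int dot = snortDatetime.lastIndexOf('.');
        String seconds = snortDatetime.substring(0, dot);
        String frac = snortDatetime.substring(dot + 1);
        SimpleDateFormat df = new SimpleDateFormat("yyyy MM/dd-HH:mm:ss");
        df.setTimeZone(TimeZone.getTimeZone("UTC"));
        long epochMillis = df.parse(year + " " + seconds).getTime();
        // pad or cut the fractional part to exactly three digits (milliseconds)
        String millis = (frac + "000").substring(0, 3);
        return epochMillis + Long.parseLong(millis);
    }

    public static void main(String[] args) throws ParseException {
        SimpleDateFormat out = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss.SSS 'UTC'");
        out.setTimeZone(TimeZone.getTimeZone("UTC"));
        long asIs = parseLikeToEpoch(SNORT_TS, 2016);
        long fixed = parseWithMicros(SNORT_TS, 2016);
        System.out.println("pattern ss.S : " + asIs + " = " + out.format(new Date(asIs)));
        System.out.println("micros-aware : " + fixed + " = " + out.format(new Date(fixed)));
        System.out.println("difference   : " + (asIs - fixed) + " ms");
    }
}
```

Run with `javac SnortTimestampCheck.java && java SnortTimestampCheck`. With the year fixed to 2016 and UTC, parseLikeToEpoch returns 1469688800676, which is exactly the `timestamp` value in the indexed document above: 2016-07-28 06:53:20.676 UTC, 15 minutes and 22.676 seconds after the 06:37:58.922676 written in the log. For an alert pipeline this matters beyond cosmetics: a detection or forensic timeline built on the indexed timestamp would place the event a quarter of an hour late, and the offset grows with the microsecond value, so the error differs from event to event.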