Posted to issues@metron.apache.org by "Neha Sinha (JIRA)" <ji...@apache.org> on 2016/09/02 04:14:20 UTC

[jira] [Created] (METRON-402) Snort timestamp field shows up wrong value

Neha Sinha created METRON-402:
---------------------------------

             Summary: Snort timestamp field shows up wrong value
                 Key: METRON-402
                 URL: https://issues.apache.org/jira/browse/METRON-402
             Project: Metron
          Issue Type: Bug
    Affects Versions: 0.2.2BETA
            Reporter: Neha Sinha


Hi,
I injected the following Snort log:

07/28-06:37:58.922676 ,1,999158,0,"'snort test alert'",TCP,192.168.138.158,49188,62.75.195.236,80,00:00:00:00:00:00,00:00:00:00:00:00,0x3C,***A****,0xF017C4DA,0xABDB8426,,0xF6C9,128,0,2319,40,40960,,,,

I expected the timestamp field in the indexed JSON to be the epoch equivalent of what is given in the log. However, the indexed Snort JSON represents the current date and time.
========================================================
{
    "_index": "snort_index_2016.09.01.09",
    "_type": "snort_doc",
    "_id": "AVblCLtfZ5WQUn7o8i6U",
    "_version": 1,
    "_score": 1,
    "_timestamp": 1469688800676,
    "_source": {
        "msg": ""'snort test alert'"",
        "enrichments:geo:ip_dst_addr:locID": "794448",
        "enrichments:geo:ip_dst_addr:location_point": "48.5839,7.7455",
        "sig_rev": "0",
        "ip_dst_port": "80",
        "threatinteljoinbolt:joiner:ts": "1472721369718",
        "ethsrc": "00:00:00:00:00:00",
        "tcpseq": "0xF017C4DA",
        "dgmlen": "40",
        "enrichmentsplitterbolt:splitter:begin:ts": "1472721369701",
        "enrichmentjoinbolt:joiner:ts": "1472721369707",
        "adapter:geoadapter:begin:ts": "1472721369702",
        "tcpwindow": "0xF6C9",
        "enrichments:geo:ip_dst_addr:latitude": "48.5839",
        "tcpack": "0xABDB8426",
        "protocol": "TCP",
        "source:type": "snort",
        "adapter:threatinteladapter:end:ts": "1472721369718",
        "ip_dst_addr": "62.75.195.236",
        "original_string": "07/28-06:37:58.922676 ,1,999158,0,"'snort test alert'",TCP,192.168.138.158,49188,62.75.195.236,80,00:00:00:00:00:00,00:00:00:00:00:00,0x3C,***A****,0xF017C4DA,0xABDB8426,,0xF6C9,128,0,2319,40,40960,,,,",
        "adapter:hostfromjsonlistadapter:end:ts": "1472721369702",
        "tos": "0",
        "adapter:geoadapter:end:ts": "1472721369707",
        "id": "2319",
        "ip_src_addr": "192.168.138.158",
        "threatintelsplitterbolt:splitter:end:ts": "1472721369707",
        "enrichments:geo:ip_dst_addr:longitude": "7.7455",
        "timestamp": 1469688800676,
        "ethdst": "00:00:00:00:00:00",
        "enrichmentsplitterbolt:splitter:end:ts": "1472721369701",
        "enrichments:geo:ip_dst_addr:city": "Strassbourg",
        "enrichments:geo:ip_dst_addr:postalCode": "67100",
        "is_alert": "true",
        "adapter:hostfromjsonlistadapter:begin:ts": "1472721369702",
        "ttl": "128",
        "ethlen": "0x3C",
        "iplen": "40960",
        "ip_src_port": "49188",
        "threat:triage:level": 10,
        "threatintelsplitterbolt:splitter:begin:ts": "1472721369707",
        "adapter:threatinteladapter:begin:ts": "1472721369708",
        "tcpflags": "***A****",
        "enrichments:geo:ip_dst_addr:country": "FR",
        "sig_id": "999158",
        "sig_generator": "1"
    }
}
========================================================

In order to investigate this case I went through the following https://github.com/hortonworks/metron/blob/apache-ref/master/metron-platform/metron-parsers/src/main/java/org/apache/metron/parsers/snort/BasicSnortParser.java and found the following "TODO" note in the "toEpoch" function:

========================================================
private long toEpoch(String snortDatetime) throws ParseException {

    /*
     * TODO how does Snort not embed the year in their default timestamp?! need to change this in
     * Snort configuration.  for now, just assume current year.
     */
    int year = Calendar.getInstance().get(Calendar.YEAR);
    String withYear = Integer.toString(year) + " " + snortDatetime;

    // convert to epoch time
    SimpleDateFormat df = new SimpleDateFormat("yyyy MM/dd-HH:mm:ss.S");
    Date date = df.parse(withYear);
    return date.getTime();
}
========================================================

As per the above "TODO" note, the year would match the current year, but the rest of the time fields should match what is in the original Snort log.
However, this is not the case.

Also, do we have any JIRA to track the "TODO" part? We should have one as an enhancement at least.

Regards,
neha
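As an added check (example code, not part of the report or of Metron's BasicSnortParser): the indexed value 1469688800676 can be reproduced exactly by reading the six digits after the dot in "06:37:58.922676" as a millisecond count, which is how SimpleDateFormat's "ss.S" pattern parses them, instead of as the microseconds Snort emits. The script assumes the year 2016 (the year the parser would substitute when the report was filed) and that the parsing host's default time zone was UTC.

```python
from datetime import datetime, timezone

# Values taken from the report: the injected Snort timestamp and the value
# that appeared in the indexed document's "timestamp" field.
SNORT_TS = "07/28-06:37:58.922676"
INDEXED_TS = 1469688800676
YEAR = 2016  # BasicSnortParser substitutes the current year; the report dates from 2016


def parse_snort_ts(snort_ts: str, year: int, frac_as_millis: bool) -> int:
    """Epoch milliseconds for a Snort 'MM/dd-HH:mm:ss.ffffff' timestamp.

    frac_as_millis=True mirrors SimpleDateFormat's "ss.S" pattern, which
    parses the whole digit run after the dot as a millisecond count, so
    ".922676" is added as 922676 ms (roughly 15 minutes).
    frac_as_millis=False treats the six digits as the microseconds Snort
    actually writes and truncates them to milliseconds.
    Assumption: the parsing host's default time zone is UTC.
    """
    date_part, frac = snort_ts.split(".")
    base = datetime.strptime(f"{year} {date_part}", "%Y %m/%d-%H:%M:%S")
    base_ms = int(base.replace(tzinfo=timezone.utc).timestamp()) * 1000
    return base_ms + (int(frac) if frac_as_millis else int(frac) // 1000)


def timestamp_skew(snort_ts: str, indexed_ts: int, year: int) -> dict:
    """Compare an indexed timestamp against the correct epoch for the log line.

    Returns the expected value, the skew the index carries, and whether that
    skew is exactly what the millisecond misinterpretation would produce.
    """
    expected = parse_snort_ts(snort_ts, year, frac_as_millis=False)
    buggy = parse_snort_ts(snort_ts, year, frac_as_millis=True)
    return {
        "expected_ms": expected,
        "skew_ms": indexed_ts - expected,
        "matches_millis_bug": indexed_ts == buggy,
    }


if __name__ == "__main__":
    result = timestamp_skew(SNORT_TS, INDEXED_TS, YEAR)
    print(f"expected {result['expected_ms']}, indexed {INDEXED_TS}, "
          f"skew {result['skew_ms']} ms, millis bug: {result['matches_millis_bug']}")
```

The same comparison can be run over any indexed Snort document to flag timestamps whose skew equals the fractional-second digits of original_string.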




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)