Posted to dev@metron.apache.org by Otto Fowler <ot...@gmail.com> on 2017/02/20 21:47:29 UTC

custom date format required for snort, but not working

There is someone on the user list getting errors from snort, and I sent him
this reply:

---------
2017-02-20 16:00:14 ERROR BasicSnortParser:179 - Unable to parse message:
02/18-16:24:46.262884 ,1,999158,0,"'snort test
alert'",TCP,192.168.1.85,58472,192.168.1.216,22,34:68:95:01:D1:BB,52:54:00:E0:8F:0D,0x42,***A****,0x6756B8AF,0xA5EF764E,,0x5A4,64,16,57034,52,53248,,,,
java.time.format.DateTimeParseException: Text '02/18-16:24:46.262884' could
not be parsed at index 5

We expect a date more like 01/27/16-16:01:04.877970
So the year is missing.


Our default date formatter for snort is defined as MM/dd/yy-HH:mm:ss.SSSSSS

You can change this by adding "dateFormat": "your format" to your parser
configuration
——————

The issue is, I can't get this to work. I don't think that
ZonedDateTime will work if the year is missing.

I tried the following test:

import java.time.ZoneId;
import java.time.ZonedDateTime;
import java.time.format.DateTimeFormatter;

class Untitled {
    public static void main(String[] args) {
        String fmt = "MM/dd-HH:mm:ss.SSSSSS";          // year-less pattern (fails)
        String old = "MM/dd/yy-HH:mm:ss.SSSSSS";       // current default pattern (works)
        String dateString = "02/18-16:24:46.262900";   // year-less input
        String oldString = "02/18/17-16:24:46.262900"; // input with a two-digit year
        // Swap in old/oldString to see the working case.
        DateTimeFormatter df = DateTimeFormatter.ofPattern(fmt);
        df = df.withZone(ZoneId.systemDefault());
        ZonedDateTime zdt = ZonedDateTime.parse(dateString, df);
        System.out.println(String.format("%d", zdt.toInstant().toEpochMilli()));
    }
}


old and oldString work.

fmt and dateString don't, with this exception:


Exception in thread "main" java.time.format.DateTimeParseException: Text '02/18-16:24:46.262900' could not be parsed: Unable to obtain ZonedDateTime from TemporalAccessor: {MonthOfYear=2, DayOfMonth=18},ISO,America/New_York resolved to 16:24:46.262900 of type java.time.format.Parsed
    at java.time.format.DateTimeFormatter.createError(DateTimeFormatter.java:1920)
    at java.time.format.DateTimeFormatter.parse(DateTimeFormatter.java:1855)
    at java.time.ZonedDateTime.parse(ZonedDateTime.java:597)
    at Untitled.main(Untitled 2.java:13)
Caused by: java.time.DateTimeException: Unable to obtain ZonedDateTime from TemporalAccessor: {MonthOfYear=2, DayOfMonth=18},ISO,America/New_York resolved to 16:24:46.262900 of type java.time.format.Parsed
    at java.time.ZonedDateTime.from(ZonedDateTime.java:565)
    at java.time.format.Parsed.query(Parsed.java:226)
    at java.time.format.DateTimeFormatter.parse(DateTimeFormatter.java:1851)
    ... 2 more
Caused by: java.time.DateTimeException: Unable to obtain LocalDate from TemporalAccessor: {MonthOfYear=2, DayOfMonth=18},ISO,America/New_York resolved to 16:24:46.262900 of type java.time.format.Parsed
    at java.time.LocalDate.from(LocalDate.java:368)
    at java.time.ZonedDateTime.from(ZonedDateTime.java:559)
    ... 4 more


The snort parser doesn't document the dateFormat override (METRON-729).
I don't know of, and have not found, a way to modify how snort outputs the
date string.

Any ideas?
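
As an added example (not Metron's parser and not code from this thread), the following Java program reproduces the failure above beside one way a parser could handle a year-less Snort timestamp: it reads the pattern from a "dateFormat" entry the way the thread describes, and when that pattern carries no year it supplies a default year through DateTimeFormatterBuilder.parseDefaulting, which is what ZonedDateTime.parse needs in order to resolve a LocalDate. The class name, the parserConfig map, the defaultYear parameter and the sample values are assumptions made for illustration; the same approach applies to any year-less format, including the RFC 3164 syslog timestamps Kyle mentions later in the thread.

```java
import java.time.ZoneId;
import java.time.ZonedDateTime;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeFormatterBuilder;
import java.time.format.DateTimeParseException;
import java.time.temporal.ChronoField;
import java.util.HashMap;
import java.util.Map;

// Added example, not Metron's own parser: parse Snort timestamps with or
// without a year, defaulting the year only when the configured pattern lacks one.
public class SnortTimestampExample {

    // Default pattern quoted in the thread; a parser config may override it
    // with a "dateFormat" entry (key name taken from the thread).
    static final String DEFAULT_FORMAT = "MM/dd/yy-HH:mm:ss.SSSSSS";

    static DateTimeFormatter formatterFor(String pattern, int defaultYear, ZoneId zone) {
        DateTimeFormatterBuilder b = new DateTimeFormatterBuilder().appendPattern(pattern);
        // A year-less pattern (Snort without "config show_year") can never resolve
        // a LocalDate, which is exactly what the thread's exception reports.
        // Supply a default year only in that case: parseDefaulting(YEAR) next to a
        // parsed two-digit year raises a "Conflict found" DateTimeException
        // whenever the two values differ.
        if (!pattern.contains("y") && !pattern.contains("u")) {
            b.parseDefaulting(ChronoField.YEAR, defaultYear);
        }
        return b.toFormatter().withZone(zone);
    }

    // parserConfig and defaultYear are assumed inputs for this illustration.
    static long toEpochMillis(String timestamp, Map<String, Object> parserConfig,
                              int defaultYear, ZoneId zone) {
        String pattern = (String) parserConfig.getOrDefault("dateFormat", DEFAULT_FORMAT);
        ZonedDateTime zdt = ZonedDateTime.parse(timestamp, formatterFor(pattern, defaultYear, zone));
        return zdt.toInstant().toEpochMilli();
    }

    public static void main(String[] args) {
        ZoneId utc = ZoneId.of("UTC");
        // Constructed sample configs and inputs, values copied from the thread's test program.
        Map<String, Object> defaults = new HashMap<>();
        Map<String, Object> yearless = new HashMap<>();
        yearless.put("dateFormat", "MM/dd-HH:mm:ss.SSSSSS");

        // Snort with show_year: the default pattern parses as before.
        System.out.println(toEpochMillis("02/18/17-16:24:46.262900", defaults, 2017, utc));
        // Snort without show_year: the same instant once the year is defaulted.
        System.out.println(toEpochMillis("02/18-16:24:46.262900", yearless, 2017, utc));

        // The original failure, reproduced: year-less text against the default
        // pattern stops matching at the '-' where '/yy' was expected (index 5).
        try {
            toEpochMillis("02/18-16:24:46.262900", defaults, 2017, utc);
        } catch (DateTimeParseException e) {
            System.out.println("expected failure: " + e.getMessage());
        }
    }
}
```

Run as written it prints the same epoch millisecond value twice (the year-bearing and year-less inputs resolve to the same instant in UTC), followed by the "could not be parsed at index 5" error from the thread. The default year is passed in rather than read from the clock inside the parser because defaulting to the current year is wrong for an alert written just before a year boundary and parsed after it; enabling the year in Snort itself, as the thread concludes, avoids the guess entirely.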

Re: custom date format required for snort, but not working

Posted by Otto Fowler <ot...@gmail.com>.
OK -
I changed METRON-729 ( snort parser is not documented ) to include this.
Thanks!


On February 21, 2017 at 11:05:46, Otto Fowler (ottobackwards@gmail.com)
wrote:

Actually I see it is the default now
I'll get my jiras straight for documenting and configuration and put that
we should document it



On February 21, 2017 at 11:04:08, Otto Fowler (ottobackwards@gmail.com)
wrote:

That is what I’m going to do in the jira



On February 21, 2017 at 10:06:24, Michael Miklavcic (
michael.miklavcic@gmail.com) wrote:

We decided at some point that given that there is an option in Snort to
enable years in the timestamp that this was the best option for handling
the dates. This should already be the default for Vagrant.

On Tue, Feb 21, 2017 at 5:59 AM, Otto Fowler <ot...@gmail.com>
wrote:

> ok -
>
> # Configure Snort to show year in timestamps
> config show_year
>
> looks like it fixed it for him.
> I create a jira to make sure this is in our default
>
> On February 20, 2017 at 16:47:29, Otto Fowler (ottobackwards@gmail.com)
> wrote:

Re: custom date format required for snort, but not working

Posted by Otto Fowler <ot...@gmail.com>.
Actually I see it is the default now
I'll get my jiras straight for documenting and configuration and put that
we should document it



On February 21, 2017 at 11:04:08, Otto Fowler (ottobackwards@gmail.com)
wrote:

That is what I’m going to do in the jira



On February 21, 2017 at 10:06:24, Michael Miklavcic (
michael.miklavcic@gmail.com) wrote:

We decided at some point that given that there is an option in Snort to
enable years in the timestamp that this was the best option for handling
the dates. This should already be the default for Vagrant.

On Tue, Feb 21, 2017 at 5:59 AM, Otto Fowler <ot...@gmail.com>
wrote:

> ok -
>
> # Configure Snort to show year in timestamps
> config show_year
>
> looks like it fixed it for him.
> I create a jira to make sure this is in our default
>
> On February 20, 2017 at 16:47:29, Otto Fowler (ottobackwards@gmail.com)
> wrote:

Re: custom date format required for snort, but not working

Posted by Otto Fowler <ot...@gmail.com>.
That is what I’m going to do in the jira



On February 21, 2017 at 10:06:24, Michael Miklavcic (
michael.miklavcic@gmail.com) wrote:

We decided at some point that given that there is an option in Snort to
enable years in the timestamp that this was the best option for handling
the dates. This should already be the default for Vagrant.

On Tue, Feb 21, 2017 at 5:59 AM, Otto Fowler <ot...@gmail.com>
wrote:

> ok -
>
> # Configure Snort to show year in timestamps
> config show_year
>
> looks like it fixed it for him.
> I create a jira to make sure this is in our default
>
> On February 20, 2017 at 16:47:29, Otto Fowler (ottobackwards@gmail.com)
> wrote:

Re: custom date format required for snort, but not working

Posted by Michael Miklavcic <mi...@gmail.com>.
We decided at some point that given that there is an option in Snort to
enable years in the timestamp that this was the best option for handling
the dates. This should already be the default for Vagrant.

On Tue, Feb 21, 2017 at 5:59 AM, Otto Fowler <ot...@gmail.com>
wrote:

> ok -
>
> # Configure Snort to show year in timestamps
> config show_year
>
> looks like it fixed it for him.
> I create a jira to make sure this is in our default
>
> On February 20, 2017 at 16:47:29, Otto Fowler (ottobackwards@gmail.com)
> wrote:

Re: custom date format required for snort, but not working

Posted by Kyle Richardson <ky...@gmail.com>.
You're correct, a ZonedDateTime requires a year. I ran into this when
parsing the RFC3164 syslog timestamps.

Glad he was able to find the config option to enable the year in Snort.

-Kyle

On Tue, Feb 21, 2017 at 7:59 AM, Otto Fowler <ot...@gmail.com>
wrote:

> ok -
>
> # Configure Snort to show year in timestamps
> config show_year
>
> looks like it fixed it for him.
> I create a jira to make sure this is in our default
>
> On February 20, 2017 at 16:47:29, Otto Fowler (ottobackwards@gmail.com)
> wrote:

Re: custom date format required for snort, but not working

Posted by Otto Fowler <ot...@gmail.com>.
ok -

# Configure Snort to show year in timestamps
config show_year

looks like it fixed it for him.
I create a jira to make sure this is in our default

On February 20, 2017 at 16:47:29, Otto Fowler (ottobackwards@gmail.com)
wrote:
