Posted to issues@metron.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2016/08/25 18:07:20 UTC

[jira] [Commented] (METRON-395) Metron Bro parser not parsing some timestamp values

    [ https://issues.apache.org/jira/browse/METRON-395?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15437354#comment-15437354 ] 

ASF GitHub Bot commented on METRON-395:
---------------------------------------

GitHub user mmiklavc opened a pull request:

    https://github.com/apache/incubator-metron/pull/232

    METRON-395 Fix Metron Bro parser not parsing some timestamp values

    This PR addresses https://issues.apache.org/jira/browse/METRON-395
    
    This fix corrects the BasicBroParser so that it will properly handle Double timestamp values that have less than 3 digits, e.g. 123.0, 123.1, 123.11. In the previous examples, the current code would throw an index out of bounds exception.
    
    Verified in full-dev-platform.
    
    **Testing:**
    
    - Deploy the bro parser topology.
    - Add a record to dns.log or http.log with a ts value that has less than 3 significant decimal places.
    - Confirm the record(s) make it into indexing.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/mmiklavc/incubator-metron METRON-395

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/incubator-metron/pull/232.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #232
    
----
commit 4e227eebbd174a262401f37d982a9a6acba71a41
Author: Michael Miklavcic <mi...@gmail.com>
Date:   2016-08-25T18:01:55Z

    METRON-395 Fix Metron Bro parser not parsing some timestamp values

----


> Metron Bro parser not parsing some timestamp values
> ---------------------------------------------------
>
>                 Key: METRON-395
>                 URL: https://issues.apache.org/jira/browse/METRON-395
>             Project: Metron
>          Issue Type: Bug
>            Reporter: Michael Miklavcic
>            Assignee: Michael Miklavcic
>
>  The bro parser fails to parse the following type of event:
> {"http": {"ts":1467657279.0,"uid":"CMYLzP3PKiwZAgBa51","id.orig_h":"192.168.138.158","id.orig_p":49206,"id.resp_h":"95.163.121.204", 
> "id.resp_p":80,"trans_depth":2,"method":"GET","host":"7oqnsnzwwnm6zb7y.gigapaysun.com","uri":"/img/flags/it.png","referrer":"http://7oqnsnzwwnm6zb7y.gigapaysun.com/11iQmfg","user_agent":"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)","request_body_len":0,"response_body_len":552,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["F3m7vB2RjUe4n01aqj"],"resp_mime_types":["image/png"]}} 
> In the current code, timestamps are converted to millis as a long, and performing the substring(0, 13) operation on a Double value such as 1467657279.0 as a string will cause an index out of bounds exception.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
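
The failure described in the issue, as an added example that is not taken from the Metron source or from the pull request. The class and method names are hypothetical, the fragile conversion is an assumed reconstruction of the substring(0, 13) pattern the issue describes, and the BigDecimal conversion is one length-independent alternative rather than the fix that was merged.

```java
import java.math.BigDecimal;

// Added illustration. Class and method names are hypothetical; this is not
// the BasicBroParser source.
public class BroTimestampExample {

    // Assumed shape of the fragile conversion: drop the decimal point and keep
    // the first 13 characters as epoch milliseconds. Only works when the value
    // has at least 13 digits in total, i.e. 10-digit epoch seconds with 3 or
    // more fractional digits.
    static long fragileToMillis(String rawTs) {
        return Long.parseLong(rawTs.replace(".", "").substring(0, 13));
    }

    // Length-independent conversion: scale seconds to milliseconds numerically
    // and truncate any sub-millisecond remainder.
    static long robustToMillis(String rawTs) {
        return new BigDecimal(rawTs).movePointRight(3).longValue();
    }

    public static void main(String[] args) {
        // The first four values come from the issue and PR text; the last one
        // is constructed to show a case where both conversions agree.
        String[] samples = {"1467657279.0", "123.0", "123.1", "123.11", "1467657279.123456"};
        for (String ts : samples) {
            String fragile;
            try {
                fragile = Long.toString(fragileToMillis(ts));
            } catch (StringIndexOutOfBoundsException e) {
                // In a parser, this exception means the whole record is lost.
                fragile = "StringIndexOutOfBoundsException";
            }
            System.out.printf("%-18s fragile=%-32s robust=%d%n", ts, fragile, robustToMillis(ts));
        }
    }
}
```

A record whose timestamp triggers the exception never reaches indexing, which is why the PR's test steps check that the record arrives there.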