[Bro] question about printing timestamps
Hartley, Christopher J.
hartley.87 at osu.edu
Wed Mar 16 11:27:21 PDT 2011
fwiw, an equivalent to strptime would be very helpful. I guess it gets into the philosophy
of what Bro should do and what should be a part of a log management solution. The
case where this came up was in smtp Received: headers. I'd like Bro to determine
whether a message is a retransmission based on comparing network_time() to the
date in the header -- mind this is irritating because those headers can be more or less
Stamp = From-domain By-domain Opt-info ";" FWS date-time
; where "date-time" is as defined in 
; but the "obs-" forms, especially two-digit
; years, are prohibited in SMTP and MUST NOT be used.
That, from the RFC (2821), should make it pretty easy to find and strptime the format, although
it may also need to be able to try several candidate formats....
The more I look at it, the more comfortable I am with it:
RFC 2821, 3.3. Date and Time Specification
date-time = [ day-of-week "," ] date FWS time [CFWS]
day-of-week = ([FWS] day-name) / obs-day-of-week
day-name = "Mon" / "Tue" / "Wed" / "Thu" /
"Fri" / "Sat" / "Sun"
date = day month year
year = 4*DIGIT / obs-year
month = (FWS month-name FWS) / obs-month
month-name = "Jan" / "Feb" / "Mar" / "Apr" /
"May" / "Jun" / "Jul" / "Aug" /
"Sep" / "Oct" / "Nov" / "Dec"
day = ([FWS] 1*2DIGIT) / obs-day
time = time-of-day FWS zone
time-of-day = hour ":" minute [ ":" second ]
hour = 2DIGIT / obs-hour
minute = 2DIGIT / obs-minute
second = 2DIGIT / obs-second
zone = (( "+" / "-" ) 4DIGIT) / obs-zone
So yeah, a strptime() would be pretty helpful; I haven't spent enough time to grok the
Bro policy script parser to see how hard it would be to add...
Oh, why do I want to check for retransmissions? Our silly mail server tries
very hard to deliver spam, retrying frequently for ~ 48 hrs. Hopefully not
a common problem! But there are likely other uses...
At this point I'm waiting for someone to respond, "Actually, there is a strptime..."
On Mar 16, 2011, at 1:57 PM, Seth Hall wrote:
I received a question privately about formatting timestamps in a human readable manner the other day and I thought I'd answer the question a bit more publicly.
To format "time" values as human readable, you can use either %D or %T in calls to fmt(). Like this:
Hopefully this helps someone. We'll try to make sure that things like this will be documented for the next release.
International Computer Science Institute
(Bro) because everyone has a network
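As an added illustration of the parsing problem Hartley describes (not code from the thread, from Bro, or from Seth Hall's scrubbed example), here is the same logic in Python rather than Bro script: take the date-time after the last ";" of a Received: stamp, collapse folding whitespace, try the strict RFC 2821 date-time forms as candidate strptime() formats, fall back to email.utils for the obs- forms real mail still carries, and compare the result to the observed network time. The sample headers, the NETWORK_TIME value and the 60-second retransmission threshold are constructed for the example; the function names are my own.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Candidate strptime() formats for the RFC 2821/2822 date-time production:
#   [ day-of-week "," ] day month year hour ":" minute [ ":" second ] zone
# Strict forms first; the obsolete ("obs-") variants are deliberately absent.
CANDIDATE_FORMATS = (
    "%a, %d %b %Y %H:%M:%S %z",
    "%d %b %Y %H:%M:%S %z",
    "%a, %d %b %Y %H:%M %z",
    "%d %b %Y %H:%M %z",
)


def extract_stamp_date(received: str) -> str:
    """Return the date-time of a Received: stamp (everything after the last ';'),
    with folding whitespace (FWS, including CRLF + tab) collapsed to one space."""
    _, sep, date_part = received.rpartition(";")
    if not sep:
        raise ValueError("Received: stamp has no ';' before the date-time")
    return re.sub(r"\s+", " ", date_part).strip()


def parse_stamp_date(received: str) -> datetime:
    """Try each candidate format in turn; on failure fall back to email.utils,
    which also accepts the obs- forms (two-digit years, named zones such as GMT)
    that RFC 2821 prohibits but that real mail servers still emit."""
    text = extract_stamp_date(received)
    for fmt in CANDIDATE_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    parsed = parsedate_to_datetime(text)
    if parsed.tzinfo is None:
        # A "-0000" zone comes back naive; treat it as UTC so comparisons work.
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def stamp_age(received: str, network_time: datetime) -> float:
    """Seconds between the stamp and the time the message was seen on the wire
    (positive means the stamp is older than the observation)."""
    return (network_time - parse_stamp_date(received)).total_seconds()


def looks_like_retransmission(received: str, network_time: datetime,
                              max_age_seconds: float = 60.0) -> bool:
    """A stamp much older than the observed network time suggests a retried
    delivery. The 60-second default is an assumed threshold, not a standard."""
    return stamp_age(received, network_time) > max_age_seconds


# Constructed sample stamps (not real traffic); the first is folded across lines.
SAMPLE_FRESH = ("from mail.example.net (mail.example.net [192.0.2.10]) by mx.example.org "
                "with ESMTP id ABC123;\r\n\tWed, 16 Mar 2011 11:27:21 -0700")
SAMPLE_OBS = "from relay.example.net by mx.example.org; 16 Mar 11 18:27:21 GMT"
# Constructed stand-in for Bro's network_time(): 3 minutes after both stamps.
NETWORK_TIME = datetime(2011, 3, 16, 18, 30, 21, tzinfo=timezone.utc)

if __name__ == "__main__":
    for header in (SAMPLE_FRESH, SAMPLE_OBS):
        print(parse_stamp_date(header).isoformat(),
              stamp_age(header, NETWORK_TIME),
              looks_like_retransmission(header, NETWORK_TIME))
```

The order of CANDIDATE_FORMATS matters only for speed, since the strict forms do not overlap; the fallback is where the real leniency lives, and a policy that cares about the "MUST NOT" in RFC 2821 can log which path matched rather than silently accepting the obs- forms.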