question about printing timestamps

I received a question privately about formatting timestamps in a human-readable manner the other day and I thought I'd answer the question a bit more publicly.

To format "time" values as human-readable, you can use either %D or %T in calls to fmt(). Like this:
  fmt("%D", network_time());

Hopefully this helps someone. We'll try to make sure that things like this will be documented for the next release.

  .Seth

fwiw, an equivalent to strptime would be very helpful. I guess it gets into the philosophy
of what Bro should do and what should be a part of a log management solution. The
case where this came up was in smtp Received: headers. I’d like Bro to determine
whether a message is a retransmission based on comparing network_time() to the
date in the header – mind this is irritating because those headers can be more or less
arbitrary …

Stamp = From-domain By-domain Opt-info ";"  FWS date-time

      ; where "date-time" is as defined in [32]
      ; but the "obs-" forms, especially two-digit
      ; years, are prohibited in SMTP and MUST NOT be used.

That, from the RFC (2821) should make it pretty easy to find and strptime the format, although it may also need to be able to try several candidate formats…

The more I look at it, the more comfortable I am with it:

RFC 2821, 3.3. Date and Time Specification

date-time = [ day-of-week "," ] date FWS time [CFWS]
day-of-week = ([FWS] day-name) / obs-day-of-week

day-name        =       "Mon" / "Tue" / "Wed" / "Thu" /
                        "Fri" / "Sat" / "Sun"
date            =       day month year
year            =       4*DIGIT / obs-year
month           =       (FWS month-name FWS) / obs-month
month-name      =       "Jan" / "Feb" / "Mar" / "Apr" /
                        "May" / "Jun" / "Jul" / "Aug" /
                        "Sep" / "Oct" / "Nov" / "Dec"
day             =       ([FWS] 1*2DIGIT) / obs-day
time            =       time-of-day FWS zone
time-of-day     =       hour ":" minute [ ":" second ]
hour            =       2DIGIT / obs-hour
minute          =       2DIGIT / obs-minute
second          =       2DIGIT / obs-second
zone            =       (( "+" / "-" ) 4DIGIT) / obs-zone

So yeah, a strptime() would be pretty helpful, I haven’t spent enough time to grok the
Bro policy script parser to see how hard it would be to add…

Oh, why do I want to check for retransmissions? Our silly mail server tries
very hard to deliver spam, retrying frequently for ~ 48 hrs. Hopefully not
a common problem! But there are likely other uses…

At this point I’m waiting for someone to respond, “Actually, there is a strptime…”

Chris

Heh, I wish I could tell you that. File a ticket and we'll see if we can do a strptime built-in function that basically just wraps the C function. It seems like it should be fairly straightforward. No promises on the next release, but if it's filed we'll certainly consider it.

  .Seth
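Putting Chris's two ideas together (try several candidate date-time layouts, then compare the parsed stamp against network_time()) with Seth's suggestion of simply wrapping the C strptime(), here is an added C example. It is not code from the thread, from Bro, or from Bro's built-in functions; the Received header, host names and id are constructed, the candidate format list is an assumption based on the RFC grammar quoted above, the zone offset is parsed by hand rather than with the non-portable %z, and the UTC conversion uses a days-from-civil calculation instead of the non-standard timegm().

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* strptime() is POSIX but glibc hides it behind feature macros; declaring it
   here keeps the example compiling whatever macros happen to be in effect. */
char *strptime(const char *s, const char *format, struct tm *tm);

/* Candidate layouts for the RFC 2822 "date-time" rule quoted in the thread
   (assumed list): optional day-of-week, optional seconds. The zone is
   handled separately because %z is not portable across strptime() builds. */
static const char *const CANDIDATE_FORMATS[] = {
    "%a, %d %b %Y %H:%M:%S",
    "%a, %d %b %Y %H:%M",
    "%d %b %Y %H:%M:%S",
    "%d %b %Y %H:%M",
};

/* Days since 1970-01-01 for a Gregorian civil date (Hinnant's algorithm). */
static long days_from_civil(int y, int m, int d)
{
    y -= m <= 2;
    long era = (y >= 0 ? y : y - 399) / 400;
    long yoe = y - era * 400;
    long doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    long doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

/* Parse "+HHMM" / "-HHMM" into seconds east of UTC; *ok = 0 if malformed. */
static long parse_zone(const char *s, int *ok)
{
    while (isspace((unsigned char)*s)) s++;
    int sign = (*s == '+') ? 1 : (*s == '-') ? -1 : 0;
    *ok = 0;
    if (sign == 0) return 0;
    s++;
    for (int i = 0; i < 4; i++)
        if (!isdigit((unsigned char)s[i])) return 0;
    *ok = 1;
    return sign * (((s[0] - '0') * 10 + (s[1] - '0')) * 3600L
                 + ((s[2] - '0') * 10 + (s[3] - '0')) * 60L);
}

/* Try each candidate format; on success store the UTC epoch in *out and return 1. */
int parse_rfc2822_datetime(const char *s, time_t *out)
{
    size_t n = sizeof CANDIDATE_FORMATS / sizeof CANDIDATE_FORMATS[0];
    for (size_t i = 0; i < n; i++) {
        struct tm tm;
        memset(&tm, 0, sizeof tm);
        const char *rest = strptime(s, CANDIDATE_FORMATS[i], &tm);
        if (rest == NULL) continue;           /* this layout did not match */
        int ok;
        long off = parse_zone(rest, &ok);
        if (!ok) continue;                    /* matched, but no valid zone follows */
        long days = days_from_civil(tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday);
        long wall = days * 86400L + tm.tm_hour * 3600L + tm.tm_min * 60L + tm.tm_sec;
        *out = (time_t)(wall - off);          /* wall-clock minus zone offset = UTC */
        return 1;
    }
    return 0;
}

/* Convenience wrapper: the epoch, or 0 when no candidate format matched. */
time_t parse_or_zero(const char *s)
{
    time_t t;
    return parse_rfc2822_datetime(s, &t) ? t : (time_t)0;
}

/* The Stamp rule ends with ";" FWS date-time, so the timestamp is whatever
   follows the last semicolon of the Received header value. */
const char *received_datetime(const char *header)
{
    const char *p = strrchr(header, ';');
    if (p == NULL) return NULL;
    for (p++; isspace((unsigned char)*p); p++) ;
    return p;
}

/* 1 if the header's stamp is older than max_age seconds at network_time,
   0 if it is fresh, -1 if the header cannot be parsed at all. */
int is_retransmission(const char *header, time_t network_time, double max_age)
{
    const char *dt = received_datetime(header);
    time_t stamp;
    if (dt == NULL || !parse_rfc2822_datetime(dt, &stamp)) return -1;
    return difftime(network_time, stamp) > max_age;
}

/* Constructed sample header: hypothetical hosts, documentation IP range, made-up id. */
static const char SAMPLE_RECEIVED[] =
    "from mail.example.com (mail.example.com [192.0.2.10]) "
    "by mx.example.net with ESMTP id 1AbCdE; "
    "Mon, 12 Mar 2012 10:15:30 -0700";

int main(void)
{
    time_t now = (time_t)1331572530 + 3 * 3600;   /* constructed stand-in for network_time() */
    printf("stamp=%ld retransmission=%d\n",
           (long)parse_or_zero(received_datetime(SAMPLE_RECEIVED)),
           is_retransmission(SAMPLE_RECEIVED, now, 600.0));
    return 0;
}
```

The format list is tried in order with the seconds-bearing layouts first, because strptime() stops at the first mismatch and "%H:%M" would otherwise accept "10:15:30" and leave ":30" where the zone should be; the explicit zone check then rejects that leftover. Anything the candidates cannot parse is reported as -1 rather than silently treated as fresh, so unparseable headers can be counted separately from real retransmissions.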