change timestamp handling when alertifying

We now want to provide the time of the original event that led to the
generated alert as "timestamp_event" in the produced EVE-JSON, while
updating the regular "timestamp" field with the the alertification time,
to make these two events distinguishable.

Author: satta

util/alertifier.go

@@ -112,27 +112,38 @@ func (a *Alertifier) MakeAlert(inputEvent types.Entry, ioc string,
 	}
 
 	// ensure consistent timestamp formatting: try to parse as Suricata timestamp
+	eventTimestampFormatted := newEntry.Timestamp
 	inTimestampParsed, err := time.Parse(types.SuricataTimestampFormat, newEntry.Timestamp)
 	if err != nil {
 		// otherwise try to parse without zone information
 		inTimestampParsed, err = time.Parse("2006-01-02T15:04:05.999999", newEntry.Timestamp)
 		if err == nil {
-			suriTimestampFormatted := inTimestampParsed.Format(types.SuricataTimestampFormat)
-			escapedTimestamp, err := EscapeJSON(suriTimestampFormatted)
-			if err != nil {
-				return nil, err
-			}
-			l, err = jsonparser.Set([]byte(newEntry.JSONLine), escapedTimestamp, "timestamp")
-			if err != nil {
-				return nil, err
-			}
-			newEntry.Timestamp = suriTimestampFormatted
-			newEntry.JSONLine = string(l)
+			eventTimestampFormatted = inTimestampParsed.Format(types.SuricataTimestampFormat)
 		} else {
 			log.Warningf("keeping non-offset timestamp '%s', could not be transformed: %s", newEntry.Timestamp, err.Error())
 		}
 	}
-
+	// Set received original timestamp as "timestamp_event" field
+	escapedTimestamp, err := EscapeJSON(eventTimestampFormatted)
+	if err != nil {
+		return nil, err
+	}
+	l, err = jsonparser.Set([]byte(newEntry.JSONLine), escapedTimestamp, "timestamp_event")
+	if err != nil {
+		return nil, err
+	}
+	// Add current (alerting) timestamp as "timestamp" field
+	nowTimestampEscaped, err := EscapeJSON(time.Now().UTC().Format(types.SuricataTimestampFormat))
+	if err != nil {
+		return nil, err
+	}
+	l, err = jsonparser.Set(l, []byte(nowTimestampEscaped), "timestamp")
+	if err != nil {
+		return nil, err
+	}
+	// update returned entry
+	newEntry.Timestamp = eventTimestampFormatted
+	newEntry.JSONLine = string(l)
 	return &newEntry, nil
 }
 

util/alertifier_test.go

@@ -1,7 +1,7 @@
 package util
 
 // DCSO FEVER
-// Copyright (c) 2020, DCSO GmbH
+// Copyright (c) 2020, 2021, DCSO GmbH
 
 import (
 	"encoding/json"
@@ -17,12 +17,13 @@ import (
 )
 
 func makeTestHTTPEvent(host string, url string) types.Entry {
+	testTime, _ := time.Parse("2006-Jan-02", "2013-Feb-03")
 	e := types.Entry{
 		SrcIP:      fmt.Sprintf("10.0.0.%d", rand.Intn(5)+1),
 		SrcPort:    int64(rand.Intn(60000) + 1025),
 		DestIP:     fmt.Sprintf("10.0.0.%d", rand.Intn(50)),
 		DestPort:   80,
-		Timestamp:  time.Now().Format(types.SuricataTimestampFormat),
+		Timestamp:  testTime.Format(types.SuricataTimestampFormat),
 		EventType:  "http",
 		Proto:      "TCP",
 		HTTPHost:   host,
@@ -100,6 +101,24 @@ func checkAlertifierAlerts(t *testing.T, a *types.Entry, msg string, ioc string)
 	if resAlert.ExtraInfo.VastIOC != ioc {
 		t.Fatalf("wrong ioc ('%s' <-> '%s')", resAlert.ExtraInfo.VastIOC, ioc)
 	}
+	eventTimeVal, _, _, err := jsonparser.Get([]byte(a.JSONLine), "timestamp_event")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if string(eventTimeVal) != "2013-02-03T00:00:00+0000" {
+		t.Fatalf("wrong event timestamp ('%s' <-> '%s')", string(eventTimeVal), "2013-02-03T00:00:00+0000")
+	}
+	alertTimeVal, _, _, err := jsonparser.Get([]byte(a.JSONLine), "timestamp")
+	if err != nil {
+		t.Fatal(err)
+	}
+	alertTime, err := time.Parse(types.SuricataTimestampFormat, string(alertTimeVal))
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !alertTime.Add(48 * time.Hour).After(time.Now()) {
+		t.Fatalf("wrong alert unexpected ('%s' < '%s')", alertTime.Add(48*time.Hour), time.Now())
+	}
 }
 
 func testExtraModifier(inputAlert *types.Entry, ioc string) error {