Date Parse Fail

Trying to ingest the below event:

{"modified": "2019-12-27 16:08:00", "published": "2015-03-08 02:59:00", "access": {"authentication": "none", "complexity": "low", "vector": "network"}, "assigner": "cve@mitre.org", "capec": [], "cvss": 5.0, "cvss-time": "2019-12-27 16:08:00", "cvss-vector": "av:n/ac:l/au:n/c:n/i:n/a:p", "cwe": "cwe-189", "id": "cve-2015-2189", "impact": {"availability": "partial", "confidentiality": "none", "integrity": "none"}, "last-modified": {"$date": 1577462880000}, "redhat": {"advisories": [{"rhsa": {"id": "rhsa-2015:1460"}}], "rpms": ["wireshark-0:1.8.10-17.el6", "wireshark-debuginfo-0:1.8.10-17.el6", "wireshark-devel-0:1.8.10-17.el6", "wireshark-gnome-0:1.8.10-17.el6", "wireshark-0:1.10.14-7.el7", "wireshark-debuginfo-0:1.10.14-7.el7", "wireshark-devel-0:1.10.14-7.el7", "wireshark-gnome-0:1.10.14-7.el7"]}, "references": ["http://advisories.mageia.org/mgasa-2015-0117.html", "http://lists.opensuse.org/opensuse-updates/2015-03/msg00038.html", "http://rhn.redhat.com/errata/rhsa-2015-1460.html", "http://www.debian.org/security/2015/dsa-3210", "http://www.mandriva.com/security/advisories?name=mdvsa-2015:183", "http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html", "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html", "http://www.securityfocus.com/bid/72944", "http://www.securitytracker.com/id/1031858", "http://www.wireshark.org/security/wnpa-sec-2015-08.html", "https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10895", "https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=a835c85e3d662343d7283f1dcdacb8a11d1d0727", "https://security.gentoo.org/glsa/201510-03"], "refmap": {"bid": ["72944"], "confirm": ["http://advisories.mageia.org/mgasa-2015-0117.html", "http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html", "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html", "http://www.wireshark.org/security/wnpa-sec-2015-08.html", 
"https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10895", "https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=a835c85e3d662343d7283f1dcdacb8a11d1d0727"], "debian": ["dsa-3210"], "gentoo": ["glsa-201510-03"], "mandriva": ["mdvsa-2015:183"], "sectrack": ["1031858"], "suse": ["opensuse-su-2015:0489"]}, "summary": "off-by-one error in the pcapng_read function in wiretap/pcapng.c in the pcapng file parser in wireshark 1.10.x before 1.10.13 and 1.12.x before 1.12.4 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via an invalid interface statistics block (isb) interface id in a crafted packet.", "vulnerable_configuration": [{"id": "cpe:2.3:a:wireshark:wireshark:1.10.0:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.10.0:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:a:wireshark:wireshark:1.10.1:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.10.1:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:a:wireshark:wireshark:1.10.2:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.10.2:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:a:wireshark:wireshark:1.10.3:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.10.3:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:a:wireshark:wireshark:1.10.4:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.10.4:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:a:wireshark:wireshark:1.10.5:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.10.5:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:a:wireshark:wireshark:1.10.6:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.10.6:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:a:wireshark:wireshark:1.10.7:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.10.7:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:a:wireshark:wireshark:1.10.8:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.10.8:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:a:wireshark:wireshark:1.10.9:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.10.9:*:*:*:*:*:*:*"}, {"id": 
"cpe:2.3:a:wireshark:wireshark:1.10.10:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.10.10:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:a:wireshark:wireshark:1.10.11:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.10.11:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:a:wireshark:wireshark:1.10.12:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.10.12:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:a:wireshark:wireshark:1.12.0:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.12.0:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:a:wireshark:wireshark:1.12.1:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.12.1:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:a:wireshark:wireshark:1.12.2:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.12.2:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:a:wireshark:wireshark:1.12.3:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.12.3:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:o:oracle:linux:7:*:*:*:*:*:*:*", "title": "cpe:2.3:o:oracle:linux:7:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:o:oracle:solaris:11.2:*:*:*:*:*:*:*", "title": "cpe:2.3:o:oracle:solaris:11.2:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*", "title": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*", "title": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "title": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "title": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:o:mageia:mageia:4.0:*:*:*:*:*:*:*", "title": "cpe:2.3:o:mageia:mageia:4.0:*:*:*:*:*:*:*"}], "vulnerable_configuration_cpe_2_2": [], "vulnerable_product": ["cpe:2.3:a:wireshark:wireshark:1.10.0:*:*:*:*:*:*:*", "cpe:2.3:a:wireshark:wireshark:1.10.1:*:*:*:*:*:*:*", "cpe:2.3:a:wireshark:wireshark:1.10.2:*:*:*:*:*:*:*", "cpe:2.3:a:wireshark:wireshark:1.10.3:*:*:*:*:*:*:*", "cpe:2.3:a:wireshark:wireshark:1.10.4:*:*:*:*:*:*:*", 
"cpe:2.3:a:wireshark:wireshark:1.10.5:*:*:*:*:*:*:*", "cpe:2.3:a:wireshark:wireshark:1.10.6:*:*:*:*:*:*:*", "cpe:2.3:a:wireshark:wireshark:1.10.7:*:*:*:*:*:*:*", "cpe:2.3:a:wireshark:wireshark:1.10.8:*:*:*:*:*:*:*", "cpe:2.3:a:wireshark:wireshark:1.10.9:*:*:*:*:*:*:*", "cpe:2.3:a:wireshark:wireshark:1.10.10:*:*:*:*:*:*:*", "cpe:2.3:a:wireshark:wireshark:1.10.11:*:*:*:*:*:*:*", "cpe:2.3:a:wireshark:wireshark:1.10.12:*:*:*:*:*:*:*", "cpe:2.3:a:wireshark:wireshark:1.12.0:*:*:*:*:*:*:*", "cpe:2.3:a:wireshark:wireshark:1.12.1:*:*:*:*:*:*:*", "cpe:2.3:a:wireshark:wireshark:1.12.2:*:*:*:*:*:*:*", "cpe:2.3:a:wireshark:wireshark:1.12.3:*:*:*:*:*:*:*", "cpe:2.3:o:oracle:linux:7:*:*:*:*:*:*:*", "cpe:2.3:o:oracle:solaris:11.2:*:*:*:*:*:*:*", "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*", "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:mageia:mageia:4.0:*:*:*:*:*:*:*"]}

with this config:

input {
  file {
    # Read each matched file once from start to end instead of tailing it.
    mode => "read"
    # Glob evaluated from the filesystem root: every entry directly under / whose
    # name contains a dot is picked up.
    path => "/*.*"
    # Seconds between re-checks of the matched files.
    stat_interval => 2
    # Bytes read per pass. A line is only emitted once the delimiter (newline by
    # default) has been seen, so a file with no trailing newline never produces an event.
    file_chunk_size => 512000
    # NOTE(review): in read mode the plugin's file_completed_action defaults to
    # "delete", i.e. each file is removed after it has been read. Confirm that is
    # intended for files matched from /, or set it to "log".
  }
}
filter {
  # First turn the raw line held in "message" into structured fields.
  json {
    source => "message"
  }
  # Then parse the "published" string into @timestamp (no target is given, so the
  # default @timestamp is overwritten).
  # NOTE(review): the pattern carries no zone, so the host's local timezone is
  # assumed unless `timezone` is set; field names are case-sensitive, so a
  # "Published" field would not be matched.
  date {
    match => [ "published", "yyyy-MM-dd HH:mm:ss" ]
  }
}

and getting this error:

[filewatch.readmode.handlers.readfile] buffer_extract: a delimiter can't be found in current chunk, maybe there are no more delimiters or the delimiter is incorrect or the text before the delimiter, a 'line', is very large, if this message is logged often try increasing the `file_chunk_size` setting. {"delimiter"=>"\n", "read_position"=>0, "bytes_read_count"=>6905, "last_known_file_size"=>6905, "file_path"=>"/1cve.json"}

I have a dataset of over 46k events and three of these have this date parse failure. These three events are not the longest events, nor do they come at the beginning or end of a file...so I'm not sure what the problem is. All these events actually reside in a single file.

What am I missing??

The error tells you that you have a file called "/1cve.json" that is 6,905 bytes long, that the input has consumed 6,905 bytes (i.e. the entire file) but it has not found a newline — in other words, the file has no trailing newline to act as the line delimiter, so no event is ever emitted from it. I suggest you take a close look at that file.

The error is from me pulling the event out of the big file and sticking it in 1cve.json. I've ensured its encoding is UTF-8 and Notepad++ shows it's properly formatted JSON. I'm really at a loss as to where the issue is. Below is the full event; maybe someone can see what I'm missing?

{"Modified": "2019-12-27 16:08:00", "Published": "2015-03-08 02:59:00", "access": {"authentication": "NONE", "complexity": "LOW", "vector": "NETWORK"}, "assigner": "cve@mitre.org", "capec": [], "cvss": 5.0, "cvss-time": "2019-12-27 16:08:00", "cvss-vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "cwe": "CWE-189", "id": "CVE-2015-2189", "impact": {"availability": "PARTIAL", "confidentiality": "NONE", "integrity": "NONE"}, "last-modified": {"$date": 1577462880000}, "redhat": {"advisories": [{"rhsa": {"id": "RHSA-2015:1460"}}], "rpms": ["wireshark-0:1.8.10-17.el6", "wireshark-debuginfo-0:1.8.10-17.el6", "wireshark-devel-0:1.8.10-17.el6", "wireshark-gnome-0:1.8.10-17.el6", "wireshark-0:1.10.14-7.el7", "wireshark-debuginfo-0:1.10.14-7.el7", "wireshark-devel-0:1.10.14-7.el7", "wireshark-gnome-0:1.10.14-7.el7"]}, "references": ["http://advisories.mageia.org/MGASA-2015-0117.html", "http://lists.opensuse.org/opensuse-updates/2015-03/msg00038.html", "http://rhn.redhat.com/errata/RHSA-2015-1460.html", "http://www.debian.org/security/2015/dsa-3210", "http://www.mandriva.com/security/advisories?name=MDVSA-2015:183", "http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html", "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html", "http://www.securityfocus.com/bid/72944", "http://www.securitytracker.com/id/1031858", "http://www.wireshark.org/security/wnpa-sec-2015-08.html", "https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10895", "https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=a835c85e3d662343d7283f1dcdacb8a11d1d0727", "https://security.gentoo.org/glsa/201510-03"], "refmap": {"bid": ["72944"], "confirm": ["http://advisories.mageia.org/MGASA-2015-0117.html", "http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html", "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html", "http://www.wireshark.org/security/wnpa-sec-2015-08.html", 
"https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10895", "https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=a835c85e3d662343d7283f1dcdacb8a11d1d0727"], "debian": ["DSA-3210"], "gentoo": ["GLSA-201510-03"], "mandriva": ["MDVSA-2015:183"], "sectrack": ["1031858"], "suse": ["openSUSE-SU-2015:0489"]}, "summary": "Off-by-one error in the pcapng_read function in wiretap/pcapng.c in the pcapng file parser in Wireshark 1.10.x before 1.10.13 and 1.12.x before 1.12.4 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via an invalid Interface Statistics Block (ISB) interface ID in a crafted packet.", "vulnerable_configuration": [{"id": "cpe:2.3:a:wireshark:wireshark:1.10.0:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.10.0:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:a:wireshark:wireshark:1.10.1:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.10.1:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:a:wireshark:wireshark:1.10.2:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.10.2:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:a:wireshark:wireshark:1.10.3:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.10.3:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:a:wireshark:wireshark:1.10.4:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.10.4:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:a:wireshark:wireshark:1.10.5:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.10.5:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:a:wireshark:wireshark:1.10.6:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.10.6:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:a:wireshark:wireshark:1.10.7:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.10.7:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:a:wireshark:wireshark:1.10.8:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.10.8:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:a:wireshark:wireshark:1.10.9:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.10.9:*:*:*:*:*:*:*"}, {"id": 
"cpe:2.3:a:wireshark:wireshark:1.10.10:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.10.10:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:a:wireshark:wireshark:1.10.11:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.10.11:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:a:wireshark:wireshark:1.10.12:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.10.12:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:a:wireshark:wireshark:1.12.0:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.12.0:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:a:wireshark:wireshark:1.12.1:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.12.1:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:a:wireshark:wireshark:1.12.2:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.12.2:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:a:wireshark:wireshark:1.12.3:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.12.3:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:o:oracle:linux:7:*:*:*:*:*:*:*", "title": "cpe:2.3:o:oracle:linux:7:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:o:oracle:solaris:11.2:*:*:*:*:*:*:*", "title": "cpe:2.3:o:oracle:solaris:11.2:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*", "title": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*", "title": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "title": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "title": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:o:mageia:mageia:4.0:*:*:*:*:*:*:*", "title": "cpe:2.3:o:mageia:mageia:4.0:*:*:*:*:*:*:*"}], "vulnerable_configuration_cpe_2_2": [], "vulnerable_product": ["cpe:2.3:a:wireshark:wireshark:1.10.0:*:*:*:*:*:*:*", "cpe:2.3:a:wireshark:wireshark:1.10.1:*:*:*:*:*:*:*", "cpe:2.3:a:wireshark:wireshark:1.10.2:*:*:*:*:*:*:*", "cpe:2.3:a:wireshark:wireshark:1.10.3:*:*:*:*:*:*:*", "cpe:2.3:a:wireshark:wireshark:1.10.4:*:*:*:*:*:*:*", 
"cpe:2.3:a:wireshark:wireshark:1.10.5:*:*:*:*:*:*:*", "cpe:2.3:a:wireshark:wireshark:1.10.6:*:*:*:*:*:*:*", "cpe:2.3:a:wireshark:wireshark:1.10.7:*:*:*:*:*:*:*", "cpe:2.3:a:wireshark:wireshark:1.10.8:*:*:*:*:*:*:*", "cpe:2.3:a:wireshark:wireshark:1.10.9:*:*:*:*:*:*:*", "cpe:2.3:a:wireshark:wireshark:1.10.10:*:*:*:*:*:*:*", "cpe:2.3:a:wireshark:wireshark:1.10.11:*:*:*:*:*:*:*", "cpe:2.3:a:wireshark:wireshark:1.10.12:*:*:*:*:*:*:*", "cpe:2.3:a:wireshark:wireshark:1.12.0:*:*:*:*:*:*:*", "cpe:2.3:a:wireshark:wireshark:1.12.1:*:*:*:*:*:*:*", "cpe:2.3:a:wireshark:wireshark:1.12.2:*:*:*:*:*:*:*", "cpe:2.3:a:wireshark:wireshark:1.12.3:*:*:*:*:*:*:*", "cpe:2.3:o:oracle:linux:7:*:*:*:*:*:*:*", "cpe:2.3:o:oracle:solaris:112:*:*:*:*:*:*:*", "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*", "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:mageia:mageia:4.0:*:*:*:*:*:*:*"]}
