Bug #2407: Fix timestamp offline when pcap timestamp is zero - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #2407

closed

Fix timestamp offline when pcap timestamp is zero

Added by Maurizio Abba over 6 years ago. Updated about 6 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Maurizio Abba

Target version:

4.1beta1

Affected Versions:

Effort:

Difficulty:

Label:

Description

In offline mode, if the pcap starting timestamp is 0, localtime will never be updated. This prevent setting cause cached_minutes_start and cached_local_time array in util-time.c.

The issue with this behavior is that timestamp will be skipped whenever is needed.

The solution is to force setting the timestamp when cached_minute_start (in both mru and lru position) is zero (i.e, it's never been set before). Doing this will allow us to remove the check in the localtime_r call, as it's returned value will never be NULL.

Files

fix-timestamp-offline.pcap (2.77 KB) fix-timestamp-offline.pcap

pcap downloading a generic .exe

Maurizio Abba, 01/11/2018 08:32 AM

Actions

Copy link

Updated by Maurizio Abba over 6 years ago

File fix-timestamp-offline.pcap fix-timestamp-offline.pcap added

Proof of bug:

1) setting a rule to
alert http any any -> any any (msg:"generic HTTP"; flow:established; content:"HTTP"; threshold: type limit, track by_src, count 5, seconds 180; sid:101; rev:1;)

2) Enable fast.log

3) run the attached pcap

expected behavior:

Content of the fast.log

01/01/1970-00:00:25.604731  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.60:40935 -> 37.58.69.140:80
01/01/1970-00:00:14.606462  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.60:38558 -> 91.189.94.25:80
01/01/1970-00:00:25.606468  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 37.58.69.140:80 -> 192.168.1.60:40935
01/01/1970-00:00:25.200630  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.60:58468 -> 216.34.181.59:80
01/01/1970-00:00:26.509235  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 216.34.181.59:80 -> 192.168.1.60:58468
01/01/1970-00:00:29.617101  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 91.189.94.25:80 -> 192.168.1.60:38558
01/01/1970-00:00:53.820300  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.60:47099 -> 46.43.34.31:80
01/01/1970-00:00:53.832951  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 46.43.34.31:80 -> 192.168.1.60:47099
01/01/1970-00:00:53.833516  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.60:47099 -> 46.43.34.31:80
01/01/1970-00:00:53.833516  [**] [1:102:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.60:47099 -> 46.43.34.31:80
01/01/1970-00:00:53.833516  [**] [1:103:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.60:47099 -> 46.43.34.31:80
01/01/1970-00:00:53.835299  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 46.43.34.31:80 -> 192.168.1.60:47099
01/01/1970-00:00:54.080403  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 46.43.34.31:80 -> 192.168.1.60:47099
01/01/1970-00:00:54.091562  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 46.43.34.31:80 -> 192.168.1.60:47099
01/01/1970-00:01:20.313349  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 91.189.95.36:80 -> 192.168.1.60:38407

obtained behavior

53.820300  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.60:47099 -> 46.43.34.31:80
25.604731  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.60:40935 -> 37.58.69.140:80
14.606462  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.60:38558 -> 91.189.94.25:80
53.832951  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 46.43.34.31:80 -> 192.168.1.60:47099
29.617101  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 91.189.94.25:80 -> 192.168.1.60:38558
25.606468  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 37.58.69.140:80 -> 192.168.1.60:40935
25.200630  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.60:58468 -> 216.34.181.59:80
26.509235  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 216.34.181.59:80 -> 192.168.1.60:58468
53.833516  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.60:47099 -> 46.43.34.31:80
53.833516  [**] [1:102:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.60:47099 -> 46.43.34.31:80
53.833516  [**] [1:103:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.60:47099 -> 46.43.34.31:80
53.835299  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 46.43.34.31:80 -> 192.168.1.60:47099
54.080403  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 46.43.34.31:80 -> 192.168.1.60:47099
54.091562  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 46.43.34.31:80 -> 192.168.1.60:47099
01/01/1970-01:01:20.313349  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 91.189.95.36:80 -> 192.168.1.60:38407

Actions

Copy link