Bug #2407

closed

Fix timestamp offline when pcap timestamp is zero

Added by Maurizio Abba almost 7 years ago. Updated almost 7 years ago.

Status: Closed
Priority: Normal

Description

In offline mode, if the pcap starting timestamp is 0, localtime will never be updated. This prevents cached_minutes_start and the cached_local_time array in util-time.c from ever being set.

The issue with this behavior is that the timestamp will be skipped whenever it is needed.

The solution is to force setting the timestamp when cached_minute_start (in both the mru and lru positions) is zero (i.e., it has never been set before). Doing this will allow us to remove the check on the localtime_r call, as its return value will never be NULL.
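
To illustrate the caching logic the report describes, here is an added example (not Suricata's util-time.c): a hypothetical two-slot MRU/LRU per-minute localtime cache whose slots start zeroed, with a switch between the reported behavior and the proposed "zero means never set" fix. It assumes TZ=UTC for deterministic output; cache_reset, cached_localtime and check_ts are names invented here.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
/* Hypothetical model of a two-slot (MRU/LRU) per-minute localtime cache, not Suricata's code. */
static time_t cached_minute_start[2];   /* zeroed at start, as a static array would be */
static struct tm cached_local_time[2];
static int mru, use_fix, refresh_count;

/* Reset the cache; fixed != 0 enables the "zero means never set" rule from the report. */
void cache_reset(int fixed)
{
    setenv("TZ", "UTC", 1);   /* deterministic localtime_r output */
    tzset();
    memset(cached_minute_start, 0, sizeof cached_minute_start);
    memset(cached_local_time, 0, sizeof cached_local_time);
    mru = 0; refresh_count = 0; use_fix = fixed;
}

/* Broken-down time for timep, calling localtime_r at most once per distinct minute. */
struct tm *cached_localtime(time_t timep, struct tm *result)
{
    int lru = 1 - mru, hit = -1;
    time_t minute_start = timep - timep % 60;
    if (cached_minute_start[mru] == minute_start) hit = mru;
    else if (cached_minute_start[lru] == minute_start) hit = lru;
    /* Bug: an unpopulated slot also holds 0, so a packet from the first minute of the
     * epoch "hits" a zeroed struct tm. Fix: a zero minute start always forces a refresh. */
    if (use_fix && hit >= 0 && cached_minute_start[hit] == 0) hit = -1;
    if (hit < 0) {
        if (localtime_r(&minute_start, &cached_local_time[lru]) == NULL) return NULL;
        cached_minute_start[lru] = minute_start;
        refresh_count++;
        hit = mru = lru;
    }
    *result = cached_local_time[hit];
    result->tm_sec = (int)(timep % 60);
    return result;
}

/* Format like fast.log (MM/DD/YYYY-HH:MM:SS) and compare with the expected string. */
int check_ts(time_t timep, const char *expect)
{
    struct tm t; char buf[32];
    if (cached_localtime(timep, &t) == NULL) return 0;
    snprintf(buf, sizeof buf, "%02d/%02d/%04d-%02d:%02d:%02d", t.tm_mon + 1, t.tm_mday,
             t.tm_year + 1900, t.tm_hour, t.tm_min, t.tm_sec);
    return strcmp(buf, expect) == 0;
}
```

With the fix disabled, a packet at 25 seconds into the epoch formats from the zeroed slot (year 1900, day 0) instead of 01/01/1970-00:00:25, which is the mangled timestamp shape seen in the "obtained behavior" log below.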


Files

fix-timestamp-offline.pcap (2.77 KB) - pcap downloading a generic .exe - Maurizio Abba, 01/11/2018 08:32 AM

#1

Updated by Maurizio Abba almost 7 years ago

Proof of bug:

1) setting a rule to
alert http any any -> any any (msg:"generic HTTP"; flow:established; content:"HTTP"; threshold: type limit, track by_src, count 5, seconds 180; sid:101; rev:1;)

2) Enable fast.log

3) run the attached pcap

expected behavior:

Content of the fast.log

01/01/1970-00:00:25.604731  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.60:40935 -> 37.58.69.140:80
01/01/1970-00:00:14.606462  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.60:38558 -> 91.189.94.25:80
01/01/1970-00:00:25.606468  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 37.58.69.140:80 -> 192.168.1.60:40935
01/01/1970-00:00:25.200630  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.60:58468 -> 216.34.181.59:80
01/01/1970-00:00:26.509235  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 216.34.181.59:80 -> 192.168.1.60:58468
01/01/1970-00:00:29.617101  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 91.189.94.25:80 -> 192.168.1.60:38558
01/01/1970-00:00:53.820300  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.60:47099 -> 46.43.34.31:80
01/01/1970-00:00:53.832951  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 46.43.34.31:80 -> 192.168.1.60:47099
01/01/1970-00:00:53.833516  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.60:47099 -> 46.43.34.31:80
01/01/1970-00:00:53.833516  [**] [1:102:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.60:47099 -> 46.43.34.31:80
01/01/1970-00:00:53.833516  [**] [1:103:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.60:47099 -> 46.43.34.31:80
01/01/1970-00:00:53.835299  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 46.43.34.31:80 -> 192.168.1.60:47099
01/01/1970-00:00:54.080403  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 46.43.34.31:80 -> 192.168.1.60:47099
01/01/1970-00:00:54.091562  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 46.43.34.31:80 -> 192.168.1.60:47099
01/01/1970-00:01:20.313349  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 91.189.95.36:80 -> 192.168.1.60:38407

obtained behavior:

53.820300  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.60:47099 -> 46.43.34.31:80
25.604731  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.60:40935 -> 37.58.69.140:80
14.606462  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.60:38558 -> 91.189.94.25:80
53.832951  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 46.43.34.31:80 -> 192.168.1.60:47099
29.617101  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 91.189.94.25:80 -> 192.168.1.60:38558
25.606468  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 37.58.69.140:80 -> 192.168.1.60:40935
25.200630  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.60:58468 -> 216.34.181.59:80
26.509235  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 216.34.181.59:80 -> 192.168.1.60:58468
53.833516  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.60:47099 -> 46.43.34.31:80
53.833516  [**] [1:102:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.60:47099 -> 46.43.34.31:80
53.833516  [**] [1:103:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.60:47099 -> 46.43.34.31:80
53.835299  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 46.43.34.31:80 -> 192.168.1.60:47099
54.080403  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 46.43.34.31:80 -> 192.168.1.60:47099
54.091562  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 46.43.34.31:80 -> 192.168.1.60:47099
01/01/1970-01:01:20.313349  [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 91.189.95.36:80 -> 192.168.1.60:38407
#2

Updated by Maurizio Abba almost 7 years ago

  • Status changed from New to Assigned
#3

Updated by Andreas Herz almost 7 years ago

  • Target version set to TBD
#4

Updated by Victor Julien almost 7 years ago

  • Status changed from Assigned to Closed
  • Target version changed from TBD to 4.1beta1