Bug #2407
closed
Fix timestamp offline when pcap timestamp is zero
Added by Maurizio Abba over 6 years ago.
Updated about 6 years ago.
Description
In offline mode, if the pcap starting timestamp is 0, localtime will never be updated. This prevent setting cause cached_minutes_start and cached_local_time array in util-time.c.
The issue with this behavior is that timestamp will be skipped whenever is needed.
The solution is to force setting the timestamp when cached_minute_start (in both mru and lru position) is zero (i.e, it's never been set before). Doing this will allow us to remove the check in the localtime_r call, as it's returned value will never be NULL.
Files
Proof of bug:
1) setting a rule to
alert http any any -> any any (msg:"generic HTTP"; flow:established; content:"HTTP"; threshold: type limit, track by_src, count 5, seconds 180; sid:101; rev:1;)
2) Enable fast.log
3) run the attached pcap
expected behavior:
Content of the fast.log
01/01/1970-00:00:25.604731 [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.60:40935 -> 37.58.69.140:80
01/01/1970-00:00:14.606462 [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.60:38558 -> 91.189.94.25:80
01/01/1970-00:00:25.606468 [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 37.58.69.140:80 -> 192.168.1.60:40935
01/01/1970-00:00:25.200630 [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.60:58468 -> 216.34.181.59:80
01/01/1970-00:00:26.509235 [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 216.34.181.59:80 -> 192.168.1.60:58468
01/01/1970-00:00:29.617101 [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 91.189.94.25:80 -> 192.168.1.60:38558
01/01/1970-00:00:53.820300 [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.60:47099 -> 46.43.34.31:80
01/01/1970-00:00:53.832951 [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 46.43.34.31:80 -> 192.168.1.60:47099
01/01/1970-00:00:53.833516 [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.60:47099 -> 46.43.34.31:80
01/01/1970-00:00:53.833516 [**] [1:102:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.60:47099 -> 46.43.34.31:80
01/01/1970-00:00:53.833516 [**] [1:103:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.60:47099 -> 46.43.34.31:80
01/01/1970-00:00:53.835299 [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 46.43.34.31:80 -> 192.168.1.60:47099
01/01/1970-00:00:54.080403 [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 46.43.34.31:80 -> 192.168.1.60:47099
01/01/1970-00:00:54.091562 [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 46.43.34.31:80 -> 192.168.1.60:47099
01/01/1970-00:01:20.313349 [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 91.189.95.36:80 -> 192.168.1.60:38407
obtained behavior
53.820300 [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.60:47099 -> 46.43.34.31:80
25.604731 [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.60:40935 -> 37.58.69.140:80
14.606462 [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.60:38558 -> 91.189.94.25:80
53.832951 [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 46.43.34.31:80 -> 192.168.1.60:47099
29.617101 [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 91.189.94.25:80 -> 192.168.1.60:38558
25.606468 [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 37.58.69.140:80 -> 192.168.1.60:40935
25.200630 [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.60:58468 -> 216.34.181.59:80
26.509235 [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 216.34.181.59:80 -> 192.168.1.60:58468
53.833516 [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.60:47099 -> 46.43.34.31:80
53.833516 [**] [1:102:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.60:47099 -> 46.43.34.31:80
53.833516 [**] [1:103:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.60:47099 -> 46.43.34.31:80
53.835299 [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 46.43.34.31:80 -> 192.168.1.60:47099
54.080403 [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 46.43.34.31:80 -> 192.168.1.60:47099
54.091562 [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 46.43.34.31:80 -> 192.168.1.60:47099
01/01/1970-01:01:20.313349 [**] [1:101:1] generic HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 91.189.95.36:80 -> 192.168.1.60:38407
- Status changed from New to Assigned
- Target version set to TBD
- Status changed from Assigned to Closed
- Target version changed from TBD to 4.1beta1
Also available in: Atom
PDF