
Bug #2429

TCP-session and wrong alert timestamp

Added by Andrey Kiryukhin over 1 year ago. Updated 10 days ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Suricata 4.0.3 (also reproduced on suricata 3.0.2 and 4.0)

I have a simple net dump which contains one TCP session (see the attached pcap).

One packet (timestamp 15:04:56.042481) contains the sample test pattern "TEST".

In my test_sig.rules:

alert tcp any any -> any any (msg: "Test sig"; content: "TEST"; sid: 9000000; classtype: unknown;)

Next, start Suricata:

sudo suricata -c /usr/local/etc/suricata/suricata.yaml -S test_sig.rules -k none -r init_dump.pcap

result:
01/27/2018-15:05:09.915135 [**] [1:9000000:0] Test sig [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.56.101:35825 -> 192.168.56.102:9999

I expected the alert time to be 15:04:56.042481 (the time of the packet containing the test string), but it is 15:05:09.915135 (corresponding to the FIN packet).

I reproduced this case in different ways, such as replaying it live on the network and changing the search pattern and IP addresses, but I always got the same result: the alert carries the time of the FIN packet, not the time of the packet with the pattern.


Files

init_dump.pcap (3.82 KB), Andrey Kiryukhin, 01/27/2018 06:47 AM
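A reproduction aid, added here and not part of the report, the attached pcap or Suricata itself: it constructs a capture of the same shape as the one described (handshake, one segment carrying "TEST", then the client's FIN) using the endpoints and the two timestamps quoted in the report, writes it as a classic libpcap file you can feed to the same `suricata -r` command, and then reads back which packet carries the pattern and which is the FIN so a fast.log line can be classified as stamped with one or the other. The handshake times, sequence numbers, MAC addresses and payload bytes are constructed; the report's times are taken as UTC, which is an assumption, since fast.log prints local time.

```python
"""Constructed one-session TCP pcap plus a check of which packet an alert timestamp matches."""
import socket
import struct
from datetime import datetime

# Endpoints copied from the report; everything else in the frames is constructed.
CLIENT, SERVER = "192.168.56.101", "192.168.56.102"
CPORT, SPORT = 35825, 9999
FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10

# Report's times taken as 2018-01-27 UTC (assumption; fast.log uses local time,
# so the printed hour may differ by your UTC offset, seconds/usec will not).
T_DATA = (1517065496, 42481)   # 15:04:56.042481, segment carrying "TEST"
T_FIN = (1517065509, 915135)   # 15:05:09.915135, client's FIN


def _csum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (IPv4 and TCP checksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tcp_frame(src, dst, sport, dport, seq, ack, flags, payload=b"") -> bytes:
    """Ethernet/IPv4/TCP frame with valid checksums, so the capture does not rely on -k none."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")  # constructed MACs, ethertype IPv4
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    tcp_len = 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 1, 0x4000, 64, 6, 0, s, d)
    ip = ip[:10] + struct.pack("!H", _csum(ip)) + ip[12:]          # checksum sits at bytes 10-11
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)
    pseudo = s + d + struct.pack("!BBH", 0, 6, tcp_len)            # TCP pseudo-header
    tcp = tcp[:16] + struct.pack("!H", _csum(pseudo + tcp + payload)) + tcp[18:]
    return eth + ip + tcp + payload


def build_session():
    """Handshake, one data segment with the pattern, server ACK, client FIN. Returns [(sec, usec, frame)]."""
    c_seq, s_seq = 1000, 5000
    t0 = T_DATA[0] - 1                                             # constructed: handshake 1 s before the data
    return [
        (t0, 0, tcp_frame(CLIENT, SERVER, CPORT, SPORT, c_seq, 0, SYN)),
        (t0, 100, tcp_frame(SERVER, CLIENT, SPORT, CPORT, s_seq, c_seq + 1, SYN | ACK)),
        (t0, 200, tcp_frame(CLIENT, SERVER, CPORT, SPORT, c_seq + 1, s_seq + 1, ACK)),
        (T_DATA[0], T_DATA[1], tcp_frame(CLIENT, SERVER, CPORT, SPORT, c_seq + 1, s_seq + 1, PSH | ACK, b"hello TEST\n")),
        (T_DATA[0], T_DATA[1] + 500, tcp_frame(SERVER, CLIENT, SPORT, CPORT, s_seq + 1, c_seq + 12, ACK)),
        (T_FIN[0], T_FIN[1], tcp_frame(CLIENT, SERVER, CPORT, SPORT, c_seq + 12, s_seq + 1, FIN | ACK)),
    ]


def to_pcap(pkts) -> bytes:
    """Classic libpcap file: 24-byte global header (usec resolution, LINKTYPE_ETHERNET) + 16-byte record headers."""
    out = bytearray(struct.pack("=IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for sec, usec, frame in pkts:
        out += struct.pack("=IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)


def packet_times(pcap: bytes, pattern=b"TEST") -> dict:
    """Return {'data': (sec, usec) of first segment carrying pattern, 'fin': (sec, usec) of first FIN}.
    Assumes Ethernet/IPv4/TCP records, as written by to_pcap()."""
    found, off = {}, 24
    while off < len(pcap):
        sec, usec, caplen, _ = struct.unpack_from("=IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + caplen]
        off += 16 + caplen
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl:]
        data_off = (tcp[12] >> 4) * 4
        flags, payload = tcp[13], tcp[data_off:]
        if pattern in payload and "data" not in found:
            found["data"] = (sec, usec)
        if flags & FIN and "fin" not in found:
            found["fin"] = (sec, usec)
    return found


def fastlog_time(line: str) -> datetime:
    """Parse the leading 'MM/DD/YYYY-HH:MM:SS.ffffff' of a fast.log line (local time, no zone info)."""
    return datetime.strptime(line.split(" ", 1)[0], "%m/%d/%Y-%H:%M:%S.%f")


def alert_stamped_with(line: str, times: dict) -> str:
    """'data', 'fin' or 'neither': which packet's timestamp the alert carries.
    Only second and microsecond are compared, so the answer is independent of the
    timezone fast.log was written in (UTC offsets are whole minutes)."""
    t = fastlog_time(line)
    for name, (sec, usec) in times.items():
        if (sec % 60, usec) == (t.second, t.microsecond):
            return name
    return "neither"


if __name__ == "__main__":
    pcap = to_pcap(build_session())
    with open("init_dump_repro.pcap", "wb") as f:       # feed this to: suricata ... -r init_dump_repro.pcap
        f.write(pcap)
    times = packet_times(pcap)
    reported = "01/27/2018-15:05:09.915135 [**] [1:9000000:0] Test sig [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.56.101:35825 -> 192.168.56.102:9999"
    print("pattern segment:", times["data"], "FIN:", times["fin"])
    print("reported alert is stamped with:", alert_stamped_with(reported, times))
```

Run the script, then point the report's `suricata -c ... -S test_sig.rules -r init_dump_repro.pcap` command at the written file and paste the resulting fast.log line into `alert_stamped_with()`; it reports "fin" for the line quoted in the report and would report "data" if the alert carried the payload segment's time. Because the pattern only matches on the reassembled stream, the packet that triggers that inspection is the one whose timestamp the alert inherits, which is what this check makes visible.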

History

#1

Updated by Andreas Herz over 1 year ago

  • Assignee set to OISF Dev
  • Target version set to TBD
#2

Updated by Andreas Herz 10 days ago

I can confirm that with the 5.0 beta, but it might even be intentional to be like that?
