Bug #2429
closedTCP-session and wrong alert timestamp
Description
Suricata 4.0.3 (also reproduced on suricata 3.0.2 and 4.0)
I have simple net dump, which contain one tcp-session (see attach for pcap):
In one packet (time stamp 15:04:56.042481 ) exist sample test pattern "TEST".
in my test_sig.rules:
alert tcp any any -> any any (msg: "Test sig"; content: "TEST"; sid: 9000000; classtype: unknown;)
next start suricata:
sudo suricata -c /usr/local/etc/suricata/suricata.yaml -S test_sig.rules -k none -r init_dump.pcap
result:
01/27/2018-15:05:09.915135 [**] [1:9000000:0] Test sig [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.56.101:35825 -> 192.168.56.102:9999
Expected, that alert time must be 15:04:56.042481 (time of packet, containing test string), but it's time 15:05:09.915135 (corresponding to FYN packet).
I reproduce this case on different ways, such, as live replaying it on net, change ip search pattern and ip addresses, but i always got the same result - alert fix time of FIN packet, but not time of packet with pattern.
Files
Updated by Andreas Herz almost 7 years ago
- Assignee set to OISF Dev
- Target version set to TBD
Updated by Andreas Herz over 5 years ago
I can confirm that with 5.0 beta, but might be even intentional to be like that?
Updated by Victor Julien over 5 years ago
This is probably because TCP data is inspected when its ACKd. What if you enable IPS simulation (--simulate-ips). This will put the stream inspection in a more real time mode.
Updated by Andreas Herz over 5 years ago
This is w ith simulate-ips :)
01/27/2018-13:04:56.042481 [**] [1:9000000:0] Test sig [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.56.101:35825 -> 192.168.56.102:9999 01/27/2018-13:04:56.431254 [**] [1:9000000:0] Test sig [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.56.101:35825 -> 192.168.56.102:9999 01/27/2018-13:04:56.647552 [**] [1:9000000:0] Test sig [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.56.101:35825 -> 192.168.56.102:9999 01/27/2018-13:04:56.826973 [**] [1:9000000:0] Test sig [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.56.101:35825 -> 192.168.56.102:9999 01/27/2018-13:04:57.007120 [**] [1:9000000:0] Test sig [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.56.101:35825 -> 192.168.56.102:9999 01/27/2018-13:04:58.502805 [**] [1:9000000:0] Test sig [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.56.101:35825 -> 192.168.56.102:9999 01/27/2018-13:05:02.349810 [**] [1:9000000:0] Test sig [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.56.101:35825 -> 192.168.56.102:9999 01/27/2018-13:05:02.582109 [**] [1:9000000:0] Test sig [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.56.101:35825 -> 192.168.56.102:9999 01/27/2018-13:05:05.082504 [**] [1:9000000:0] Test sig [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.56.101:35825 -> 192.168.56.102:9999 01/27/2018-13:05:05.373542 [**] [1:9000000:0] Test sig [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.56.101:35825 -> 192.168.56.102:9999 01/27/2018-13:05:05.628330 [**] [1:9000000:0] Test sig [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.56.101:35825 -> 192.168.56.102:9999 01/27/2018-13:05:06.014253 [**] [1:9000000:0] Test sig [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.56.101:35825 -> 192.168.56.102:9999 01/27/2018-13:05:06.225345 [**] [1:9000000:0] Test sig [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.56.101:35825 -> 192.168.56.102:9999 01/27/2018-13:05:06.404309 [**] [1:9000000:0] Test sig [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.56.101:35825 -> 192.168.56.102:9999 01/27/2018-13:05:06.579484 [**] [1:9000000:0] Test sig [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.56.101:35825 -> 192.168.56.102:9999 01/27/2018-13:05:08.947010 [**] [1:9000000:0] Test sig [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.56.101:35825 -> 192.168.56.102:9999
Updated by Jason Ish almost 3 years ago
- Related to Bug #3480: EVE JSON - Incorrect Packet Logged added
Updated by Philippe Antoine about 1 year ago
- Status changed from New to Rejected
Working as expected.
There are other tickets about this such as #3480 if this behavior needs to be more highlighted