Project

General

Profile

Actions

Bug #2429

closed

TCP-session and wrong alert timestamp

Added by Andrey Kiryukhin almost 7 years ago. Updated about 1 year ago.

Status:
Rejected
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Suricata 4.0.3 (also reproduced on suricata 3.0.2 and 4.0)

I have simple net dump, which contain one tcp-session (see attach for pcap):

pcap trace..

In one packet (time stamp 15:04:56.042481 ) exist sample test pattern "TEST".

in my test_sig.rules:

alert tcp any any -> any any (msg: "Test sig"; content: "TEST"; sid: 9000000; classtype: unknown;)

next start suricata:

sudo suricata -c /usr/local/etc/suricata/suricata.yaml -S test_sig.rules -k none -r init_dump.pcap

result:
01/27/2018-15:05:09.915135 [**] [1:9000000:0] Test sig [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.56.101:35825 -> 192.168.56.102:9999

Expected, that alert time must be 15:04:56.042481 (time of packet, containing test string), but it's time 15:05:09.915135 (corresponding to FYN packet).

I reproduce this case on different ways, such, as live replaying it on net, change ip search pattern and ip addresses, but i always got the same result - alert fix time of FIN packet, but not time of packet with pattern.


Files

init_dump.pcap (3.82 KB) init_dump.pcap Andrey Kiryukhin, 01/27/2018 06:47 AM

Related issues 1 (1 open0 closed)

Related to Suricata - Bug #3480: EVE JSON - Incorrect Packet LoggedNewOISF DevActions
Actions #1

Updated by Andreas Herz almost 7 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD
Actions #2

Updated by Andreas Herz over 5 years ago

I can confirm that with 5.0 beta, but might be even intentional to be like that?

Actions #3

Updated by Victor Julien over 5 years ago

This is probably because TCP data is inspected when its ACKd. What if you enable IPS simulation (--simulate-ips). This will put the stream inspection in a more real time mode.

Actions #4

Updated by Andreas Herz over 5 years ago

This is w ith simulate-ips :)

01/27/2018-13:04:56.042481  [**] [1:9000000:0] Test sig [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.56.101:35825 -> 192.168.56.102:9999
01/27/2018-13:04:56.431254  [**] [1:9000000:0] Test sig [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.56.101:35825 -> 192.168.56.102:9999
01/27/2018-13:04:56.647552  [**] [1:9000000:0] Test sig [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.56.101:35825 -> 192.168.56.102:9999
01/27/2018-13:04:56.826973  [**] [1:9000000:0] Test sig [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.56.101:35825 -> 192.168.56.102:9999
01/27/2018-13:04:57.007120  [**] [1:9000000:0] Test sig [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.56.101:35825 -> 192.168.56.102:9999
01/27/2018-13:04:58.502805  [**] [1:9000000:0] Test sig [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.56.101:35825 -> 192.168.56.102:9999
01/27/2018-13:05:02.349810  [**] [1:9000000:0] Test sig [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.56.101:35825 -> 192.168.56.102:9999
01/27/2018-13:05:02.582109  [**] [1:9000000:0] Test sig [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.56.101:35825 -> 192.168.56.102:9999
01/27/2018-13:05:05.082504  [**] [1:9000000:0] Test sig [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.56.101:35825 -> 192.168.56.102:9999
01/27/2018-13:05:05.373542  [**] [1:9000000:0] Test sig [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.56.101:35825 -> 192.168.56.102:9999
01/27/2018-13:05:05.628330  [**] [1:9000000:0] Test sig [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.56.101:35825 -> 192.168.56.102:9999
01/27/2018-13:05:06.014253  [**] [1:9000000:0] Test sig [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.56.101:35825 -> 192.168.56.102:9999
01/27/2018-13:05:06.225345  [**] [1:9000000:0] Test sig [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.56.101:35825 -> 192.168.56.102:9999
01/27/2018-13:05:06.404309  [**] [1:9000000:0] Test sig [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.56.101:35825 -> 192.168.56.102:9999
01/27/2018-13:05:06.579484  [**] [1:9000000:0] Test sig [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.56.101:35825 -> 192.168.56.102:9999
01/27/2018-13:05:08.947010  [**] [1:9000000:0] Test sig [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.56.101:35825 -> 192.168.56.102:9999
Actions #5

Updated by Jason Ish almost 3 years ago

  • Related to Bug #3480: EVE JSON - Incorrect Packet Logged added
Actions #6

Updated by Philippe Antoine about 1 year ago

  • Status changed from New to Rejected

Working as expected.
There are other tickets about this such as #3480 if this behavior needs to be more highlighted

Actions

Also available in: Atom PDF