Project

General

Profile

Actions

Bug #2429

closed

TCP-session and wrong alert timestamp

Added by Andrey Kiryukhin almost 7 years ago. Updated about 1 year ago.

Status:
Rejected
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Suricata 4.0.3 (also reproduced on suricata 3.0.2 and 4.0)

I have simple net dump, which contain one tcp-session (see attach for pcap):

pcap trace..

In one packet (time stamp 15:04:56.042481 ) exist sample test pattern "TEST".

in my test_sig.rules:

alert tcp any any -> any any (msg: "Test sig"; content: "TEST"; sid: 9000000; classtype: unknown;)

next start suricata:

sudo suricata -c /usr/local/etc/suricata/suricata.yaml -S test_sig.rules -k none -r init_dump.pcap

result:
01/27/2018-15:05:09.915135 [**] [1:9000000:0] Test sig [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.56.101:35825 -> 192.168.56.102:9999

Expected, that alert time must be 15:04:56.042481 (time of packet, containing test string), but it's time 15:05:09.915135 (corresponding to FYN packet).

I reproduce this case on different ways, such, as live replaying it on net, change ip search pattern and ip addresses, but i always got the same result - alert fix time of FIN packet, but not time of packet with pattern.


Files

init_dump.pcap (3.82 KB) init_dump.pcap Andrey Kiryukhin, 01/27/2018 06:47 AM

Related issues 1 (1 open0 closed)

Related to Suricata - Bug #3480: EVE JSON - Incorrect Packet LoggedNewOISF DevActions
Actions

Also available in: Atom PDF