Support #3104
Status: closed
eve-nsm log of flow has timestamp much later than flow end
Description
I'm experimenting with Suricata and examining flow logging in eve-nsm.json, and occasionally a flow is logged with a timestamp that is much later (hours or days later) than the flow end.
I've looked for issues in my system logs and Suricata logs and found no indications of resource issues or Suricata errors.
I've looked through bugs and not found any specifically tied to this kind of problem, though I have noticed some bugs related to deadlocks in the past.
Am I misunderstanding the data, or is this an indication that Suricata (or one of its threads) is hanging for a long time before logging a finished flow?
Also, lmk if there is a better forum to ask this.
Here's an example json record (ip addresses removed):
{
  "timestamp": "2019-08-01T14:49:27.001024+0000",
  "flow_id": 110494497537784,
  "event_type": "flow",
  "src_ip": "x.x.x.x",
  "src_port": 54150,
  "dest_ip": "y.y.y.y",
  "dest_port": 443,
  "proto": "TCP",
  "app_proto": "tls",
  "flow": {
    "pkts_toserver": 28,
    "pkts_toclient": 11,
    "bytes_toserver": 4392,
    "bytes_toclient": 6954,
    "start": "2019-07-31T20:59:50.818936+0000",
    "end": "2019-07-31T21:01:47.119398+0000",
    "age": 117,
    "state": "established",
    "reason": "timeout",
    "alerted": false
  },
  "tcp": {
    "tcp_flags": "1b",
    "tcp_flags_ts": "1b",
    "tcp_flags_tc": "1a",
    "syn": true,
    "fin": true,
    "psh": true,
    "ack": true,
    "state": "close_wait"
  }
}
TIA
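One way to measure how widespread this is across a whole eve.json, as an added example that is not part of the original report or of Suricata itself: for every flow record it computes the gap between flow.end (last packet seen) and the record's own timestamp (when the flow was written out), and lists the flows where that gap exceeds a threshold. The 3600 s threshold and the sample lines are assumptions; the first sample line mirrors the record above, the others are constructed.

```python
import json
from datetime import datetime

# Constructed eve.json sample, one JSON object per line. Line 1 mirrors the
# record in the report (IPs anonymised); line 2 is a flow logged shortly after
# it ended; line 3 is a non-flow event that must be ignored.
SAMPLE_EVE = """\
{"timestamp": "2019-08-01T14:49:27.001024+0000", "flow_id": 110494497537784, "event_type": "flow", "src_ip": "x.x.x.x", "src_port": 54150, "dest_ip": "y.y.y.y", "dest_port": 443, "proto": "TCP", "app_proto": "tls", "flow": {"start": "2019-07-31T20:59:50.818936+0000", "end": "2019-07-31T21:01:47.119398+0000", "age": 117, "state": "established", "reason": "timeout", "alerted": false}}
{"timestamp": "2019-07-31T21:31:50.000000+0000", "flow_id": 1, "event_type": "flow", "proto": "TCP", "flow": {"start": "2019-07-31T21:00:00.000000+0000", "end": "2019-07-31T21:01:00.000000+0000", "age": 60, "state": "closed", "reason": "timeout", "alerted": false}}
{"timestamp": "2019-07-31T21:01:00.000000+0000", "event_type": "alert", "flow": {}}
"""

# Suricata writes timestamps as 2019-08-01T14:49:27.001024+0000; %z parses +HHMM.
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"


def parse_ts(value):
    return datetime.strptime(value, TS_FORMAT)


def log_lag(record):
    """Seconds between the flow's last packet (flow.end) and the moment the
    record was written (top-level timestamp). None for non-flow records."""
    if record.get("event_type") != "flow":
        return None
    written = parse_ts(record["timestamp"])
    ended = parse_ts(record["flow"]["end"])
    return (written - ended).total_seconds()


def find_late_flows(lines, max_lag_seconds=3600):
    """Return (flow_id, lag_seconds, reason) for every flow record logged more
    than max_lag_seconds after its end. Assumed threshold: set it above your
    configured flow timeouts so that ordinary timeout-driven logging is not flagged."""
    late = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial line, e.g. cut at file rotation
        lag = log_lag(record)
        if lag is not None and lag > max_lag_seconds:
            late.append((record.get("flow_id"), lag, record["flow"].get("reason")))
    return late


if __name__ == "__main__":
    for flow_id, lag, reason in find_late_flows(SAMPLE_EVE.splitlines()):
        print(f"flow_id={flow_id} logged {lag / 3600:.1f} h after flow end (reason={reason})")
```

Run it against a real eve.json by replacing SAMPLE_EVE.splitlines() with a file handle; the printed lags show whether the delay clusters around a fixed value (timeout-like) or varies widely.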