Bug #337
Status: Closed
Suricata logs alerts with wrong timestamp (start of the epoch).
Description
I'm seeing alerts with timestamp "Thu Jan 1 00:00:00 1970" in both unified2 and fast alert logs.
About 20% of the entries in my logs for the last week are with this timestamp. This is for Suricata from GIT.
Here is a short sample of the logs (with the IPs masked):
01/01/1970-01:00:00.000000 [**] [1:2803728:3] ETPRO WEB_SERVER OpenSSL ECDH Use After Free Attempt SSL 3.0 [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} X.X.X.250:49392 -> X.X.X.4:443
09/27/2011-05:54:55.553829 [**] [1:2013295:2] ET POLICY Self Signed SSL Certificate (Snake Oil CA) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} X.X.X.227:443 -> X.X.X.7:63367
09/27/2011-05:55:08.460580 [**] [1:2803728:3] ETPRO WEB_SERVER OpenSSL ECDH Use After Free Attempt SSL 3.0 [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} X.X.X.50:1861 -> X.X.X.4:443
09/27/2011-05:56:03.703293 [**] [1:2010904:5] ET USER_AGENTS Fake Mozilla UA Inbound (Mozilla/0.xx) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} X.X.X.178:53551 -> X.X.X.4:80
01/01/1970-01:00:00.000000 [**] [1:2803728:3] ETPRO WEB_SERVER OpenSSL ECDH Use After Free Attempt SSL 3.0 [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} X.X.X.50:1924 -> X.X.X.4:443
09/27/2011-06:00:05.844775 [**] [1:2010904:5] ET USER_AGENTS Fake Mozilla UA Inbound (Mozilla/0.xx) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} X.X.X.196:61530 -> X.X.X.4:80
09/27/2011-06:00:55.776206 [**] [1:2803728:3] ETPRO WEB_SERVER OpenSSL ECDH Use After Free Attempt SSL 3.0 [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} X.X.X.62:64883 -> X.X.X.4:443
09/27/2011-06:08:34.935037 [**] [1:2803728:3] ETPRO WEB_SERVER OpenSSL ECDH Use After Free Attempt SSL 3.0 [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} X.X.X.243:56971 -> X.X.X.4:443
09/27/2011-06:09:15.765385 [**] [1:2002945:10] ET POLICY Java Url Lib User Agent Web Crawl [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} X.X.X.10:2913 -> X.X.X.4:80
01/01/1970-01:00:00.000000 [**] [1:2803728:3] ETPRO WEB_SERVER OpenSSL ECDH Use After Free Attempt SSL 3.0 [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} X.X.X.212:47548 -> X.X.X.4:443
01/01/1970-01:00:00.000000 [**] [1:2803728:3] ETPRO WEB_SERVER OpenSSL ECDH Use After Free Attempt SSL 3.0 [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} X.X.X.243:57413 -> X.X.X.4:443
01/01/1970-01:00:00.000000 [**] [1:2803728:3] ETPRO WEB_SERVER OpenSSL ECDH Use After Free Attempt SSL 3.0 [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} X.X.X.111:1089 -> X.X.X.4:443
01/01/1970-01:00:00.000000 [**] [1:2803728:3] ETPRO WEB_SERVER OpenSSL ECDH Use After Free Attempt SSL 3.0 [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} X.X.X.243:57826 -> X.X.X.4:443
01/01/1970-01:00:00.000000 [**] [1:2803728:3] ETPRO WEB_SERVER OpenSSL ECDH Use After Free Attempt SSL 3.0 [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} X.X.X.212:32967 -> X.X.X.4:443
09/27/2011-06:39:46.487946 [**] [1:2803728:3] ETPRO WEB_SERVER OpenSSL ECDH Use After Free Attempt SSL 3.0 [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} X.X.X.79:2085 -> X.X.X.4:443
09/27/2011-06:41:13.796010 [**] [1:2803728:3] ETPRO WEB_SERVER OpenSSL ECDH Use After Free Attempt SSL 3.0 [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} X.X.X.176:1406 -> X.X.X.4:443
01/01/1970-01:00:00.000000 [**] [1:2803728:3] ETPRO WEB_SERVER OpenSSL ECDH Use After Free Attempt SSL 3.0 [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} X.X.X.20:38124 -> X.X.X.4:443
Updated by Victor Julien about 13 years ago
- Status changed from New to Assigned
- Assignee set to Anoop Saldanha
- Estimated time set to 5.00 h
@Anoop My guess would be this relates to the flow timeout code. The injected pkts probably don't have a timestamp set?
Updated by Nikolay Denev about 13 years ago
After applying 3ec7b7519434f900a47534b3b14bbdb630992efb I'm no longer seeing alerts with start of the epoch timestamps. Thanks!
Updated by Victor Julien about 13 years ago
- Status changed from Assigned to Closed
- % Done changed from 0 to 100
Cool, closing then. Thanks guys!
Updated by Anoop Saldanha almost 13 years ago
- Estimated time changed from 5.00 h to 0.50 h