Bug #4755
openeve: timestamp loses sub-second precision in some arm scenarios
Affected Versions:
Effort:
Difficulty:
Label:
Description
With Suricata running in a Docker container on a Raspberry Pi 4, the eve
log has no sub-second precision. I first thought this was related to some other known issues with the Docker/Raspberry Pi combination, but fast.log does have sub-second precision for the same event. For example:
10/14/2021-05:41:55.102719 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.105.5.173:80 -> 10.16.1.11:57724
vs
{"timestamp":"2021-10-14T05:41:55.000000+0000","flow_id":1102435479351953,"in_iface":"eth1","event_type":"alert","src_ip":"172.105.5.173","src_port":80,"dest_ip":"10.16.1.11","dest_port":57724,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2,"metadata":{"created_at":["2010_09_23"],"updated_at":["2010_09_23"]}},"http":{"hostname":"evebox.org","url":"/testmyids","http_user_agent":"curl/7.76.1","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":39},"files":[{"filename":"/testmyids","sid":[],"gaps":false,"state":"CLOSED","stored":false,"size":39,"tx_id":0}],"app_proto":"http","flow":{"pkts_toserver":5,"pkts_toclient":4,"bytes_toserver":421,"bytes_toclient":528,"start":"2021-10-14T05:41:54.000000+0000"}}
This suggests it's an issue within Suricata's EVE timestamp formatting itself rather than the platform clock.
Updated by Philippe Antoine 9 days ago
- Status changed from New to Feedback
Does this still happen in 8?
And with
diff --git a/src/util-time.c b/src/util-time.c
index 67b3fd4944..d26c78b1ad 100644
--- a/src/util-time.c
+++ b/src/util-time.c
@@ -218,8 +218,8 @@ void CreateIsoTimeString(const SCTime_t ts, char *str, size_t size)
WinStrftime(ts, t, str, size);
#else
char time_fmt[64] = { 0 };
- int64_t usec = SCTIME_USECS(ts);
- strftime(time_fmt, sizeof(time_fmt), "%Y-%m-%dT%H:%M:%S.%%06" PRIi64 "%z", t);
+ uint32_t usec = (uint32_t)SCTIME_USECS(ts);
+ strftime(time_fmt, sizeof(time_fmt), "%Y-%m-%dT%H:%M:%S.%%06" PRIu32 "%z", t);
snprintf(str, size, time_fmt, usec);
#endif
} else {
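Review bot: The return value of strftime on the new format line is still unchecked, so if the expansion ever did not fit in time_fmt the C standard leaves the buffer indeterminate and the following snprintf would run on an indeterminate format string; a guard such as `if (strftime(time_fmt, sizeof(time_fmt), "%Y-%m-%dT%H:%M:%S.%%06" PRIu32 "%z", t) == 0) { if (size) str[0] = '\0'; return; }` keeps the output well-formed (the 64-byte buffer comfortably fits the result today, so this is defensive). The narrowing cast to uint32_t is only safe because a microsecond count is below 1,000,000, which is worth stating next to it, e.g. `/* usec < 1e6 so it fits in 32 bits; the conversion width must match the vararg type on 32-bit ABIs */`. Since the int64_t/PRIi64 pairing being replaced is also type-correct, it is not clear from the hunk why the 32-bit form would print differently on the reporter's ARM build; if this is a diagnostic patch, noting that intent (and the toolchain/ABI suspicion) would help whoever picks it up. CreateIsoTimeString starts before and continues past this hunk.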