Bug #4755

open

eve: timestamp loses sub-second precision in some arm scenarios

Added by Jason Ish about 3 years ago. Updated 5 months ago.

Status:
New
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

With Suricata running in a Docker container on a Raspberry Pi 4, the eve log has no sub-second precision. I first thought this was related to some other known issues with the Docker/Raspberry Pi combination, but fast.log does have sub-second precision. For example:

10/14/2021-05:41:55.102719  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.105.5.173:80 -> 10.16.1.11:57724

vs
{"timestamp":"2021-10-14T05:41:55.000000+0000","flow_id":1102435479351953,"in_iface":"eth1","event_type":"alert","src_ip":"172.105.5.173","src_port":80,"dest_ip":"10.16.1.11","dest_port":57724,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2,"metadata":{"created_at":["2010_09_23"],"updated_at":["2010_09_23"]}},"http":{"hostname":"evebox.org","url":"/testmyids","http_user_agent":"curl/7.76.1","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":39},"files":[{"filename":"/testmyids","sid":[],"gaps":false,"state":"CLOSED","stored":false,"size":39,"tx_id":0}],"app_proto":"http","flow":{"pkts_toserver":5,"pkts_toclient":4,"bytes_toserver":421,"bytes_toclient":528,"start":"2021-10-14T05:41:54.000000+0000"}}

This suggests it's an issue within Suricata itself.
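A quick way to confirm the symptom on an affected host is to pair each fast.log alert with its eve.json record and compare the microsecond fields. This is an added example, not code from this report or from Suricata; the sample lines are constructed from the two quoted above, and the fast.log regex assumes IPv4 addresses.

```python
import json
import re
from datetime import datetime

# Constructed sample input modelled on the report: the fast.log line keeps
# microseconds while the eve.json alert for the same event shows ".000000".
FAST_LOG = ("10/14/2021-05:41:55.102719  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check "
            "returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] "
            "{TCP} 172.105.5.173:80 -> 10.16.1.11:57724\n")
EVE_JSON = ('{"timestamp":"2021-10-14T05:41:55.000000+0000","event_type":"alert",'
            '"src_ip":"172.105.5.173","src_port":80,"dest_ip":"10.16.1.11","dest_port":57724,'
            '"proto":"TCP","alert":{"gid":1,"signature_id":2100498,"rev":7}}\n')

# fast.log layout: "<ts>  [**] [gid:sid:rev] ... {PROTO} src:port -> dst:port" (IPv4 assumed)
FAST_RE = re.compile(r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\].*"
                     r"\{\w+\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$")

def fast_alerts(lines):
    """(gid, sid, rev, src, sport, dst, dport) -> microsecond field, from fast.log lines."""
    out = {}
    for line in lines:
        m = FAST_RE.match(line)
        if m:
            us = datetime.strptime(m["ts"], "%m/%d/%Y-%H:%M:%S.%f").microsecond
            out[(int(m["gid"]), int(m["sid"]), int(m["rev"]), m["src"],
                 int(m["sport"]), m["dst"], int(m["dport"]))] = us
    return out

def eve_alerts(lines):
    """Same key -> microsecond field, from eve.json alert records (other event types skipped)."""
    out = {}
    for line in lines:
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        us = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z").microsecond
        a = rec["alert"]
        out[(a["gid"], a["signature_id"], a["rev"], rec["src_ip"], rec["src_port"],
             rec["dest_ip"], rec["dest_port"])] = us
    return out

def precision_mismatches(fast_lines, eve_lines):
    """Alerts present in both logs whose microsecond fields differ, i.e. eve lost precision."""
    fast, eve = fast_alerts(fast_lines), eve_alerts(eve_lines)
    return {k: (fast[k], eve[k]) for k in fast if k in eve and fast[k] != eve[k]}

for key, (fast_us, eve_us) in precision_mismatches(FAST_LOG.splitlines(),
                                                   EVE_JSON.splitlines()).items():
    print(f"sid {key[1]} {key[3]}:{key[4]} -> {key[5]}:{key[6]}: fast.log .{fast_us:06d} vs eve .{eve_us:06d}")
```

Only the microsecond field is compared, so the usual local-time (fast.log) versus offset-stamped (eve) difference between the two logs does not matter; a host that is not affected returns an empty dict.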
