Bug #5386: detect/threshold: offline time handling issue
detect/threshold: offline time handling issue (6.0.x backports)
Due to the TIMEVAL_DIFF_SEC calculating the delta into an unsigned
integer, it would underflow to a high positive value leading to
an incorrect result if the packet timestamp was below the timestamp
for the threshold entry.
In normal conditions, this shouldn't happen,
but in offline mode, each thread has its own concept of time which
might differ significantly based on the pcap. In this case the
overflow would be very common.
(Taken from the commit message for the fix, as seen in the WIP PR https://github.com/OISF/suricata/pull/7501 )
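The wrap described in the commit message, reproduced as an added example (not Suricata's code and not part of the original report). `diff_sec_unsigned`, `in_window_unguarded`, `in_window_guarded` and `mk_tv` are hypothetical names, the timestamps are constructed, and treating a packet stamped before the entry as still inside the window is an assumption of this sketch, not a description of the actual fix.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/time.h>

/* Hypothetical stand-in for an unsigned seconds-delta helper (not Suricata's macro). */
static uint64_t diff_sec_unsigned(struct timeval newer, struct timeval older)
{
    uint64_t n = (uint64_t)newer.tv_sec * 1000000ULL + (uint64_t)newer.tv_usec;
    uint64_t o = (uint64_t)older.tv_sec * 1000000ULL + (uint64_t)older.tv_usec;
    return (n - o) / 1000000ULL; /* wraps modulo 2^64 when newer < older */
}

/* Unguarded window check: trusts the unsigned delta. */
static bool in_window_unguarded(struct timeval pkt, struct timeval entry, uint32_t seconds)
{
    return diff_sec_unsigned(pkt, entry) < seconds;
}

/* Guarded window check: signed comparison of absolute times, so nothing can wrap.
 * Assumption of this sketch: a packet earlier than the entry is inside the window. */
static bool in_window_guarded(struct timeval pkt, struct timeval entry, uint32_t seconds)
{
    int64_t p = (int64_t)pkt.tv_sec * 1000000LL + (int64_t)pkt.tv_usec;
    int64_t e = (int64_t)entry.tv_sec * 1000000LL + (int64_t)entry.tv_usec;
    return p < e + (int64_t)seconds * 1000000LL;
}

/* Helper to build constructed sample timestamps. */
static struct timeval mk_tv(long sec, long usec)
{
    struct timeval tv = { .tv_sec = sec, .tv_usec = usec };
    return tv;
}

int main(void)
{
    /* Constructed case: the threshold entry was stamped by a thread whose pcap
     * time is 5 seconds ahead of the packet now being inspected. */
    struct timeval entry = mk_tv(1000, 0);
    struct timeval pkt = mk_tv(995, 0);

    printf("unsigned delta : %llu s\n", (unsigned long long)diff_sec_unsigned(pkt, entry));
    printf("unguarded says in-window: %d\n", in_window_unguarded(pkt, entry, 60));
    printf("guarded says in-window  : %d\n", in_window_guarded(pkt, entry, 60));
    return 0;
}
```

With a 60-second window, the unguarded check sees a delta of trillions of seconds and treats the entry as expired, which is the incorrect result the report describes.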
Updated by Juliana Fajardini Reichow 12 months ago
- Subject changed from detect/threshold: offline time handling issue (6.0. backports) to detect/threshold: offline time handling issue (6.0.x backports)
Updated by Victor Julien 12 months ago
- Status changed from New to Closed
- Assignee changed from OISF Dev to Victor Julien