[Oisf-users] Alert Timestamps Off/Incorrect

Andreas Herz andi at geekosphere.org
Thu Dec 3 22:59:07 UTC 2015


On 03/12/15 at 16:26, Jason Holmes wrote:
> This afternoon we detected an event via several different sensors.  Two of
> the sensors logged the event within seconds of when it happened with
> timestamps within seconds of the corresponding network traffic. Suricata
> received the same traffic at the same time but logged it much later and when
> it did, the timestamps for the alerts in the fast.log were off by a
> significant amount of time and not at all representative of when the network
> traffic for the event occurred.

How big is the time gap exactly? And in which mode are you running
suricata?

> 1. What are the timestamps that Suricata uses in its alert files
> representative of?  Are they supposed to represent when an event occurred,
> when the log line was written, or something else?

In my tests the log is written as soon as the rule matches.

> 2. Is the above delayed logging behavior intended?  If this behavior is not
> intended and any of the developers would like more information to dig into
> this, I can provide it privately.

It would be helpful if you can reproduce the scenario or provide us with
all the details/traffic to test it on our systems.

Best would be a single rule and a pcap to make the test quite easy.

-- 
Andreas Herz
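To put a number on the time gap Andreas asks about, here is an added example (not code from the thread or from Suricata) that parses fast.log lines and compares each alert's timestamp with the packet time of the same flow taken from the pcap. The log lines, flow keys, packet times and sid 1000001 are all constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed fast.log lines in Suricata's fast.log layout (not from the original thread).
FAST_LOG = """\
12/03/2015-16:26:05.250000  [**] [1:1000001:1] LOCAL test rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:34567 -> 10.0.0.9:80
12/03/2015-16:41:12.000000  [**] [1:1000001:1] LOCAL test rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:34568 -> 10.0.0.9:80
"""

# Constructed packet times for the same two flows, as one would read them from the
# pcap (e.g. with tshark or scapy). Keyed by (src, sport, dst, dport).
PACKET_TIMES = {
    ("10.0.0.5", 34567, "10.0.0.9", 80): datetime(2015, 12, 3, 16, 26, 4, 900000),
    ("10.0.0.5", 34568, "10.0.0.9", 80): datetime(2015, 12, 3, 16, 26, 30),
}

FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_fast_log(text):
    """Yield (flow_key, alert_time, sid) for every well-formed fast.log line."""
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%m/%d/%Y-%H:%M:%S.%f")
        key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        yield key, ts, int(m["sid"])


def alert_lag(fast_log=FAST_LOG, packet_times=PACKET_TIMES, max_lag=timedelta(seconds=5)):
    """Return ({flow_key: lag_seconds}, [(flow_key, sid, lag)]) where the second list
    holds flows whose alert timestamp trails the packet timestamp by more than max_lag."""
    lags, suspicious = {}, []
    for key, alert_ts, sid in parse_fast_log(fast_log):
        pkt_ts = packet_times.get(key)
        if pkt_ts is None:
            continue  # no matching packet in the pcap; nothing to compare against
        lag = (alert_ts - pkt_ts).total_seconds()
        lags[key] = lag
        if lag > max_lag.total_seconds():
            suspicious.append((key, sid, lag))
    return lags, suspicious
```

In the constructed data the first alert trails its packet by 0.35 s while the second trails by 882 s, so only the second flow is reported; the same comparison applied to the real pcap and fast.log would give the exact gap the reply asks for.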
