[Oisf-users] Alert Timestamps Off/Incorrect

Jason Holmes jholmes at psu.edu
Fri Dec 4 14:26:39 UTC 2015


Hi Andreas,

I have pulled together information that I can share off list.  What's a 
good email to send this to?  Is there a private address that Suricata 
uses for things like this?

Thanks,

--
Jason Holmes

On 12/3/15 5:59 PM, Andreas Herz wrote:
> On 03/12/15 at 16:26, Jason Holmes wrote:
>> This afternoon we detected an event via several different sensors.  Two of
>> the sensors logged the event within seconds of when it happened with
>> timestamps within seconds of the corresponding network traffic. Suricata
>> received the same traffic at the same time but logged it much later and when
>> it did, the timestamps for the alerts in the fast.log were off by a
>> significant amount of time and not at all representative of when the network
>> traffic for the event occurred.
>
> How big is the time gap exactly? And in which mode are you running
> suricata?
>
>> 1. What are the timestamps that Suricata uses in its alert files
>> representative of?  Are they supposed to represent when an event occurred,
>> when the log line was written, or something else?
>
> In my tests the log is written as soon as the rule matches.
>
>> 2. Is the above delayed logging behavior intended?  If this behavior is not
>> intended and any of the developers would like more information to dig into
>> this, I can provide it privately.
>
> It would be helpful if you can reproduce the scenario or provide us with
> all the details/traffic to test it on our systems.
>
> Best would be a single rule and a pcap to make the test quite easy.
>
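The reply above asks how big the time gap is. One way to answer that, as an added example that is not part of this thread and not Suricata project code, is to parse the fast.log timestamps and compare them against the time the other sensors reported. The two fast.log lines, the SIDs and the reference time below are constructed for illustration; the script also assumes the sensor writes fast.log in UTC (fast.log carries no zone indicator, so a local-time sensor clock must be accounted for, which is itself a common cause of apparently wrong alert times).

```python
import re
from datetime import datetime, timezone

# fast.log line layout: timestamp  [**] [gid:sid:rev] msg [**] [Classification: ...]
# [Priority: n] {PROTO} src:port -> dst:port   (classification is optional)
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]*)\]\s+)?\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

# Assumption: the sensor clock is UTC. Change this if fast.log is written in local time.
SENSOR_TZ = timezone.utc

# Constructed sample alerts (SIDs and addresses are made up for this example).
SAMPLE_LINES = [
    "12/03/2015-16:26:13.104211  [**] [1:2100001:1] EXAMPLE constructed prompt alert [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:51234 -> 198.51.100.5:80",
    "this line is not a fast.log record and is skipped",
    "12/03/2015-16:41:50.000000  [**] [1:2100002:1] EXAMPLE constructed late alert [**] "
    "[Classification: Misc activity] [Priority: 3] {UDP} 192.0.2.11:5353 -> 198.51.100.6:53",
]

# Constructed reference time: when the other sensors saw the same traffic.
REFERENCE_TS = datetime(2015, 12, 3, 16, 26, 12, tzinfo=timezone.utc)


def parse_fast_log_line(line, tz=SENSOR_TZ):
    """Parse one fast.log line into a dict, or return None if it does not match."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%m/%d/%Y-%H:%M:%S.%f").replace(tzinfo=tz)
    return {
        "ts": ts,
        "sid": int(m.group("sid")),
        "msg": m.group("msg"),
        "proto": m.group("proto"),
        "src": m.group("src"),
        "dst": m.group("dst"),
    }


def timestamp_gaps(lines, reference, max_skew_s=5.0):
    """For each parsable alert, return (sid, gap_seconds, suspicious).

    gap_seconds is alert time minus the reference time; an alert whose
    absolute gap exceeds max_skew_s is flagged so it can be investigated.
    """
    results = []
    for line in lines:
        alert = parse_fast_log_line(line)
        if alert is None:
            continue
        gap = (alert["ts"] - reference).total_seconds()
        results.append((alert["sid"], gap, abs(gap) > max_skew_s))
    return results


if __name__ == "__main__":
    for sid, gap, suspicious in timestamp_gaps(SAMPLE_LINES, REFERENCE_TS):
        flag = "SUSPICIOUS" if suspicious else "ok"
        print(f"sid={sid} gap={gap:+.6f}s {flag}")
```

Run against a real fast.log by replacing SAMPLE_LINES with the file's lines and REFERENCE_TS with the time taken from the other sensors; alerts whose gap is flagged are the ones worth pairing with a single rule and a pcap, as the reply suggests.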