[Snort-devel] unified: ref_time inaccurate?

SRH-Lists giermo at ...2099...
Wed Mar 9 11:06:00 EST 2005


Background:
I am trying to build in some way (in sguil, btw) to correlate sfportscan
alerts with their associated open port alerts.  I know that the
event_ref of the open port event will be the event_id of the main
sfportscan event, but since this number resets on a snort restart, I may
get correlation of unrelated events.  No biggie, really, but I thought I
would be more thorough and look at the ref_time field.

My understanding of this field is that it should contain the "time" of
the original event, in secs (ref_time.tv_sec) or usecs
(ref_time.tv_usec).  However, the actual values in this field appear to
have no basis in any reality.

Example:
{event_id} {event_ref} {ref_time} {gen_id} {sid} {rev} {msg} {packet time}
Debug ref_time: 469828792
850 850 {1984-11-20 19:59:52} 122 17 0 {portscan: UDP Portscan} {2005-03-09 17:57:50}
Debug ref_time: 470023332
851 851 {1984-11-23 02:02:12} 1 2003 0 {MS-SQL Worm propagation attempt} {2005-03-09 18:03:30}
Debug ref_time: 470023332
852 852 {1984-11-23 02:02:12} 1 2050 0 {MS-SQL version overflow attempt} {2005-03-09 18:03:30}
Debug ref_time: 3485413720
853 853 {1944-05-07 04:00:24} 122 3 0 {portscan: TCP Portsweep} {2005-03-09 18:06:02}


Looking at detect.c:
        /* Note that ref_time is probably incorrect.
         * See OldUnifiedLogPacketAlert() for details. */
        logheader.event.ref_time.tv_sec = event->ref_time.tv_sec;
        logheader.event.ref_time.tv_usec = event->ref_time.tv_usec;

Well, I looked at OldUnifiedLogPacketAlert() and I don't see the
details.

So, I guess, my question is "Hey, what's up with ref_time?"

-steve
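The correlation problem the post describes (linking an open port event to its parent sfportscan event via event_ref, where event_id restarts from a low number after a Snort restart and ref_time may hold garbage) can be handled defensively on the consumer side. The following is an added example, not code from Snort or sguil: it works on a simplified record holding only the fields the post prints, does not parse the unified binary layout, treats the post's packet timestamps as UTC (an assumption), and uses a placeholder sid for the open port event. It flags ref_time values that are not plausibly close to the packet time (every row in the post fails this check), detects a restart when event_id goes backwards, and only uses ref_time to confirm or reject a link when the value is plausible.

```python
"""Plausibility check for unified ref_time and restart-aware
event_ref -> event_id correlation.  Added example; not Snort/sguil code."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    event_id: int
    event_ref: int
    ref_time_sec: int   # ref_time.tv_sec as it came out of the unified record
    gen_id: int
    sid: int
    msg: str
    pkt_time_sec: int   # packet timestamp, epoch seconds


def utc(s: str) -> int:
    """'YYYY-MM-DD HH:MM:SS' -> epoch seconds; treats the string as UTC
    (assumption: the post does not say which zone its timestamps are in)."""
    dt = datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def ref_time_plausible(ref_sec: int, pkt_sec: int, max_age: int = 24 * 3600) -> bool:
    """A real ref_time names an event at or before this packet and not
    absurdly long before it.  Values like 1984 or 1944 for 2005 traffic
    (the post's rows) are treated as garbage."""
    return pkt_sec - max_age <= ref_sec <= pkt_sec


def audit_ref_time(events: List[Event]) -> List[int]:
    """Return the event_ids whose ref_time fails the plausibility check."""
    return [ev.event_id for ev in events
            if not ref_time_plausible(ev.ref_time_sec, ev.pkt_time_sec)]


def correlate(events: List[Event]) -> Dict[Tuple[int, int], Optional[Tuple[int, int]]]:
    """Map each child event (event_ref != event_id) to its parent.

    Keys and values are (epoch, event_id).  epoch increments whenever
    event_id goes backwards, which is how a Snort restart shows up in a
    unified stream; a parent is only ever looked up inside the child's
    own epoch, so an old 850 cannot be matched by a post-restart child.
    When ref_time is plausible it must equal the parent's packet time,
    otherwise the link is rejected; when it is garbage it is ignored."""
    epoch, last_id = 0, None
    parents: Dict[Tuple[int, int], Event] = {}
    out: Dict[Tuple[int, int], Optional[Tuple[int, int]]] = {}
    for ev in events:
        if last_id is not None and ev.event_id < last_id:
            epoch += 1                      # event_id went backwards: restart
        last_id = ev.event_id
        key = (epoch, ev.event_id)
        if ev.event_ref == ev.event_id:     # primary event
            parents[key] = ev
            continue
        parent = parents.get((epoch, ev.event_ref))
        if (parent is not None
                and ref_time_plausible(ev.ref_time_sec, ev.pkt_time_sec)
                and ev.ref_time_sec != parent.pkt_time_sec):
            parent = None                   # sane ref_time that disagrees: distrust
        out[key] = (epoch, parent.event_id) if parent else None
    return out


# The four rows printed in the post (all primaries); ref_time values as shown.
POST_EVENTS = [
    Event(850, 850, 469828792, 122, 17, "portscan: UDP Portscan", utc("2005-03-09 17:57:50")),
    Event(851, 851, 470023332, 1, 2003, "MS-SQL Worm propagation attempt", utc("2005-03-09 18:03:30")),
    Event(852, 852, 470023332, 1, 2050, "MS-SQL version overflow attempt", utc("2005-03-09 18:03:30")),
    Event(853, 853, 3485413720, 122, 3, "portscan: TCP Portsweep", utc("2005-03-09 18:06:02")),
]

# Constructed stream with child events and a restart (sid 0 is a placeholder).
T0, T1 = utc("2005-03-09 17:57:50"), utc("2005-03-09 18:06:02")
SAMPLE = [
    Event(850, 850, 469828792, 122, 17, "portscan: UDP Portscan", T0),
    Event(851, 850, 469828792, 122, 0, "portscan: Open Port", T0 + 1),   # garbage ref_time
    Event(1, 1, 3485413720, 122, 3, "portscan: TCP Portsweep", T1),      # id reset: restart
    Event(2, 1, 3485413720, 122, 0, "portscan: Open Port", T1 + 1),      # garbage ref_time
    Event(3, 850, 3485413720, 122, 0, "portscan: Open Port", T1 + 2),    # stale ref across restart
    Event(4, 1, T1, 122, 0, "portscan: Open Port", T1 + 3),              # sane ref_time, matches
    Event(5, 1, T1 - 600, 122, 0, "portscan: Open Port", T1 + 4),        # sane ref_time, mismatch
]

if __name__ == "__main__":
    print("implausible ref_time on:", audit_ref_time(POST_EVENTS))
    for child, parent in correlate(SAMPLE).items():
        print(child, "->", parent)
```

Running it lists all four of the post's events under "implausible ref_time", links (0, 851) to (0, 850) and (1, 2) and (1, 4) to (1, 1), and leaves (1, 3) and (1, 5) unlinked. In a sguil-style consumer the epoch could be replaced by the sensor's start time if that is recorded, which is a more robust restart marker than watching event_id go backwards.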