[Snort-devel] different timestamps in unified and unified2

Gregory S Thomas greg.thomas at ...15...
Fri Mar 6 16:30:30 EST 2009


While testing some new code that processes unified2 alerts from snort, we noticed that the timestamps for the alerts from reassembled packets differed slightly between unified and unified2.  I poked around the source code for snort-2.8.3.2 and found an interesting difference.

In RealUnifiedLogAlert() in src/output-plugins/spo_unified.c:

        alertdata.ts.tv_sec = (u_int32_t)p->pkth->ts.tv_sec;
        alertdata.ts.tv_usec = (u_int32_t)p->pkth->ts.tv_usec;

        if((p->packet_flags & PKT_REBUILT_STREAM) && stream_api)
        {
            DEBUG_WRAP(DebugMessage(DEBUG_LOG, "man:Logging rebuilt stream data.\n"););

            stream_api->traverse_reassembled(p, UnifiedFirstPacketCallback, &alertdata);

        }

In _AlertIP4() in src/output-plugins/spo_unified2.c:

        alertdata.event_second = htonl(event->ref_time.tv_sec);
        alertdata.event_microsecond = htonl(event->ref_time.tv_usec);

        if((p->packet_flags & PKT_REBUILT_STREAM) && stream_api)
        {
            DEBUG_WRAP(DebugMessage(DEBUG_LOG, "man:Logging rebuilt stream data.\n"););
            /*stream_api->traverse_reassembled(p, Unified2FirstPacketCallback, &alertdata);*/
        }

The UnifiedFirstPacketCallback() and Unified2FirstPacketCallback() functions both reset the timestamp in the alertdata struct to the timestamp of each packet in the stream.  Since the call to Unified2FirstPacketCallback() via stream_api->traverse_reassembled() is commented out, though, the timestamp of the unified2 alert is never updated.

Why is this line in spo_unified2.c commented out?  In snort-2.8.4.rc1, it's fixed.

Thanks,

-- greg
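Added example, not part of the original message and not Snort's code: a small C model of the two code paths quoted above, showing why the unified and unified2 alert timestamps diverge for a rebuilt stream when the traverse_reassembled() call is commented out. All names ending in `_model`, the `PKT_REBUILT_STREAM` bit value, the three-segment sample stream and the choice to stop the traversal after the first segment are assumptions made for illustration; both paths start from the packet header timestamp here, ignoring the `event->ref_time` source and `htonl()` byte-swapping that the real unified2 plugin uses.

```c
/*
 * Added example (not Snort's code): a minimal model of how the unified and
 * unified2 output plugins derive an alert timestamp for a packet rebuilt by
 * stream reassembly, and why they disagree when the traverse_reassembled()
 * call in spo_unified2.c is commented out.  Everything suffixed "_model"
 * and the sample stream are constructed for illustration; only the control
 * flow follows the quoted snippets.
 */
#include <stdint.h>
#include <stdio.h>

#define PKT_REBUILT_STREAM 0x01   /* illustrative bit value, not Snort's */

struct ts_model { uint32_t tv_sec; uint32_t tv_usec; };

/* The original segments that were reassembled into the pseudo-packet. */
struct stream_model {
    const struct ts_model *seg_ts;
    size_t nsegs;
};

struct packet_model {
    struct ts_model pkth_ts;            /* stands in for p->pkth->ts */
    uint32_t packet_flags;
    const struct stream_model *stream;  /* non-NULL only for rebuilt packets */
};

typedef int (*seg_cb_model)(const struct ts_model *seg_ts, void *userdata);

/* Stand-in for stream_api->traverse_reassembled(): visit each original
 * segment in order, stopping as soon as the callback returns nonzero. */
static void traverse_reassembled_model(const struct packet_model *p,
                                       seg_cb_model cb, void *userdata)
{
    size_t i;
    if (p->stream == NULL)
        return;
    for (i = 0; i < p->stream->nsegs; i++)
        if (cb(&p->stream->seg_ts[i], userdata) != 0)
            break;
}

/* Stand-in for UnifiedFirstPacketCallback()/Unified2FirstPacketCallback():
 * overwrite the alert timestamp with this segment's timestamp.  Returning
 * nonzero after the first segment leaves the alert carrying the timestamp
 * of the first packet in the stream (an assumption about the callbacks'
 * intent, consistent with their names). */
static int first_packet_cb_model(const struct ts_model *seg_ts, void *userdata)
{
    struct ts_model *alert_ts = (struct ts_model *)userdata;
    *alert_ts = *seg_ts;
    return 1;
}

/* Mirrors RealUnifiedLogAlert(): start from the pseudo-packet's timestamp,
 * then let the callback replace it for rebuilt streams. */
struct ts_model unified_alert_ts_model(const struct packet_model *p)
{
    struct ts_model ts = p->pkth_ts;
    if (p->packet_flags & PKT_REBUILT_STREAM)
        traverse_reassembled_model(p, first_packet_cb_model, &ts);
    return ts;
}

/* Mirrors _AlertIP4(): same start, but the traversal only runs when
 * traverse_enabled is set, i.e. when the commented-out line is restored. */
struct ts_model unified2_alert_ts_model(const struct packet_model *p,
                                        int traverse_enabled)
{
    struct ts_model ts = p->pkth_ts;
    if ((p->packet_flags & PKT_REBUILT_STREAM) && traverse_enabled)
        traverse_reassembled_model(p, first_packet_cb_model, &ts);
    return ts;
}

/* Constructed sample: three TCP segments 150 ms apart; the rebuilt
 * pseudo-packet inherits the timestamp of the segment that flushed it. */
static const struct ts_model sample_segs[] = {
    { 1236367830u, 100000u },
    { 1236367830u, 250000u },
    { 1236367830u, 400000u },
};
static const struct stream_model sample_stream = { sample_segs, 3 };
static const struct packet_model sample_rebuilt = {
    { 1236367830u, 400000u }, PKT_REBUILT_STREAM, &sample_stream
};

/* Signed difference (unified2 minus unified) in microseconds for the sample. */
int64_t sample_delta_usec_model(int unified2_traverse_enabled)
{
    struct ts_model a = unified_alert_ts_model(&sample_rebuilt);
    struct ts_model b = unified2_alert_ts_model(&sample_rebuilt,
                                                unified2_traverse_enabled);
    return ((int64_t)b.tv_sec - a.tv_sec) * 1000000
         + ((int64_t)b.tv_usec - a.tv_usec);
}

int main(void)
{
    printf("unified2 minus unified, traversal commented out: %lld us\n",
           (long long)sample_delta_usec_model(0));
    printf("unified2 minus unified, traversal restored:      %lld us\n",
           (long long)sample_delta_usec_model(1));
    return 0;
}
```

With the traversal disabled the unified2 alert keeps the pseudo-packet's own timestamp (that of the last segment in this sample), while the unified alert has been moved back to the first segment, which is the kind of small offset described in the message; restoring the traversal makes the two agree.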
