[Snort-devel] Snort Timestamps Out of Sequence

Joel Esler (jesler) jesler at cisco.com
Wed Apr 17 06:59:16 EDT 2019


Is that “out of order” alert a reassembled pseudo-packet? You’d need to look at the packets in the alerts themselves to determine that. (Not csv, but you could look at something like “-A cmg” to help diagnose this)


> On Apr 17, 2019, at 06:56, ROTNEMER, ALAN H via Snort-devel <snort-devel at lists.snort.org> wrote:
> 
> We have run Snort where we send it packets that are in timestamp order. However, the alerts will occasionally come back out of sequence to our application.
> By turning on “output alert”, we can see from the log file that alerts can be delayed. For example, we ran snort as:
>  
> /opt/capture/bin/snort -c /opt/capture/conf/snort/etc/snort.conf -i lo -S OUT_FILE=/data/working/snort/proc/99_99 -N -q &
>  
> And in /opt/capture/conf/snort/etc/snort.conf we had the line:
>  
> output alert_csv: /tmp/snortf1.csv timestamp,msg,src,srcport,dst,dstport
>  
> The CSV log file had several instances similar to this (for business reasons the exact rule texts were redacted):
>  
> 04/16-02:11:06.572717 ,"Rule Type 1 Protocol Outbound Traffic",154.45.216.145,1098,99.99.37.223,51413
> 04/16-02:11:06.606885 ,"Rule Type 1 Protocol Outbound Traffic",182.72.124.202,25283,108.228.86.35,6881
> 04/16-02:11:06.609897 ,"Rule Type 1 Protocol Outbound Traffic",94.254.163.20,19973,99.127.74.163,9836
> 04/16-02:11:06.615137 ,"Rule Type 1 Protocol Outbound Traffic",185.39.113.72,44143,75.35.93.63,6881
> 04/16-01:56:08.636576 ,"Another Rule2 #2",216.68.181.150,65381,12.96.144.101,80
> 04/16-02:11:06.667118 ,"Rule Type 1 Protocol Outbound Traffic",178.254.221.60,8073,99.138.149.126,52241
> 04/16-02:11:06.673093 ,"Rule Type 1 Protocol Outbound Traffic",196.64.27.94,16119,71.128.163.20,6881
> 04/16-02:11:06.676153 ,"Rule Type 3",61.220.63.0,6520,98.67.182.104,123
>  
> The alert for timestamp 01:56:08 appears 15 minutes behind the ones preceding it. The original packet has the correct timestamp. I should note that this is a very busy system with multiple packets per second being generated. The user-generated rules file has about 23,000 rules.
>  
> Can I get an explanation as to how snort is processing individual packets going through the rules? I would expect to see the alerts come back in the same sequence they went in.
>  
> Thank you for any assistance. If more information is needed please let me know.
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.snort.org
> https://lists.snort.org/mailman/listinfo/snort-devel
> 
> Please visit http://blog.snort.org for the latest news about Snort!
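The poster spotted the late alert by eye in an eight-line excerpt; on a busy sensor you want the check scripted. The following is an added example, not code from the thread or from the Snort project: it parses the `alert_csv` column layout configured in the quoted snort.conf (`timestamp,msg,src,srcport,dst,dstport`), and flags every alert whose timestamp falls behind the latest timestamp already seen, reporting how far behind it is. The sample input is the excerpt quoted above. Snort's `alert_csv` timestamp carries no year, so the year is supplied as a parameter (2019 here, from the thread date, an assumption). Such a lag only tells you the alert's stamp is older than the surrounding stream of alerts; whether it was raised on a reassembled pseudo-packet, as Joel asks, still has to be confirmed from the packet itself.

```python
import csv
import io
from datetime import datetime

# Sample alert_csv output, copied from the quoted message (rule text redacted by the poster).
SAMPLE_CSV = """\
04/16-02:11:06.572717 ,"Rule Type 1 Protocol Outbound Traffic",154.45.216.145,1098,99.99.37.223,51413
04/16-02:11:06.606885 ,"Rule Type 1 Protocol Outbound Traffic",182.72.124.202,25283,108.228.86.35,6881
04/16-02:11:06.609897 ,"Rule Type 1 Protocol Outbound Traffic",94.254.163.20,19973,99.127.74.163,9836
04/16-02:11:06.615137 ,"Rule Type 1 Protocol Outbound Traffic",185.39.113.72,44143,75.35.93.63,6881
04/16-01:56:08.636576 ,"Another Rule2 #2",216.68.181.150,65381,12.96.144.101,80
04/16-02:11:06.667118 ,"Rule Type 1 Protocol Outbound Traffic",178.254.221.60,8073,99.138.149.126,52241
04/16-02:11:06.673093 ,"Rule Type 1 Protocol Outbound Traffic",196.64.27.94,16119,71.128.163.20,6881
04/16-02:11:06.676153 ,"Rule Type 3",61.220.63.0,6520,98.67.182.104,123
"""

# Column order as configured by the "output alert_csv:" line in the quoted snort.conf.
FIELDS = ["timestamp", "msg", "src", "srcport", "dst", "dstport"]


def parse_snort_timestamp(ts, year=2019):
    """Parse Snort's MM/DD-HH:MM:SS.micros stamp; the year is not logged, so it is assumed."""
    return datetime.strptime(f"{year}/{ts.strip()}", "%Y/%m/%d-%H:%M:%S.%f")


def parse_alerts(text, year=2019):
    """Turn alert_csv text into a list of dicts with a parsed 'time' field, in file order."""
    alerts = []
    for record in csv.reader(io.StringIO(text)):
        if not record:
            continue  # skip blank lines
        alert = dict(zip(FIELDS, record))
        alert["time"] = parse_snort_timestamp(alert["timestamp"], year)
        alerts.append(alert)
    return alerts


def find_out_of_sequence(alerts):
    """Return (index, lag_seconds, alert) for each alert stamped earlier than the
    latest timestamp seen before it. The high-water mark only advances on in-order
    alerts, so one very late alert does not hide later ones."""
    late = []
    high_water = None
    for index, alert in enumerate(alerts):
        if high_water is not None and alert["time"] < high_water:
            lag = (high_water - alert["time"]).total_seconds()
            late.append((index, lag, alert))
        else:
            high_water = alert["time"]
    return late


if __name__ == "__main__":
    for index, lag, alert in find_out_of_sequence(parse_alerts(SAMPLE_CSV)):
        print(f"line {index + 1}: {alert['msg']!r} is {lag:.6f}s behind the latest alert "
              f"({alert['src']}:{alert['srcport']} -> {alert['dst']}:{alert['dstport']})")
```

Run it against a real `alert_csv` file by passing the file contents to `parse_alerts`; if the CSV spans New Year's Eve, pass the correct year per line or the lag will be wrong across the boundary.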

