We have run Snort where we send it packets that are in timestamp order. However, the alerts will occasionally come back out of sequence to our application.
By turning on “output alert”, we can see from the log file that alerts can be delayed. For example, we ran snort as:
/opt/capture/bin/snort -c /opt/capture/conf/snort/etc/snort.conf -i lo -S OUT_FILE=/data/working/snort/proc/99_99 -N -q &
And in /opt/capture/conf/snort/etc/snort.conf we had the line:
output alert_csv: /tmp/snortf1.csv timestamp,msg,src,srcport,dst,dstport
The CSV log file had several instances similar to this (for business reasons the exact rule texts were redacted):
04/16-02:11:06.572717 ,"Rule Type 1 Protocol Outbound Traffic",220.127.116.11,1098,18.104.22.168,51413
04/16-02:11:06.606885 ,"Rule Type 1 Protocol Outbound Traffic",22.214.171.124,25283,126.96.36.199,6881
04/16-02:11:06.609897 ,"Rule Type 1 Protocol Outbound Traffic",188.8.131.52,19973,184.108.40.206,9836
04/16-02:11:06.615137 ,"Rule Type 1 Protocol Outbound Traffic",220.127.116.11,44143,18.104.22.168,6881
04/16-01:56:08.636576 ,"Another Rule2 #2",22.214.171.124,65381,126.96.36.199,80
04/16-02:11:06.667118 ,"Rule Type 1 Protocol Outbound Traffic",188.8.131.52,8073,184.108.40.206,52241
04/16-02:11:06.673093 ,"Rule Type 1 Protocol Outbound Traffic",220.127.116.11,16119,18.104.22.168,6881
04/16-02:11:06.676153 ,"Rule Type 3",22.214.171.124,6520,126.96.36.199,123
The alert for timestamp 01:56:08 appears 15 minutes behind the ones preceding it. The original packet has the correct timestamp. I should note that this is a very busy system with multiple packets per second being generated. The user-generated rules file has about 23,000 rules.
Can I get an explanation as to how snort is processing individual packets going through the rules? I would expect to see the alerts come back in the same sequence they went in.
Thank you for any assistance. If more information is needed please let me know.
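For anyone reproducing this, the following script is an added example (not part of the original post or of Snort itself) that reads an alert_csv log in the field order configured above (timestamp,msg,src,srcport,dst,dstport) and reports every alert whose timestamp is earlier than the newest timestamp already written, together with how far behind it is. The sample records are the ones quoted in the post; the assumption that one log file does not span a year boundary is needed because the alert_csv timestamp carries no year.

```python
"""Flag Snort alert_csv records written out of timestamp order.

Assumed field order (from the snort.conf line in the post):
    output alert_csv: <file> timestamp,msg,src,srcport,dst,dstport
"""
import csv
from datetime import datetime

# Sample records copied from the post (rule text already redacted by its author).
SAMPLE_LOG = """\
04/16-02:11:06.572717 ,"Rule Type 1 Protocol Outbound Traffic",220.127.116.11,1098,18.104.22.168,51413
04/16-02:11:06.606885 ,"Rule Type 1 Protocol Outbound Traffic",22.214.171.124,25283,126.96.36.199,6881
04/16-02:11:06.609897 ,"Rule Type 1 Protocol Outbound Traffic",188.8.131.52,19973,184.108.40.206,9836
04/16-02:11:06.615137 ,"Rule Type 1 Protocol Outbound Traffic",220.127.116.11,44143,18.104.22.168,6881
04/16-01:56:08.636576 ,"Another Rule2 #2",22.214.171.124,65381,126.96.36.199,80
04/16-02:11:06.667118 ,"Rule Type 1 Protocol Outbound Traffic",188.8.131.52,8073,184.108.40.206,52241
04/16-02:11:06.673093 ,"Rule Type 1 Protocol Outbound Traffic",220.127.116.11,16119,18.104.22.168,6881
04/16-02:11:06.676153 ,"Rule Type 3",22.214.171.124,6520,126.96.36.199,123
"""

FIELDS = ("timestamp", "msg", "src", "srcport", "dst", "dstport")
# alert_csv timestamps have no year; assumption: a single log file stays within one year,
# so strptime's default year is harmless for comparing records against each other.
TS_FORMAT = "%m/%d-%H:%M:%S.%f"


def parse_alerts(lines):
    """Yield one dict per CSV record, with the timestamp converted to a datetime.

    The csv module handles the quoted msg field (which may itself contain commas);
    Snort pads the timestamp with a trailing space, hence the strip().
    """
    for row in csv.reader(lines):
        if not row:
            continue  # skip blank lines
        rec = dict(zip(FIELDS, row))
        rec["timestamp"] = datetime.strptime(rec["timestamp"].strip(), TS_FORMAT)
        yield rec


def find_out_of_order(lines):
    """Return a list of (record_no, lag_seconds, record) for every alert whose
    timestamp is earlier than the newest timestamp written before it.

    record_no is 1-based and counts non-blank CSV records.
    """
    latest = None
    late = []
    for record_no, rec in enumerate(parse_alerts(lines), start=1):
        ts = rec["timestamp"]
        if latest is not None and ts < latest:
            # This alert was written after a newer one: report the gap, but keep
            # 'latest' unchanged so later records are judged against the true high-water mark.
            late.append((record_no, (latest - ts).total_seconds(), rec))
        else:
            latest = ts
    return late


if __name__ == "__main__":
    for record_no, lag, rec in find_out_of_order(SAMPLE_LOG.splitlines()):
        print(
            f"record {record_no}: {rec['msg']!r} "
            f"{rec['src']}:{rec['srcport']} -> {rec['dst']}:{rec['dstport']} "
            f"is {lag:.6f}s behind the newest alert already written"
        )
```

Pointing `find_out_of_order` at the real file (`open('/tmp/snortf1.csv')`) gives the same report over a whole run, which makes it easy to see whether the late alerts cluster on particular rules or flows rather than appearing at random.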