Hello,

Did anyone find the cause of this issue? I might have the same issue.

Startup command:

snort --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf -l /var/log/snort/instance-1 --daq-dir=/usr/local/lib/daq --daq pfring_zc --daq-mode passive -i zc:0@2 --daq-var clusterid=0 --daq-var bindcpu=2

Version:

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.12 GRE (Build 325)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.8.1
           Using PCRE version: 8.32 2012-11-30
           Using ZLIB version: 1.2.7

I use pf_ring zc behind a fiber tap.

Bro is running on a second copy of the same packets, and is properly adding timestamps to all registered connections / packets.


Jan Hugo Prins



On 7/3/17 4:58 PM, Dimz via Snort-users wrote:
Hi,

I created an autostart script:
/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -Q -D -m 120

This is the snort version:
dimz@ubuntu:/var/log/snort$ snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.9.0 GRE (Build 56)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.7.4
           Using PCRE version: 8.40 2017-01-11
           Using ZLIB version: 1.2.8

Thanks,

-Dimz-



On Monday, July 3, 2017, 9:52:52 PM GMT+7, Al Lewis (allewi) <allewi@cisco.com> wrote:


Hello,

What command are you using to start snort?

What version of snort are you using?

Albert Lewis

ENGINEER.SOFTWARE ENGINEERING

SOURCEfire, Inc. now part of Cisco

Email: allewi@cisco.com 


From: Snort-users <snort-users-bounces@lists.snort.org> on behalf of Dimz via Snort-users <snort-users@lists.snort.org>
Reply-To: Dimz <dimas_forever@yahoo.com>
Date: Monday, July 3, 2017 at 6:57 AM
To: "snort-users@lists.snort.org" <snort-users@lists.snort.org>
Subject: [Snort-users] Snort Alert is Not Producing Any Timestamp

Hi Everybody,

I installed Snort 2.9 on Ubuntu Server 16.04 on my VM. I installed Snort inline using NFQ, following this guide: http://sublimerobots.com/2017/06/snort-ips-with-nfq-routing-on-ubuntu/

The installation and the routing are successful: the Ubuntu machine can forward packets and Snort can detect traffic. The only problem is that the generated alerts have no timestamp.

Attached is the snort --daq-list
dimz@ubuntu:/var/log/snort$ snort --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
nfq(v7): live inline multi
ipfw(v3): live inline multi unpriv
dump(v3): readback live inline multi unpriv
afpacket(v5): live inline multi unpriv
 

The snort.conf:
config daq: nfq
config daq_dir: /usr/local/lib/daq
config daq_mode: inline
config daq_var: queue=4 


The iptables:
dimz@ubuntu:/var/log/snort$ sudo iptables -vL
Chain INPUT (policy ACCEPT 2149 packets, 164K bytes)
pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
   16  1514 NFQUEUE    all  --  any    any     anywhere             anywhere             NFQUEUE num 4 bypass

Chain OUTPUT (policy ACCEPT 2046 packets, 173K bytes)
pkts bytes target     prot opt in     out     source               destination 


The NAT iptables (for port forwarding a web server behind Snort machine):
dimz@ubuntu:/var/log/snort$ sudo iptables -vL -t nat
Chain PREROUTING (policy ACCEPT 61 packets, 5536 bytes)
pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  any    any     anywhere             anywhere             tcp dpt:http-alt to:192.168.2.103:8080

Chain INPUT (policy ACCEPT 10 packets, 1888 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 484 packets, 30252 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 485 packets, 30336 bytes)
pkts bytes target     prot opt in     out     source               destination
    2   202 MASQUERADE  all  --  any    ens33   anywhere             anywhere 


The server epoch time:
dimz@ubuntu:/var/log/snort$ date +'%s'
1499079069


Result from tcpdump (the timestamp is correct):
dimz@ubuntu:/var/log/snort$ sudo tcpdump -i ens33 dst host 192.168.2.103
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
17:51:58.297893 IP 192.168.174.129 > 192.168.2.103: ICMP echo request, id 2379, seq 1, length 64
17:51:59.300042 IP 192.168.174.129 > 192.168.2.103: ICMP echo request, id 2379, seq 2, length 64
17:52:00.304461 IP 192.168.174.129 > 192.168.2.103: ICMP echo request, id 2379, seq 3, length 64
17:52:01.305757 IP 192.168.174.129 > 192.168.2.103: ICMP echo request, id 2379, seq 4, length 64 


I output my Snort alerts into 2 outputs: alert.full and snort.u2. Here is the output from alert.full (I created a simple Ping Detection Rule):
dimz@ubuntu:/var/log/snort$ tail -f alert.full
01/01-07:00:00.000000 192.168.174.129 -> 192.168.2.103
ICMP TTL:63 TOS:0x0 ID:17418 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:2379   Seq:3  ECHO

[**] [1:10000001:1] ICMP Test Detected [**]
[Classification: Generic ICMP event] [Priority: 3]
01/01-07:00:00.000000 192.168.174.129 -> 192.168.2.103
ICMP TTL:63 TOS:0x0 ID:17470 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:2379   Seq:4  ECHO 


Here is the output from snort.u2:
(Event)
        sensor id: 0    event id: 7     event second: 0 event microsecond: 0
        sig id: 10000001        gen id: 1       revision: 1      classification: 31
        priority: 3     ip source: 192.168.174.129      ip destination: 192.168.2.103
        src port: 8     dest port: 0    protocol: 1     impact_flag: 0  blocked: 0

Packet
        sensor id: 0    event id: 7     event second: 0
        packet second: 0        packet microsecond: 0
        linktype: 228   packet_length: 84
[    0] 45 00 00 54 44 3E 40 00 3F 01 C5 31 C0 A8 AE 81  E..TD>@.?..1....
[   16] C0 A8 02 67 08 00 2E 91 09 4B 00 04 6E 21 5A 59  ...g.....K..n!ZY
[   32] 00 00 00 00 33 D2 05 00 00 00 00 00 10 11 12 13  ....3...........
[   48] 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23  ............ !"#
[   64] 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33  $%&'()*+,-./0123
[   80] 34 35 36 37                                      4567 



Why is the timestamp not detected???

Need help please.
I have been dealing with this issue for days, and I have been doing intensive Google searches to find a similar issue, but still no luck.

Thank you very much.

-Dimz-

_______________________________________________
Snort-users mailing list
Snort-users@lists.snort.org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
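As an added example (not part of this thread and not Snort project code), the following Python script reads a unified2 file the way u2spewfoo does and flags events whose event second and event microsecond are both zero, which is the symptom shown in the snort.u2 dump above. The record layouts assume the Unified2IDSEvent_legacy (type 7) and packet (type 2) structures from Snort's Unified2_common.h; the sample file is constructed in memory from the field values and the 84-byte hex dump in the post rather than read from disk. As a second check, it decodes the sender's own clock from the ICMP echo payload, assuming the pinging host was an x86_64 Linux box running iputils ping, which stores a native 16-byte struct timeval at the start of its payload.

```python
import struct
import ipaddress

# Record types from Snort's unified2 format (Unified2_common.h).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7                        # Unified2IDSEvent_legacy, 52 bytes

_HDR = struct.Struct(">II")                   # Serial_Unified2_Header: type, length
_EVENT = struct.Struct(">IIIIIIIIIIIHHBBBB")  # 11 x u32, 2 x u16, 4 x u8 = 52 bytes
_PACKET = struct.Struct(">IIIIIII")           # 28-byte packet header, then raw packet

# Constructed sample: the 84-byte ICMP echo request from the snort.u2 dump in the post.
SAMPLE_PACKET = bytes.fromhex(
    "45 00 00 54 44 3E 40 00 3F 01 C5 31 C0 A8 AE 81 "
    "C0 A8 02 67 08 00 2E 91 09 4B 00 04 6E 21 5A 59 "
    "00 00 00 00 33 D2 05 00 00 00 00 00 10 11 12 13 "
    "14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 "
    "24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 "
    "34 35 36 37"
)


def build_sample_u2() -> bytes:
    """Assemble an in-memory unified2 stream with the event/packet values from the post."""
    event = _EVENT.pack(0, 7, 0, 0, 10000001, 1, 1, 31, 3,
                        int(ipaddress.IPv4Address("192.168.174.129")),
                        int(ipaddress.IPv4Address("192.168.2.103")),
                        8, 0, 1, 0, 0, 0)
    pkt_hdr = _PACKET.pack(0, 7, 0, 0, 0, 228, len(SAMPLE_PACKET))   # linktype 228 = raw IPv4
    return (_HDR.pack(UNIFIED2_IDS_EVENT, len(event)) + event
            + _HDR.pack(UNIFIED2_PACKET, len(pkt_hdr) + len(SAMPLE_PACKET))
            + pkt_hdr + SAMPLE_PACKET)


def parse_unified2(blob: bytes) -> list:
    """Walk a unified2 byte stream and return one dict per record."""
    records, off = [], 0
    while off + _HDR.size <= len(blob):
        rtype, rlen = _HDR.unpack_from(blob, off)
        body = blob[off + _HDR.size: off + _HDR.size + rlen]
        if len(body) < rlen:
            raise ValueError(f"truncated record at offset {off}")
        if rtype == UNIFIED2_IDS_EVENT:
            f = _EVENT.unpack(body[:_EVENT.size])
            records.append({
                "type": "event", "sensor_id": f[0], "event_id": f[1],
                "event_second": f[2], "event_microsecond": f[3],
                "sig_id": f[4], "gen_id": f[5], "revision": f[6],
                "classification": f[7], "priority": f[8],
                "src": str(ipaddress.IPv4Address(f[9])),
                "dst": str(ipaddress.IPv4Address(f[10])),
                "sport_itype": f[11], "dport_icode": f[12], "protocol": f[13],
                "impact_flag": f[14], "impact": f[15], "blocked": f[16],
            })
        elif rtype == UNIFIED2_PACKET:
            f = _PACKET.unpack(body[:_PACKET.size])
            records.append({
                "type": "packet", "sensor_id": f[0], "event_id": f[1],
                "event_second": f[2], "packet_second": f[3],
                "packet_microsecond": f[4], "linktype": f[5],
                "packet_length": f[6],
                "data": body[_PACKET.size:_PACKET.size + f[6]],
            })
        else:
            # Other record types (e.g. 104, IDS event with VLAN/MPLS) are not decoded here.
            records.append({"type": f"unknown({rtype})", "raw": body})
        off += _HDR.size + rlen
    return records


def zero_timestamp_events(records: list) -> list:
    """Event ids whose event second/microsecond are both zero (the symptom in the post)."""
    return [r["event_id"] for r in records
            if r["type"] == "event" and r["event_second"] == 0 and r["event_microsecond"] == 0]


def icmp_echo_timeval(ipv4: bytes):
    """(tv_sec, tv_usec) from the start of an ICMP echo payload, or None.
    Assumption: x86_64 Linux iputils ping sender, little-endian 2 x 8-byte timeval."""
    ihl = (ipv4[0] & 0x0F) * 4
    if ipv4[9] != 1:                       # IP protocol 1 = ICMP
        return None
    icmp = ipv4[ihl:]
    if icmp[0] != 8 or len(icmp) < 8 + 16:  # echo request with room for a timeval
        return None
    return struct.unpack_from("<QQ", icmp, 8)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_u2()
    recs = parse_unified2(blob)
    for r in recs:
        if r["type"] == "event":
            print(f"event {r['event_id']}: sig {r['gen_id']}:{r['sig_id']}:{r['revision']} "
                  f"{r['src']} -> {r['dst']} second={r['event_second']}")
        elif r["type"] == "packet":
            print(f"packet for event {r['event_id']}: {r['packet_length']} bytes, "
                  f"sender timeval={icmp_echo_timeval(r['data'])}")
    print("events with zero timestamp:", zero_timestamp_events(recs))
```

Run it with no arguments to parse the constructed sample, or pass a real snort.u2 path. On the sample it reports event 7 as having a zero timestamp while the echo payload itself carries the sender's clock (1499079022 s, 47 seconds before the `date +'%s'` output in the post), which confirms the packet bytes reached the output plugin intact and the zero is being written at the event-timestamping stage rather than by packet corruption. Newer Snort builds emit type 104 event records, which this script lists as unknown rather than decoding.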