Snort mailing list archives

Re: Snort Timestamps Out of Sequence


From: "ROTNEMER, ALAN H via Snort-devel" <snort-devel () lists snort org>
Date: Mon, 6 May 2019 13:16:32 +0000

Hello again,
Here is another example (I redacted some of the rules and IP addresses):

I ran Snort with the “-dev” option to produce a dump file.

Here is an instance where the time in the alert goes “backwards” by 441 seconds (over 7 minutes – Snort sent the alert 
over 7 minutes AFTER it received the packet)
04/22-20:58:47.112168 ,"Our rule #1",10.34.144.102,54154,10.1.33.166,53
04/22-20:51:26.838234 ,"Our rule #2",10.68.181.150,65381,10.96.144.101,80
(The alerts following the one above had timestamps of 20:58, so it is clear that the one from 20:51 was delayed for 7 
minutes.)

The packet at 04/22-20:51:26.838234, from the Snort Dump File, has this:

04/22-20:51:26.838234 00:24:DC:C6:6C:AC -> 00:90:69:FE:00:80 type:0x8100 len:0x170
10.68.181.150:65381 -> 10.96.144.101:80 TCP TTL:116 TOS:0x28 ID:13734 IpLen:20 DgmLen:350 DF
***AP*** Seq: 0x3336D25A  Ack: 0xF5F25254  Win: 0x40BF  TcpLen: 20
50 4F 53 54 20 2F 53 4D 53 5F 53 65 72 76 69 63  POST /SMS_Servic
65 2F 53 65 72 76 69 63 65 31 2E 61 73 6D 78 20  e/Service1.asmx
48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41  HTTP/1.1..User-A
67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 34 2E  gent: Mozilla/4.
30 20 28 63 6F 6D 70 61 74 69 62 6C 65 3B 20 4D  0 (compatible; M
53 49 45 20 36 2E 30 3B 20 4D 53 20 57 65 62 20  SIE 6.0; MS Web
53 65 72 76 69 63 65 73 20 43 6C 69 65 6E 74 20  Services Client
50 72 6F 74 6F 63 6F 6C 20 32 2E 30 2E 35 30 37  Protocol 2.0.507
32 37 2E 35 34 38 35 29 0D 0A 43 6F 6E 74 65 6E  27.5485)..Conten
74 2D 54 79 70 65 3A 20 74 65 78 74 2F 78 6D 6C  t-Type: text/xml
3B 20 63 68 61 72 73 65 74 3D 75 74 66 2D 38 0D  ; charset=utf-8.
0A 53 4F 41 50 41 63 74 69 6F 6E 3A 20 22 68 74  .SOAPAction: "ht
74 70 3A 2F 2F 77 77 77 2E 64 61 74 61 63 61 73  tp://www.datacas
68 72 65 67 2E 63 6F 6D 2F 55 70 6C 6F 61 64 57  hreg.com/UploadW
61 74 63 68 65 64 46 69 6C 65 22 0D 0A 48 6F 73  atchedFile"..Hos
74 3A 20 77 77 77 2E 64 61 74 61 63 61 73 68 72  t: www.datacashr
65 67 2E 6E 65 74 0D 0A 43 6F 6E 74 65 6E 74 2D  eg.net..Content-
4C 65 6E 67 74 68 3A 20 31 30 31 38 0D 0A 45 78  Length: 1018..Ex
70 65 63 74 3A 20 31 30 30 2D 63 6F 6E 74 69 6E  pect: 100-contin
75 65 0D 0A 0D 0A                                ue....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

The surrounding packets in the dump file had timestamps that were within the same second as the one above. In fact, in 
the dump file there was never a “backward” movement of time stamps.

The rule that triggered this appears to be:

alert tcp any any -> any any (msg:"Our Rule #2"; content:"POST "; depth:5; content:"=="; distance: 0; 
pcre:"/\r\n\r\n.*?==[^&]+==/"; sid:815032303;)


Is there some explanation as to why the alert took over 7 minutes to publish? Could Snort be waiting on anything in 
order to complete the alert?

Thanks.


From: Joel Esler (jesler) <jesler () cisco com>
Sent: Wednesday, April 17, 2019 6:59 AM
To: ROTNEMER, ALAN H <ar435f () att com>
Cc: snort-devel () lists snort org; SMYTH, CATHERINE H <cs578j () att com>; KIESEL, BRIAN S <bk9825 () att com>
Subject: Re: [Snort-devel] Snort Timestamps Out of Sequence

Is that “out of order” alert a reassembled pseudo-packet? You’d need to look at the packets in the alerts themselves 
to determine that. (Not csv, but you could look at something like “-A cmg” to help diagnose this)
Sent from my iPhone

On Apr 17, 2019, at 06:56, ROTNEMER, ALAN H via Snort-devel <snort-devel () lists snort org> wrote:
We have run Snort where we send it packets that are in timestamp order. However, the alerts will occasionally come back 
out of sequence to our application.
By turning on “output alert”, we can see from the log file that alerts can be delayed. For example, we ran snort as:

/opt/capture/bin/snort -c /opt/capture/conf/snort/etc/snort.conf -i lo -S OUT_FILE=/data/working/snort/proc/99_99 -N -q &

And in /opt/capture/conf/snort/etc/snort.conf we had the line:

output alert_csv: /tmp/snortf1.csv timestamp,msg,src,srcport,dst,dstport

The CSV log file had several instances similar to this (for business reasons the exact rule texts were redacted):

04/16-02:11:06.572717 ,"Rule Type 1 Protocol Outbound Traffic",154.45.216.145,1098,99.99.37.223,51413
04/16-02:11:06.606885 ,"Rule Type 1 Protocol Outbound Traffic",182.72.124.202,25283,108.228.86.35,6881
04/16-02:11:06.609897 ,"Rule Type 1 Protocol Outbound Traffic",94.254.163.20,19973,99.127.74.163,9836
04/16-02:11:06.615137 ,"Rule Type 1 Protocol Outbound Traffic",185.39.113.72,44143,75.35.93.63,6881
04/16-01:56:08.636576 ,"Another Rule2 #2",216.68.181.150,65381,12.96.144.101,80
04/16-02:11:06.667118 ,"Rule Type 1 Protocol Outbound Traffic",178.254.221.60,8073,99.138.149.126,52241
04/16-02:11:06.673093 ,"Rule Type 1 Protocol Outbound Traffic",196.64.27.94,16119,71.128.163.20,6881
04/16-02:11:06.676153 ,"Rule Type 3",61.220.63.0,6520,98.67.182.104,123

The alert for timestamp 01:56:08 appears 15 minutes behind the ones preceding it. The original packet has the correct 
timestamp. I should note that this is a very busy system with multiple packets per second being generated. The 
user-generated rules file has about 23,000 rules.

Can I get an explanation as to how snort is processing individual packets going through the rules? I would expect to 
see the alerts come back in the same sequence they went in.

Thank you for any assistance. If more information is needed please let me know.
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
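To measure how far behind each delayed alert falls, and whether a single rule accounts for them, here is an added Python script (not from the thread, and not part of Snort) that walks an alert_csv file in write order. It assumes the field order from the `output alert_csv` line above and uses a constructed sample built from the CSV lines quoted in the thread.

```python
import csv
from datetime import datetime
from io import StringIO

# Field order from the thread's "output alert_csv:" line.
FIELDS = ["timestamp", "msg", "src", "srcport", "dst", "dstport"]

# Constructed sample: a subset of the alert_csv lines quoted in the thread.
SAMPLE_CSV = """\
04/16-02:11:06.572717 ,"Rule Type 1 Protocol Outbound Traffic",154.45.216.145,1098,99.99.37.223,51413
04/16-02:11:06.615137 ,"Rule Type 1 Protocol Outbound Traffic",185.39.113.72,44143,75.35.93.63,6881
04/16-01:56:08.636576 ,"Another Rule2 #2",216.68.181.150,65381,12.96.144.101,80
04/16-02:11:06.667118 ,"Rule Type 1 Protocol Outbound Traffic",178.254.221.60,8073,99.138.149.126,52241
04/16-02:11:06.676153 ,"Rule Type 3",61.220.63.0,6520,98.67.182.104,123
"""
def parse_ts(field):
    # Snort alert timestamps carry no year; strptime fills in 1900, which is
    # harmless for differences between alerts written on the same day.
    return datetime.strptime(field.strip(), "%m/%d-%H:%M:%S.%f")

def find_regressions(text, tolerance=1.0):
    """Return (line_no, msg, seconds_behind) for each alert whose packet
    timestamp trails the newest timestamp already written by more than
    `tolerance` seconds. alert_csv appends in emission order, so that gap
    is a lower bound on how long the alert lagged the packet it describes."""
    newest, lagging = None, []
    for n, row in enumerate(csv.reader(StringIO(text)), start=1):
        if len(row) != len(FIELDS):
            continue  # blank or truncated line: skip rather than crash
        rec = dict(zip(FIELDS, row))
        ts = parse_ts(rec["timestamp"])
        if newest is not None and (newest - ts).total_seconds() > tolerance:
            lagging.append((n, rec["msg"], round((newest - ts).total_seconds(), 6)))
        if newest is None or ts > newest:
            newest = ts
    return lagging

def lag_by_rule(text, tolerance=1.0):
    # If one rule msg accounts for the lagging alerts, look at what that rule
    # inspects (e.g. a reassembled stream) before suspecting the sensor clock.
    counts = {}
    for _, msg, _ in find_regressions(text, tolerance):
        counts[msg] = counts.get(msg, 0) + 1
    return counts

if __name__ == "__main__":
    for n, msg, behind in find_regressions(SAMPLE_CSV):
        print(f"line {n}: {msg!r} is {behind:.3f}s behind the newest prior alert")
    print(lag_by_rule(SAMPLE_CSV))
```

On the sample, the "Another Rule2 #2" alert comes out roughly 898 seconds (about 15 minutes) behind the alert written just before it, matching the gap described in the thread.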
