Snort mailing list archives
Re: Snort Timestamps Out of Sequence
From: "ROTNEMER, ALAN H via Snort-devel" <snort-devel () lists snort org>
Date: Wed, 22 May 2019 19:13:52 +0000
Hey Joel, After looking at our packets and discussing this with my development and analyst groups, I guess there is just one thing I need to know:
From what you have said in your replies, there appear to be "conditions" where Snort will receive a packet and, for whatever reasons, delay sending the alert. It could be something about the packet, or something about the rule. My customer has had instances of delays of up to 7 hours. This ends up causing a bit of a problem on our backend.
Our product that processes the alerts coming from Snort does not expect these delays. In fact, until this issue appeared, we always thought that the alerts would arrive in the (timestamp) order they were fed into Snort. Can you confirm, then, that Snort COULD delay alerts for some packets, and, thus, it is possible that alerts will not be returned in timestamp order? If yes, are there known circumstances where this could occur, and would you be able to document them for us? Or describe the processing that occurs within Snort that could lead to this situation? We can make some adjustments to our backend, but I want to be able to explain this to my development group and our customer.

Many thanks,
Alan

P.S. If you know of someone else I need to contact, could you let me know?

From: Joel Esler (jesler) <jesler () cisco com>
Sent: Monday, May 6, 2019 9:44 AM
To: ROTNEMER, ALAN H <ar435f () att com>
Cc: snort-devel () lists snort org
Subject: Re: [Snort-devel] Snort Timestamps Out of Sequence

Hey Alan,

My "off the cuff" theory, without looking at your Snort configuration and requesting a full traffic reassembly, is that something was holding the connection open (for 7 minutes) (keep-alive?) and Snort is reassembling the HTTP session in the background into what we call a "pseudo" packet. A large reassembled stream. That's what your rule alerted on, and should have logged it to disk.

--
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
http://www.talosintelligence.com

On May 6, 2019, at 9:16 AM, ROTNEMER, ALAN H <ar435f () att com> wrote:

Is there some explanation as to why the alert took over 7 minutes to publish? Could Snort be waiting on anything in order to complete the alert?
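A consumer-side way to cope with the behaviour Joel describes (an alert on a reassembled "pseudo" packet carrying a packet timestamp well behind its arrival), as an added example that is not part of this thread or of Snort's own code: buffer alert_fast lines in a bounded window, release them in packet-timestamp order, and flag those that arrive too late to be reordered. The alert_fast line layout, the assumed year, the 5-minute window and the sample alert lines are all constructed assumptions.

```python
"""Reorder Snort alert_fast lines by packet timestamp on a consuming backend.
Added example, not Snort code: an alert raised on a reassembled stream can be
emitted long after the packet timestamp it carries, so arrival order is not
timestamp order.  Alerts are buffered inside a bounded window (its size is an
assumption), released in timestamp order, and reported if they arrive too late."""
import heapq
import re
from datetime import datetime, timedelta

# alert_fast lines begin with MM/DD-HH:MM:SS.ffffff; there is no year, so one is assumed.
TS_RE = re.compile(r"^(\d{2})/(\d{2})-(\d{2}):(\d{2}):(\d{2})\.(\d{6})")

def parse_alert_ts(line, year=2019):
    """Packet timestamp of an alert_fast line as a datetime."""
    m = TS_RE.match(line)
    if not m:
        raise ValueError("not an alert_fast line: %r" % line[:40])
    mo, d, h, mi, s, us = (int(g) for g in m.groups())
    return datetime(year, mo, d, h, mi, s, us)

def replay(lines, window_seconds):
    """Return (ordered, late): alerts released in timestamp order, and
    (line, lag) pairs for alerts older than the newest-seen timestamp by more
    than the window, whose slot has already been flushed."""
    window = timedelta(seconds=window_seconds)
    heap, ordered, late, high_water = [], [], [], None
    for seq, line in enumerate(lines):
        ts = parse_alert_ts(line)
        if high_water is None or ts > high_water:
            high_water = ts
        elif high_water - ts > window:
            late.append((line, high_water - ts))  # too old to reorder; surface with lag
            continue
        heapq.heappush(heap, (ts, seq, line))
        # Anything older than the window can no longer be overtaken: release it.
        while heap and high_water - heap[0][0] > window:
            ordered.append(heapq.heappop(heap)[2])
    while heap:  # end of input: flush the rest, still in timestamp order
        ordered.append(heapq.heappop(heap)[2])
    return ordered, late

# Constructed sample in alert_fast layout. The 09:02:00 alert arrives with a packet
# timestamp about 7 minutes behind the stream, as a reassembled-stream alert might.
SAMPLE_ALERTS = [
    "05/06-09:09:00.000000  [**] [1:1000001:0] CONSTRUCTED web alert [**] {TCP} 10.0.0.5:51000 -> 10.0.0.9:80",
    "05/06-09:09:05.000000  [**] [1:1000001:0] CONSTRUCTED web alert [**] {TCP} 10.0.0.5:51001 -> 10.0.0.9:80",
    "05/06-09:08:00.000000  [**] [1:1000001:0] CONSTRUCTED web alert [**] {TCP} 10.0.0.5:50990 -> 10.0.0.9:80",
    "05/06-09:02:00.000000  [**] [1:1000001:0] CONSTRUCTED web alert [**] {TCP} 10.0.0.5:50900 -> 10.0.0.9:80",
    "05/06-09:15:00.000000  [**] [1:1000001:0] CONSTRUCTED web alert [**] {TCP} 10.0.0.5:51002 -> 10.0.0.9:80",
]
```

Calling `replay(SAMPLE_ALERTS, 300)` releases the 09:08:00, 09:09:00, 09:09:05 and 09:15:00 alerts in that order and reports the 09:02:00 alert as late by 7 minutes 5 seconds; a window large enough for the 7-hour delays mentioned above would have to hold correspondingly more alerts in memory.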