Snort mailing list archives

Snort Timestamps Out of Sequence


From: "ROTNEMER, ALAN H via Snort-devel" <snort-devel () lists snort org>
Date: Wed, 17 Apr 2019 10:55:27 +0000

We have run Snort where we send it packets that are in timestamp order. However, the alerts will occasionally come back out of sequence to our application.
By turning on "output alert", we can see from the log file that alerts can be delayed. For example, we ran snort as:

/opt/capture/bin/snort -c /opt/capture/conf/snort/etc/snort.conf -i lo -S OUT_FILE=/data/working/snort/proc/99_99 -N -q &

And in /opt/capture/conf/snort/etc/snort.conf we had the line:

output alert_csv: /tmp/snortf1.csv timestamp,msg,src,srcport,dst,dstport

The CSV log file had several instances similar to this (for business reasons the exact rule texts were redacted):

04/16-02:11:06.572717 ,"Rule Type 1 Protocol Outbound Traffic",154.45.216.145,1098,99.99.37.223,51413
04/16-02:11:06.606885 ,"Rule Type 1 Protocol Outbound Traffic",182.72.124.202,25283,108.228.86.35,6881
04/16-02:11:06.609897 ,"Rule Type 1 Protocol Outbound Traffic",94.254.163.20,19973,99.127.74.163,9836
04/16-02:11:06.615137 ,"Rule Type 1 Protocol Outbound Traffic",185.39.113.72,44143,75.35.93.63,6881
04/16-01:56:08.636576 ,"Another Rule2 #2",216.68.181.150,65381,12.96.144.101,80
04/16-02:11:06.667118 ,"Rule Type 1 Protocol Outbound Traffic",178.254.221.60,8073,99.138.149.126,52241
04/16-02:11:06.673093 ,"Rule Type 1 Protocol Outbound Traffic",196.64.27.94,16119,71.128.163.20,6881
04/16-02:11:06.676153 ,"Rule Type 3",61.220.63.0,6520,98.67.182.104,123

The alert for timestamp 01:56:08 appears 15 minutes behind the ones preceding it. The original packet has the correct timestamp. I should note that this is a very busy system with multiple packets per second being generated. The user-generated rules file has about 23,000 rules.

Can I get an explanation as to how snort is processing individual packets going through the rules? I would expect to see the alerts come back in the same sequence they went in.

Thank you for any assistance. If more information is needed please let me know.
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel
