Snort mailing list archives
Re: Snort Timestamps Out of Sequence
From: "Joel Esler \(jesler\) via Snort-devel" <snort-devel () lists snort org>
Date: Wed, 17 Apr 2019 10:59:16 +0000
Is that “out of order” alert a reassembled pseudo-packet? You’d need to look at the packets in the alerts themselves to determine that. (Not csv, but you could look at something like “ -A cmg” to help diagnose this)

Sent from my iPhone
On Apr 17, 2019, at 06:56, ROTNEMER, ALAN H via Snort-devel <snort-devel () lists snort org> wrote:

We have run Snort where we send it packets that are in timestamp order. However, the alerts will occasionally come back out of sequence to our application. By turning on “output alert”, we can see from the log file that alerts can be delayed. For example, we ran snort as:

/opt/capture/bin/snort -c /opt/capture/conf/snort/etc/snort.conf -i lo -S OUT_FILE=/data/working/snort/proc/99_99 -N -q &

And in /opt/capture/conf/snort/etc/snort.conf we had the line:

output alert_csv: /tmp/snortf1.csv timestamp,msg,src,srcport,dst,dstport

The CSV log file had several instances similar to this (for business reasons the exact rule texts were redacted):

04/16-02:11:06.572717 ,"Rule Type 1 Protocol Outbound Traffic",154.45.216.145,1098,99.99.37.223,51413
04/16-02:11:06.606885 ,"Rule Type 1 Protocol Outbound Traffic",182.72.124.202,25283,108.228.86.35,6881
04/16-02:11:06.609897 ,"Rule Type 1 Protocol Outbound Traffic",94.254.163.20,19973,99.127.74.163,9836
04/16-02:11:06.615137 ,"Rule Type 1 Protocol Outbound Traffic",185.39.113.72,44143,75.35.93.63,6881
04/16-01:56:08.636576 ,"Another Rule2 #2",216.68.181.150,65381,12.96.144.101,80
04/16-02:11:06.667118 ,"Rule Type 1 Protocol Outbound Traffic",178.254.221.60,8073,99.138.149.126,52241
04/16-02:11:06.673093 ,"Rule Type 1 Protocol Outbound Traffic",196.64.27.94,16119,71.128.163.20,6881
04/16-02:11:06.676153 ,"Rule Type 3",61.220.63.0,6520,98.67.182.104,123

The alert for timestamp 01:56:08 appears 15 minutes behind the ones preceding it. The original packet has the correct timestamp. I should note that this is a very busy system with multiple packets per second being generated. The user-generated rules file has about 23,000 rules.

Can I get an explanation as to how snort is processing individual packets going through the rules? I would expect to see the alerts come back in the same sequence they went in.

Thank you for any assistance.
If more information is needed please let me know. _______________________________________________ Snort-devel mailing list Snort-devel () lists snort org https://lists.snort.org/mailman/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Snort Timestamps Out of Sequence ROTNEMER, ALAN H via Snort-devel (Apr 17)
- Re: Snort Timestamps Out of Sequence Joel Esler (jesler) via Snort-devel (Apr 17)
- Re: Snort Timestamps Out of Sequence ROTNEMER, ALAN H via Snort-devel (May 06)
- Re: Snort Timestamps Out of Sequence Joel Esler (jesler) via Snort-devel (May 06)
- Re: Snort Timestamps Out of Sequence ROTNEMER, ALAN H via Snort-devel (May 23)
- Re: Snort Timestamps Out of Sequence Joel Esler (jesler) via Snort-devel (May 23)
- Re: Snort Timestamps Out of Sequence ROTNEMER, ALAN H via Snort-devel (May 23)
- Re: Snort Timestamps Out of Sequence Russ via Snort-devel (May 25)
- Re: Snort Timestamps Out of Sequence ROTNEMER, ALAN H via Snort-devel (May 06)
- Re: Snort Timestamps Out of Sequence Joel Esler (jesler) via Snort-devel (Apr 17)