Project

General

Profile

Actions

Bug #337

closed

Suricata logs alerts with wrong timestamp (start of the epoch).

Added by Nikolay Denev over 13 years ago. Updated about 13 years ago.

Status:
Closed
Priority:
High
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

I'm seeing alerts with timestamp "Thu Jan 1 00:00:00 1970" in both unified2 and fast alert logs.
About 20% of the entries in my logs for the last week are with this timestamp. This is for Suricata from GIT.
Here is a short sample for the logs (with the IP's masked) :

_> 01/01/1970-01:00:00.000000 [**] [1:2803728:3] ETPRO WEB_SERVER OpenSSL ECDH Use After Free Attempt SSL 3.0 [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} X.X.X.250:49392 -> X.X.X.4:443

09/27/2011-05:54:55.553829 [**] [1:2013295:2] ET POLICY Self Signed SSL Certificate (Snake Oil CA) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} X.X.X.227:443 -> X.X.X.7:63367
09/27/2011-05:55:08.460580 [**] [1:2803728:3] ETPRO WEB_SERVER OpenSSL ECDH Use After Free Attempt SSL 3.0 [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} X.X.X.50:1861 -> X.X.X.4:443
09/27/2011-05:56:03.703293 [**] [1:2010904:5] ET USER_AGENTS Fake Mozilla UA Inbound (Mozilla/0.xx) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} X.X.X.178:53551 -> X.X.X.4:80
01/01/1970-01:00:00.000000 [**] [1:2803728:3] ETPRO WEB_SERVER OpenSSL ECDH Use After Free Attempt SSL 3.0 [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} X.X.X.50:1924 -> X.X.X.4:443
09/27/2011-06:00:05.844775 [**] [1:2010904:5] ET USER_AGENTS Fake Mozilla UA Inbound (Mozilla/0.xx) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} X.X.X.196:61530 -> X.X.X.4:80
09/27/2011-06:00:55.776206 [**] [1:2803728:3] ETPRO WEB_SERVER OpenSSL ECDH Use After Free Attempt SSL 3.0 [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} X.X.X.62:64883 -> X.X.X.4:443
09/27/2011-06:08:34.935037 [**] [1:2803728:3] ETPRO WEB_SERVER OpenSSL ECDH Use After Free Attempt SSL 3.0 [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} X.X.X.243:56971 -> X.X.X.4:443
09/27/2011-06:09:15.765385 [**] [1:2002945:10] ET POLICY Java Url Lib User Agent Web Crawl [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} X.X.X.10:2913 -> X.X.X.4:80
01/01/1970-01:00:00.000000 [**] [1:2803728:3] ETPRO WEB_SERVER OpenSSL ECDH Use After Free Attempt SSL 3.0 [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} X.X.X.212:47548 -> X.X.X.4:443
01/01/1970-01:00:00.000000 [**] [1:2803728:3] ETPRO WEB_SERVER OpenSSL ECDH Use After Free Attempt SSL 3.0 [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} X.X.X.243:57413 -> X.X.X.4:443
01/01/1970-01:00:00.000000 [**] [1:2803728:3] ETPRO WEB_SERVER OpenSSL ECDH Use After Free Attempt SSL 3.0 [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} X.X.X.111:1089 -> X.X.X.4:443
01/01/1970-01:00:00.000000 [**] [1:2803728:3] ETPRO WEB_SERVER OpenSSL ECDH Use After Free Attempt SSL 3.0 [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} X.X.X.243:57826 -> X.X.X.4:443
01/01/1970-01:00:00.000000 [**] [1:2803728:3] ETPRO WEB_SERVER OpenSSL ECDH Use After Free Attempt SSL 3.0 [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} X.X.X.212:32967 -> X.X.X.4:443
09/27/2011-06:39:46.487946 [**] [1:2803728:3] ETPRO WEB_SERVER OpenSSL ECDH Use After Free Attempt SSL 3.0 [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} X.X.X.79:2085 -> X.X.X.4:443
09/27/2011-06:41:13.796010 [**] [1:2803728:3] ETPRO WEB_SERVER OpenSSL ECDH Use After Free Attempt SSL 3.0 [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} X.X.X.176:1406 -> X.X.X.4:443
01/01/1970-01:00:00.000000 [**] [1:2803728:3] ETPRO WEB_SERVER OpenSSL ECDH Use After Free Attempt SSL 3.0 [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} X.X.X.20:38124 -> X.X.X.4:443_

Actions #1

Updated by Victor Julien over 13 years ago

  • Status changed from New to Assigned
  • Assignee set to Anoop Saldanha
  • Estimated time set to 5.00 h

@Anoop My guess would be this relates to the flow timeout code. The injected pkts probably don't have a timestamp set?

Actions #2

Updated by Nikolay Denev about 13 years ago

Afer applying 3ec7b7519434f900a47534b3b14bbdb630992efb I'm no longer seeing alerts with start of the epoch timestamps. Thanks!

Actions #3

Updated by Victor Julien about 13 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100

Cool, closing then. Thanks guys!

Actions #4

Updated by Anoop Saldanha about 13 years ago

  • Estimated time changed from 5.00 h to 0.50 h
Actions

Also available in: Atom PDF