Hello,
We are developing devices that run both Zeek and Suricata. One of them has an odd issue: most Suricata alert timestamps carry the Unix epoch date (1970-01-01) instead of the current date. Breaking alert.log down by date shows the split:
[root@host ~]# jq -r '.timestamp' /opt/isd/data/suricata/alert.log | awk -F'T' '{print $1}' | sort | uniq -c
15288 1970-01-01
2435 2023-12-01
Any idea what could be causing this? We are running Suricata 7.0.1 with a Napatech card in IDS mode, so the packet timestamps come from the adapter rather than from the kernel. The relevant configuration and build information is dumped below; I can provide more on request. Any pointers on what I might be doing wrong would be appreciated.
Thank you!
OS: Rocky linux 8
Kernel version: 4.18.0-425.19.2.el8_7.x86_64
Installed using a custom RPM build (can provide specs on request)
Some full timestamp examples (note that several carry seven fractional digits, e.g. `.1044989`, which a normalized microsecond field should never produce):
[root@host ~]# jq -r '.timestamp' /opt/isd/data/suricata/alert.log | head -n 5
1970-01-01T00:00:00.1044989+0000
1970-01-01T00:00:00.1047640+0000
1970-01-01T00:00:00.001477+0000
1970-01-01T00:00:00.001407+0000
1970-01-01T00:00:00.001411+0000
suricata.yaml
%YAML 1.1
---
# Paths. Logs go under /opt/isd/data/suricata, not the build-time default
# /var/log/suricata reported by --build-info. Every *.rules file found in
# /etc/suricata/rules is loaded by the glob below, so anything dropped into
# that directory becomes live detection logic -- keep it writable only by the
# deployment tooling (Puppet here).
default-log-dir: "/opt/isd/data/suricata"
default-rule-path: "/etc/suricata/rules"
rule-files:
- "*.rules"
classification-file: classification.config
reference-config-file: reference.config
# Engine counters every 30 s; they are emitted by the eve-log "stats" writer
# configured under outputs (stats.log).
stats:
enabled: true
interval: 30
# Engine log: console plus suricata.log at info level, syslog disabled.
# NOTE(review): warnings from the Napatech capture module presumably land in
# suricata.log as well, so it is the first place to look when packet
# timestamps come back as 1970-01-01.
logging:
default-log-level: notice
default-output-filter:
outputs:
- console:
enabled: true
- file:
enabled: true
level: info
filename: suricata.log
- syslog:
enabled: false
facility: local5
format: "[%i] <%%d> -- "
# LuaJIT state pool. --build-info reports "libluajit: no" (plain Lua only), so
# this setting is presumably inert on this build -- confirm.
luajit:
states: 128
# All profiling outputs are off, and the binary was built without profiling
# support ("Profiling enabled: no"), so these stanzas have no effect.
profiling:
rules:
enabled: false
filename: rule_perf.log
append: true
limit: 10
json: true
keywords:
enabled: false
filename: keyword_perf.log
append: true
prefilter:
enabled: false
filename: prefilter_perf.log
append: true
rulegroups:
enabled: false
filename: rule_group_perf.log
append: true
packets:
enabled: false
filename: packet_stats.log
append: true
csv:
enabled: false
filename: packet_stats.csv
locks:
enabled: false
filename: lock_stats.log
append: true
pcap-log:
enabled: false
filename: pcaplog_stats.log
append: true
# Detection engine tuning (upstream "medium" profile with explicit group
# counts).
detect:
profile: medium
custom-values:
toclient-groups: 3
toserver-groups: 25
sgh-mpm-context: auto
inspection-recursion-limit: 3000
prefilter:
default: mpm
grouping:
profiling:
grouping:
dump-to-disk: false
include-rules: false
include-mpm-stats: false
# Hyperscan is not compiled in ("Hyperscan support: no"), so "auto" resolves
# to one of the built-in matchers.
mpm-algo: auto
spm-algo: auto
# Unlimited core dumps. A core of an IDS worker contains captured packet
# payloads and reassembled streams; fine while debugging, but on a production
# sensor either cap this or lock down the dump location's permissions.
coredump:
max-dump: unlimited
# Passive sensor on a tap/mirror; nothing is ever forwarded.
host-mode: sniffer-only
# Control socket off: suricatasc cannot query or reload the running engine.
# Less attack surface, but also no live introspection of capture/stream state.
unix-command:
enabled: false
# PCRE backtracking limits; bound worst-case regex cost per match.
pcre:
match-limit: 3500
match-limit-recursion: 1500
# Defragmentation and flow tracking. The memcaps are hard limits: once the
# flow memcap is reached the engine enters emergency mode and uses the
# emergency-* timeouts below until enough flows are freed again
# (emergency-recovery is that threshold, presumably a percentage of the
# preallocated flows -- confirm).
defrag:
memcap: 64mb
hash-size: 65536
trackers: 65535
max-frags: 65535
prealloc: true
timeout: 60
flow:
memcap: 512mb
hash-size: 65536
prealloc: 20000
emergency-recovery: 30
# VLAN IDs take part in the flow hash, so the same 5-tuple on two VLANs is
# tracked as two flows -- the right choice when the tap carries several VLANs.
vlan:
use-for-tracking: true
# Idle timeouts in seconds, per protocol class. "closed: 0" in the default set
# drops a non-TCP flow as soon as it is marked closed; TCP keeps closed flows
# for 60 s so late segments still match their flow.
flow-timeouts:
default:
new: 30
established: 300
closed: 0
bypassed: 100
emergency-new: 10
emergency-established: 100
emergency-closed: 0
emergency-bypassed: 50
tcp:
new: 60
established: 600
closed: 60
bypassed: 100
emergency-new: 5
emergency-established: 100
emergency-closed: 10
emergency-bypassed: 50
udp:
new: 30
established: 300
bypassed: 100
emergency-new: 10
emergency-established: 100
emergency-bypassed: 50
icmp:
new: 30
established: 300
bypassed: 100
emergency-new: 10
emergency-established: 100
emergency-bypassed: 50
# TCP stream engine. checksum-validation: true means a segment with a bad
# checksum is not handed to the stream engine. On a passive tap that is the
# safe default, but if the invalid-checksum counters in stats.log climb,
# traffic is being skipped and the setting should be revisited.
stream:
memcap: 512mb
checksum-validation: true
inline: false
# Only the first 1 MB of each stream is reassembled for inspection; content
# rules do not see payload beyond that depth.
reassembly:
memcap: 256mb
depth: 1mb
toserver-chunk-size: 2560
toclient-chunk-size: 2560
randomize-chunk-size: true
# Host table (used by per-host state such as thresholds and xbits).
host:
hash-size: 4096
prealloc: 1000
memcap: 256mb
# Tunnel decoders. The port lists are variables resolved from the
# port-groups.yaml include below, so changing them there changes which UDP
# ports are decoded as Teredo/VXLAN/Geneve here. VN-Tag is off.
decoder:
teredo:
enabled: true
ports: "$TEREDO_PORTS"
vxlan:
enabled: true
ports: "$VXLAN_PORTS"
vntag:
enabled: false
geneve:
enabled: true
ports: "$GENEVE_PORTS"
# Upper bound on ASN.1 frames decoded per packet.
asn1-max-frames: 256
# Address and port variables live in separate files; $HOME_NET and the
# $*_PORTS names above must be defined there or rules referencing them
# fail to load.
vars:
address-groups: !include 'address-groups.yaml'
port-groups: !include 'port-groups.yaml'
# Napatech capture. Packets -- and their timestamps -- arrive from the adapter
# through the ntservice host buffers, not from the kernel.
#   streams 0-29        -- 30 streams, matching HostBuffersRx = [30,...] in
#                          ntservice.ini and the 30 CPUs in worker-cpu-set.
#   auto-config: false  -- Suricata does not program the adapter; the stream
#                          setup has to come from the NTPL file named by
#                          NtplFileName in ntservice.ini.
#   hba: -1             -- host buffer allowance disabled (upstream default).
# NOTE(review): in this mode an alert's timestamp is whatever the adapter
# stamped into the frame. The 1970-01-01 timestamps with a seven-digit
# fractional part (e.g. .1044989) look like a near-zero / un-normalized
# adapter timestamp rather than a wrong host clock. Check the adapter's
# time-sync state in the ntservice log (it is configured to follow OS time via
# TimeSyncReferencePriority = OSTime) and that this Suricata build handles the
# configured TimestampFormat before suspecting the engine itself. The mixed
# population (some alerts with the real date) may be pseudo-packets such as
# flow timeouts, which are stamped from host time -- group alert.log by
# pkt_src / in_iface to tell the two apart. TODO confirm.
napatech:
hba: -1
auto-config: false
streams:
- 0-29
hardware-bypass: false
inline: false
use-all-streams: false
enable-stream-stats: true
# Outputs. fast.log is off; two separate EVE writers: engine stats ->
# stats.log, alerts -> alert.log. Nothing else (flow, http, dns, tls, ...) is
# logged, so the only context for an alert is what the alert record itself
# carries.
# NOTE(review): epoch-dated alerts are more than cosmetic -- a SIEM that
# indexes or retains by event time files them under 1970 (or drops them), so
# detections are effectively lost downstream until the timestamps are fixed.
outputs:
- fast:
enabled: false
- eve-log:
enabled: true
filetype: regular
types:
- stats
filename: stats.log
- eve-log:
enabled: true
filetype: regular
types:
- alert
filename: alert.log
# Community ID lets these alerts be joined with the Zeek conn records produced
# on the same box, but only if Zeek is configured with the same non-default
# seed (44919); otherwise the IDs never match.
community-id: true
community-id-seed: 44919
# CPU pinning. Management threads on CPUs 30/94/32/96; 30 worker CPUs (odd
# 1-29 and odd 65-93) pinned exclusively at high priority -- one per Napatech
# stream 0-29. The two ranges are presumably the two sockets or the SMT
# siblings of one socket; verify with lscpu that each worker sits on the same
# NUMA node as its stream's host buffer (ntservice.ini leaves NumaNode = -1
# and HostBufferHandlerAffinity = -2). If only a subset of streams produced the
# 1970-01-01 timestamps, the per-stream counters in stats.log
# (enable-stream-stats) would show it.
threading:
set-cpu-affinity: true
cpu-affinity:
- management-cpu-set:
cpu:
- '30'
- '94'
- '32'
- '96'
- worker-cpu-set:
cpu:
- '1'
- '3'
- '5'
- '7'
- '9'
- '11'
- '13'
- '15'
- '17'
- '19'
- '21'
- '23'
- '25'
- '27'
- '29'
- '65'
- '67'
- '69'
- '71'
- '73'
- '75'
- '77'
- '79'
- '81'
- '83'
- '85'
- '87'
- '89'
- '91'
- '93'
mode: exclusive
prio:
high:
- '1'
- '3'
- '5'
- '7'
- '9'
- '11'
- '13'
- '15'
- '17'
- '19'
- '21'
- '23'
- '25'
- '27'
- '29'
- '65'
- '67'
- '69'
- '71'
- '73'
- '75'
- '77'
- '79'
- '81'
- '83'
- '85'
- '87'
- '89'
- '91'
- '93'
default: high
# Presumably ignored in the Napatech workers mode, where the thread count
# follows the stream list above -- confirm.
detect-thread-ratio: 1.5
Build info:
[root@host ~]# suricata --build-info
This is Suricata version 7.0.1 RELEASE
Features: NFQ PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HTTP2_DECOMPRESSION HAVE_LUA HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST
SIMD support: none
Atomic intrinsics: 1 2 4 8 byte(s)
64-bits, Little-endian architecture
GCC version 8.5.0 20210514 (Red Hat 8.5.0-16), C version 201112
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
thread local storage method: _Thread_local
compiled with LibHTP v0.5.45, linked against LibHTP v0.5.45
Suricata Configuration:
AF_PACKET support: yes
AF_XDP support: no
DPDK support: no
eBPF support: no
XDP support: no
PF_RING support: no
NFQueue support: yes
NFLOG support: no
IPFW support: no
Netmap support: no
DAG enabled: no
Napatech enabled: yes
WinDivert enabled: no
Unix socket enabled: yes
Detection enabled: yes
Libmagic support: yes
libjansson support: yes
hiredis support: no
hiredis async with libevent: no
PCRE jit: yes
LUA support: yes
libluajit: no
GeoIP2 support: no
Non-bundled htp: no
Hyperscan support: no
Libnet support: yes
liblz4 support: yes
Landlock support: no
Rust support: yes
Rust strict mode: no
Rust compiler path: /usr/bin/rustc
Rust compiler version: rustc 1.62.1 (Red Hat 1.62.1-1.module+el8.7.0+1079+7c7e1744)
Cargo path: /usr/bin/cargo
Cargo version: cargo 1.62.1
Python support: yes
Python path: /usr/bin/python3
Install suricatactl: yes
Install suricatasc: yes
Install suricata-update: yes
Profiling enabled: no
Profiling locks enabled: no
Profiling rules enabled: no
Plugin support (experimental): yes
DPDK Bond PMD: no
Development settings:
Coccinelle / spatch: no
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no
Fuzz targets enabled: no
Generic build parameters:
Installation prefix: /usr
Configuration directory: /etc/suricata/
Log directory: /var/log/suricata/
--prefix /usr
--sysconfdir /etc
--localstatedir /var
--datarootdir /usr/share
Host: x86_64-redhat-linux-gnu
Compiler: gcc (exec name) / g++ (real)
GCC Protect enabled: yes
GCC march native enabled: no
GCC Profile enabled: no
Position Independent Executable enabled: yes
CFLAGS -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fPIC -std=c11 -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist
PCAP_CFLAGS
SECCFLAGS -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security
ntservice.ini
# This file is managed by Puppet. Local changes will be overwritten.
[System]
HostBufferRefreshIntervalAll = default # default* - 1 - 5 - 10 - 50 - 100 - 250 - 500
LinkPropagationPortPairs = # [portA, portB], ...
# 16 ntservice worker threads versus 30 RX host buffers in [Adapter0]
# (HostBuffersRx) -- presumably fine, but confirm against the Napatech sizing
# guidance for this adapter.
NumWorkerThreads = 16 # 1 .. 100
SDRAMFillLevelWarning = 0 # X1, X2, X3, X4
# "None" means the host clock is NOT disciplined by any adapter. The sync
# direction on this box is the other way round: [Adapter0] sets
# TimeSyncReferencePriority = OSTime, i.e. the adapter follows host time.
# NOTE(review): if the adapter never reaches in-sync with that reference, its
# frame timestamps are whatever its own counter holds; the 1970-01-01 stamps
# seen in Suricata's alert.log are consistent with that -- check the adapter's
# time-sync status in the system log. TODO confirm.
TimeSyncOsTimeReference = None # None* - adapter-0 - adapter-1 - adapter-2 - adapter-3 - adapter-4 - adapter-5 - adapter-6 - adapter-7
# Native Unix-epoch timestamp format (presumably sub-microsecond resolution).
# Confirm that the Suricata build in use converts this particular format
# rather than assuming PCAP/UNIX_NS.
TimestampFormat = NATIVE_UNIX # NATIVE - NATIVE_NDIS - NATIVE_UNIX* - UNIX_NS - PCAP - PCAP_NS
# Frames are stamped at end-of-frame (default), so timestamps reflect
# completion order rather than start-of-frame.
TimestampMethod = EOF # SOF - EOF*
# Stream / host-buffer assignment lives in this NTPL file, because
# suricata.yaml sets napatech.auto-config: false and does not program the
# adapter itself.
NtplFileName = /opt/napatech3/config/default.ntpl
[Logging]
LogBufferWrap = wrap # wrap* - nowrap
# Only used if LogToFile is switched on. If it ever is, move it out of /tmp:
# a predictable filename in a world-writable directory is a symlink target,
# which matters if ntservice runs with elevated privileges.
LogFileName = /tmp/Log3G_%s.log # String
LogMask = 7 # See ini-file help for information about possible values
LogToFile = false # true/false
# Adapter messages -- including time-sync state changes -- go to the system
# log (journal); search there for the adapter's sync status.
LogToSystem = true # true/false
[Adapter0]
AdapterType = NT50B01_2x25 # NT40A01_4X1 - NT20E3_2_PTP - NT40E3_4_PTP - NT50B01_2X10_25 - NT50B01_2X25 - NT50B01_2X1_10 - NT100A01_4X1_10 - NT100A01_4X10_25 - NT40A11_4X1_10 - NT80E3_2_PTP - NT80E3_2_PTP_8X10 - NT100E3_1_PTP - NT200A01 - NT200A01_2X100 - NT200A01_8X10 - NT200A01_2X40 - NT200A01_2X10_25 - NT200A01_2X25 - NT200A02_2X10_25 - NT200A02_2X25 - NT200A02_2X100 - NT200A02_2X40 - NT200A02_4X10_25 - NT200A02_4X25 - NT200A02_8X10 - NT200A02_2X1_10 - NT4E - NT20E - NT4E_STD - NT20E2 - NT40E2_1 - NT40E2_4 - NT4E2_PTP - NT20E2_PTP - INTEL_A10_4X10 - INTEL_A10_1X40 - NT400D13_2X100
CancelTxOnCloseMask = 0 # See ini-file help for information about possible values
CsrxAllowIpv6UdpZeroChecksum = 1 # false - true - 0 - 1* - 2
CsrxPrioritizeInnerProtocol = false # true/false
DeduplicationWindow = 100 # 10 .. 2000000
DisableFec = 0 # 1 - 0* - true - false*
DisableTxRemoteFault = 0 # 1 - 0* - true - false*
DiscardSize = 16 # 16 .. 63
HighFrequencySampling = DISABLE # DISABLE* - ENABLE
HostBufferHandlerAffinity = -2 # -2 .. 11
HostBufferPollInterval = default # default* - 10 - 50 - 100 - 250 - 500 - 1000 - 10000 - 25000 - 50000 - 100000
HostBufferRefreshIntervalRx = default # default* - 1 - 5 - 10 - 50 - 100 - 250 - 500
HostBufferRefreshIntervalTx = default # default* - 1 - 5 - 10 - 50 - 100 - 250 - 500
HostBufferSegmentAlignmentRx = default # default* - none - 0 - 512 - 1024 - 2048 - 4096
HostBufferSegmentSizeRx = default # default* - dynamic - 0 - 1 - 2 - 4 - 64K - 128K - 256K - 512K - 1M - 2M - 4M
HostBufferSegmentSizeTx = default # default* - 1 - 2 - 4 - 1M - 2M - 4M
HostBufferSegmentTimeOut = default # default* - 10 - 50 - 100 - 250 - 500 - 1000 - 10000 - 25000 - 50000 - 100000
# Presumably [count, size, NUMA node]: 30 RX host buffers, one per Suricata
# stream 0-29 (napatech.streams in suricata.yaml), and no TX buffers (x1 = 0)
# since this is a passive IDS -- confirm against the ini-file help.
HostBuffersRx = [30,324,-1] # [x1, x2, x3], ...
HostBuffersTx = [0,16,-1] # [x1, x2, x3], ...
IfgMode = NS # NS* - BYTE
KmTcamConfig = [2,4,0],[4,1,0] # [cnt, len, dualLookup], ...
# Jumbo frames are accepted.
MaxFrameSize = 9018 # 1518 .. 10000
NumaNode = -1 # -1 .. 16
OnBoardMemorySplit = Even # Dynamic - Even* - Proportional
PacketDescriptor = NT # PCAP - NT* - Ext9
PacketPcapFcsInclude = false # true/false
PortDisableMask = 0 # See ini-file help for information about possible values
Profile = None # None* - Capture
# Adapter clock discipline. The adapter slaves its clock to the host OS clock
# (OSTime; the adapter default would be FreeRun), reports in-sync once within
# TimeSyncOSInSyncLimit of the reference (units per the ini-file help,
# presumably ns) and applies no fixed offset.
# NOTE(review): until sync is reached -- or whenever it is lost -- frame
# timestamps come from the adapter's own counter, which is the first thing to
# verify given the 1970-01-01 timestamps in Suricata's alert.log. Because the
# host clock is now the root of the capture timeline, make sure it is itself
# disciplined (NTP/PTP) and alarmed on drift.
TimeSyncOSInSyncLimit = 50000 # 1 .. 4294967295
TimeSyncReferencePriority = OSTime # FreeRun* - PTP - Int1 - Int2 - Ext1 - OSTime
TimeSyncTimeOffset = 0 # 0 .. 1000000
# Timestamp injection into frames; presumably TX-side and not expected to
# affect the RX timestamps Suricata sees -- confirm.
TimestampInjectAlways = true # true/false, ...
TimestampInjectDynamicOffset = TSI_DYN_SOF # TSI_DYN_SOF* - TSI_DYN_EOF - TSI_DYN_L3 - TSI_DYN_L4
TimestampInjectStaticOffset = 0 # -16384 .. 16383, ...
TxTiming = RELATIVE # ABSOLUTE - RELATIVE*
# Same VXLAN port the Suricata decoder is configured for via $VXLAN_PORTS;
# keep the two in step if either changes.
VXLANAltDestinationPorts = 4789,4789 # X1, X2