Please include the following information with your help request:
> suricata -V
> This is Suricata version 7.0.5 RELEASE
> cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
> source
suricata --build-info
This is Suricata version 7.0.5 RELEASE
Features: PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HTTP2_DECOMPRESSION HAVE_LIBJANSSON TLS TLS_GNU MAGIC RUST
SIMD support: SSE_4_2 SSE_4_1 SSE_3
Atomic intrinsics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 4.8.5 20150623 (Red Hat 4.8.5-44), C version 199901
compiled with _FORTIFY_SOURCE=0
L1 cache line size (CLS)=64
thread local storage method: __thread
compiled with LibHTP v0.5.48, linked against LibHTP v0.5.48
Suricata Configuration:
AF_PACKET support: yes
AF_XDP support: no
DPDK support: no
eBPF support: no
XDP support: no
PF_RING support: no
NFQueue support: no
NFLOG support: no
IPFW support: no
Netmap support: no
DAG enabled: no
Napatech enabled: no
WinDivert enabled: no
Unix socket enabled: yes
Detection enabled: yes
Libmagic support: yes
libjansson support: yes
hiredis support: no
hiredis async with libevent: no
PCRE jit: yes
LUA support: no
libluajit: no
GeoIP2 support: no
Non-bundled htp: no
Hyperscan support: no
Libnet support: yes
liblz4 support: yes
Landlock support: no
Rust support: yes
Rust strict mode: no
Rust compiler path: /usr/bin/rustc
Rust compiler version: rustc 1.72.1 (d5c2e9c34 2023-09-13) (Red Hat 1.72.1-2.el7)
Cargo path: /usr/bin/cargo
Cargo version: cargo 1.72.1
Python support: yes
Python path: /usr/bin/python3
Install suricatactl: yes
Install suricatasc: yes
Install suricata-update: yes
Profiling enabled: no
Profiling locks enabled: no
Profiling rules enabled: no
Plugin support (experimental): yes
DPDK Bond PMD: no
Development settings:
Coccinelle / spatch: no
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no
Fuzz targets enabled: no
Generic build parameters:
Installation prefix: /usr
Configuration directory: /etc/suricata/
Log directory: /var/log/suricata/
--prefix /usr
--sysconfdir /etc
--localstatedir /var
--datarootdir /usr/share
Host: x86_64-pc-linux-gnu
Compiler: gcc -std=gnu11 (exec name) / g++ -std=gnu++11 (real)
GCC Protect enabled: no
GCC march native enabled: yes
GCC Profile enabled: no
Position Independent Executable enabled: no
CFLAGS -g -O2 -fPIC -std=gnu99 -march=native -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist
PCAP_CFLAGS
SECCFLAGS
suricata.yaml
cat /etc/suricata/suricata.yaml | egrep -v '#'
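%YAML 1.1
---
# Reconstructed from a `egrep -v '#'` dump: the paste lost all indentation, and that
# filter also removes every ACTIVE line that merely carries a trailing "# ..." comment,
# so keys that look empty below (e.g. the management/receive cpu sets, grouping:,
# nfq:, capture:, ipfw:) may not be empty in the running file. Confirm the effective
# configuration with `suricata --dump-config` or `grep -v '^\s*#' suricata.yaml`,
# which keep such lines.
suricata-version: "7.0"
default-log-dir: /data/program/suricata/log

stats:
  enabled: yes
  interval: 60

outputs:
  - fast:
      enabled: no
      filename: fast.log
      append: yes
  - eve-log:
      enabled: yes
      # strftime pattern; together with rotate-interval this yields one file per day.
      filename: "%Y%m%d-eve.json"
      rotate-interval: day
      pcap-file: false
      community-id: false
      community-id-seed: 0
      # XFF disabled: if this sensor sits behind a reverse proxy, alerts are
      # attributed to the proxy address rather than the original client.
      xff:
        enabled: no
        mode: extra-data
        deployment: reverse
        header: X-Forwarded-For
      # Only alert records are emitted (anomaly is off); no flow/http/dns records
      # are written to eve.json, so per-event context is limited to the alert itself.
      types:
        - alert:
        - anomaly:
            enabled: no
            types:
  - stats:
      enabled: yes
      filename: stats.log
      # NOTE(review): xff appeared directly after the stats keys in the dump and is
      # placed here to preserve that order; it is not a stats-output setting -- verify
      # which output it actually belongs to in the real file.
      xff:
        enabled: no
        mode: extra-data
        deployment: reverse
        header: X-Forwarded-For

logging:
  default-log-level: notice
  default-output-filter:
  outputs:
    - console:
        enabled: yes

# Capture: AF_PACKET is the only capture method compiled into this build
# (--build-info: AF_PACKET support: yes; af-xdp, pf_ring, netmap, nflog, ipfw,
# napatech all "no"), so only this section and pcap are effective.
af-packet:
  - interface: eth0
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
  - interface: default

af-xdp:
  - interface: default

pcap:
  - interface: eth0
  - interface: default

pcap-file:
  checksum-checks: auto

coredump:
  max-dump: 0

host-mode: sniffer-only
max-pending-packets: 10000
runmode: workers
# Well above a standard 1500-byte MTU; presumably set for jumbo frames or
# encapsulated traffic -- TODO confirm against the eth0 MTU.
default-packet-size: 30000

# Control socket (suricatasc) disabled.
unix-command:
  enabled: no

magic-file: /usr/share/file/magic

legacy:
  uricontent: enabled

engine-analysis:
  rules-fast-pattern: yes
  rules: yes

pcre:
  match-limit: 3500
  match-limit-recursion: 1500

defrag:
  memcap: 32mb
  hash-size: 65536
  prealloc: yes
  timeout: 60

flow:
  memcap: 128mb
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30

vlan:
  use-for-tracking: true

livedev:
  use-for-tracking: true

flow-timeouts:
  default:
    new: 30
    established: 300
    closed: 0
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
    emergency-bypassed: 50
  tcp:
    new: 60
    established: 600
    closed: 60
    bypassed: 100
    emergency-new: 5
    emergency-established: 100
    emergency-closed: 10
    emergency-bypassed: 50
  udp:
    new: 30
    established: 300
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-bypassed: 50
  icmp:
    new: 30
    established: 300
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-bypassed: 50

stream:
  memcap: 64mb
  # NOTE(review): checksum-validation, inline and reassembly depth are not shown;
  # in the shipped defaults those lines carry inline comments and would have been
  # dropped by the grep -- confirm their effective values.
  reassembly:
    memcap: 256mb
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes

host:
  hash-size: 4096
  prealloc: 1000
  memcap: 32mb

# Tunnel decoding disabled: traffic encapsulated in Teredo, VXLAN or Geneve
# is not decoded and therefore not inspected by the rules.
decoder:
  teredo:
    enabled: false
  vxlan:
    enabled: false
  geneve:
    enabled: false

detect:
  profile: high
  custom-values:
    toclient-groups: 200
    toserver-groups: 200
  sgh-mpm-context: auto
  inspection-recursion-limit: 3000
  prefilter:
    default: mpm
  grouping:
  profiling:
    grouping:
      dump-to-disk: false
      include-mpm-stats: false

mpm-algo: auto
spm-algo: auto

threading:
  set-cpu-affinity: no
  cpu-affinity:
    - management-cpu-set:
    - receive-cpu-set:
    - worker-cpu-set:
        cpu: [ "all" ]
        mode: "exclusive"
        prio:
          low: [ 0 ]
          medium: [ "1-2" ]
          high: [ 3 ]
          default: "medium"
  detect-thread-ratio: 1.0

# No effect on this build: --build-info reports "LUA support: no".
luajit:
  states: 128

# No effect on this build: --build-info reports "Profiling enabled: no" and
# "Profiling rules enabled: no", so rule_perf.log is never written.
profiling:
  rules:
    enabled: yes
    filename: rule_perf.log
    append: yes
    sort: ticks
    limit: 10
    json: false
  keywords:
    enabled: no
    filename: keyword_perf.log
    append: yes
  prefilter:
    enabled: no
    filename: prefilter_perf.log
    append: yes
  rulegroups:
    enabled: no
    filename: rule_group_perf.log
    append: yes
  packets:
    enabled: no
    filename: packet_stats.log
    append: yes
    csv:
      enabled: no
      filename: packet_stats.csv
  locks:
    enabled: no
    filename: lock_stats.log
    append: yes
  pcap-log:
    enabled: no
    filename: pcaplog_stats.log
    append: yes

# The sections below are inert on this build (not compiled in, see --build-info).
nfq:

nflog:
  - group: 2
    buffer-size: 18432
  - group: default
    qthreshold: 1
    qtimeout: 100
    max-size: 20000

capture:

netmap:
  - interface: eth2
  - interface: default

pfring:
  - interface: eth0
    threads: auto
    cluster-id: 99
    cluster-type: cluster_flow
  - interface: default

ipfw:

napatech:
  streams: ["0-3"]
  enable-stream-stats: no
  auto-config: yes
  hardware-bypass: yes
  inline: no
  ports: [0-1,2-3]
  hashmode: hash5tuplesorted

# Single custom rule file; no suricata-update managed set is referenced here.
default-rule-path: /etc/suricata/rules
rule-files:
  - modsec.rules

classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config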
====
Hello,
I am encountering an issue with Suricata where the `timestamp` and `start` fields in the detection logs (eve.json) intermittently show the year 2106. This happens sporadically and affects either or both fields.
{
"timestamp": "2106-02-06T09:32:34.031099+0900",
"flow_id": 696522016219839,
"in_iface": "eth0",
"event_type": "alert",
"src_ip": "10.10.10.10",
"src_port": 44453,
"dest_ip": "10.20.30.40",
"dest_port": 1234,
"proto": "UDP",
"pkt_src": "wire/pcap",
"alert": {
"action": "allowed",
"gid": 1,
"signature_id": 1101305,
"rev": 0,
"signature": "Grafana_avatar_ssrf(CVE-2020-13379)",
"category": "",
"severity": 3
},
"app_proto": "failed",
"direction": "to_server",
"flow": {
"pkts_toserver": 303359060,
"pkts_toclient": 0,
"bytes_toserver": 565407159745,
"bytes_toclient": 0,
"start": "2106-02-06T09:32:34.031099+0900",
"src_ip": "10.10.10.10",
"dest_ip": "10.20.30.40",
"src_port": 44453,
"dest_port": 1234
},
"payload_printable": "{\"hostname\":\"test\",\"request\":{\"request_line\":\"GET /api/v2/abcd HTTP/2.0\",\"headers\":{\"Host\":\"test.com\",\"Authorization\":\"\",\"User-Agent\":\"\",\"Referer\":\"\",\"Content-Type\":\"application/json\",\"Cookie\":\"\"},\"body\":[\"\"]},\"transaction\":{\"remote_address\":\"1.1.1.1\",\"transaction_id\":\"84b4a4478206148d28e3a9699001f0b1\",\"local_port\":443,\"time\":\"2024-07-24T09:17:35+09:00\",\"remote_port\":46823,\"local_address\":\"10.194.46.215\"},\"audit_data\":{\"agent\":\"private\"},\"response\":{\"status\":200,\"headers\":{},\"body\":\"\"}}",
"stream": 0
}