Incorrect Timestamp in Suricata Detection Logs

Please include the following information with your help request:

> suricata -V
This is Suricata version 7.0.5 RELEASE
> cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
Installed from: source
> suricata --build-info
This is Suricata version 7.0.5 RELEASE
Features: PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HTTP2_DECOMPRESSION HAVE_LIBJANSSON TLS TLS_GNU MAGIC RUST
SIMD support: SSE_4_2 SSE_4_1 SSE_3
Atomic intrinsics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 4.8.5 20150623 (Red Hat 4.8.5-44), C version 199901
compiled with _FORTIFY_SOURCE=0
L1 cache line size (CLS)=64
thread local storage method: __thread
compiled with LibHTP v0.5.48, linked against LibHTP v0.5.48

Suricata Configuration:
  AF_PACKET support:                       yes
  AF_XDP support:                          no
  DPDK support:                            no
  eBPF support:                            no
  XDP support:                             no
  PF_RING support:                         no
  NFQueue support:                         no
  NFLOG support:                           no
  IPFW support:                            no
  Netmap support:                          no
  DAG enabled:                             no
  Napatech enabled:                        no
  WinDivert enabled:                       no

  Unix socket enabled:                     yes
  Detection enabled:                       yes

  Libmagic support:                        yes
  libjansson support:                      yes
  hiredis support:                         no
  hiredis async with libevent:             no
  PCRE jit:                                yes
  LUA support:                             no
  libluajit:                               no
  GeoIP2 support:                          no
  Non-bundled htp:                         no
  Hyperscan support:                       no
  Libnet support:                          yes
  liblz4 support:                          yes
  Landlock support:                        no

  Rust support:                            yes
  Rust strict mode:                        no
  Rust compiler path:                      /usr/bin/rustc
  Rust compiler version:                   rustc 1.72.1 (d5c2e9c34 2023-09-13) (Red Hat 1.72.1-2.el7)
  Cargo path:                              /usr/bin/cargo
  Cargo version:                           cargo 1.72.1

  Python support:                          yes
  Python path:                             /usr/bin/python3
  Install suricatactl:                     yes
  Install suricatasc:                      yes
  Install suricata-update:                 yes

  Profiling enabled:                       no
  Profiling locks enabled:                 no
  Profiling rules enabled:                 no

  Plugin support (experimental):           yes
  DPDK Bond PMD:                           no

Development settings:
  Coccinelle / spatch:                     no
  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no
  Fuzz targets enabled:                    no

Generic build parameters:
  Installation prefix:                     /usr
  Configuration directory:                 /etc/suricata/
  Log directory:                           /var/log/suricata/

  --prefix                                 /usr
  --sysconfdir                             /etc
  --localstatedir                          /var
  --datarootdir                            /usr/share

  Host:                                    x86_64-pc-linux-gnu
  Compiler:                                gcc -std=gnu11 (exec name) / g++ -std=gnu++11 (real)
  GCC Protect enabled:                     no
  GCC march native enabled:                yes
  GCC Profile enabled:                     no
  Position Independent Executable enabled: no
  CFLAGS                                   -g -O2 -fPIC -std=gnu99 -march=native -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist
  PCAP_CFLAGS
  SECCFLAGS
suricata.yaml

cat /etc/suricata/suricata.yaml  | egrep -v '#'
%YAML 1.1
---
suricata-version: "7.0"
default-log-dir: /data/program/suricata/log
stats:
  enabled: yes
  interval: 60
outputs:
  - fast:
      enabled: no
      filename: fast.log
      append: yes
  - eve-log:
      enabled: yes
      filename: "%Y%m%d-eve.json"
      rotate-interval: day
      pcap-file: false
      community-id: false
      community-id-seed: 0
      xff:
        enabled: no
        mode: extra-data
        deployment: reverse
        header: X-Forwarded-For
      types:
        - alert:
        - anomaly:
            enabled: no
            types:
  - stats:
      enabled: yes
      filename: stats.log
      xff:
        enabled: no
        mode: extra-data
        deployment: reverse
        header: X-Forwarded-For
logging:
  default-log-level: notice
  default-output-filter:
  outputs:
  - console:
      enabled: yes
af-packet:
  - interface: eth0
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
  - interface: default
af-xdp:
  - interface: default
pcap:
  - interface: eth0
  - interface: default
pcap-file:
  checksum-checks: auto
coredump:
  max-dump: 0
host-mode: sniffer-only
max-pending-packets: 10000
runmode: workers
default-packet-size: 30000
unix-command:
  enabled: no
magic-file: /usr/share/file/magic
legacy:
  uricontent: enabled
engine-analysis:
  rules-fast-pattern: yes
  rules: yes
pcre:
  match-limit: 3500
  match-limit-recursion: 1500
defrag:
  memcap: 32mb
  hash-size: 65536
  prealloc: yes
  timeout: 60
flow:
  memcap: 128mb
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30
vlan:
  use-for-tracking: true
livedev:
  use-for-tracking: true
flow-timeouts:
  default:
    new: 30
    established: 300
    closed: 0
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
    emergency-bypassed: 50
  tcp:
    new: 60
    established: 600
    closed: 60
    bypassed: 100
    emergency-new: 5
    emergency-established: 100
    emergency-closed: 10
    emergency-bypassed: 50
  udp:
    new: 30
    established: 300
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-bypassed: 50
  icmp:
    new: 30
    established: 300
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-bypassed: 50
stream:
  memcap: 64mb
  reassembly:
    memcap: 256mb
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes
host:
  hash-size: 4096
  prealloc: 1000
  memcap: 32mb
decoder:
  teredo:
    enabled: false
  vxlan:
    enabled: false
  geneve:
    enabled: false
detect:
  profile: high
  custom-values:
    toclient-groups: 200
    toserver-groups: 200
  sgh-mpm-context: auto
  inspection-recursion-limit: 3000
  prefilter:
    default: mpm
  grouping:
  profiling:
    grouping:
      dump-to-disk: false
      include-mpm-stats: false
mpm-algo: auto
spm-algo: auto
threading:
  set-cpu-affinity: no
  cpu-affinity:
    - management-cpu-set:
    - receive-cpu-set:
    - worker-cpu-set:
        cpu: [ "all" ]
        mode: "exclusive"
        prio:
          low: [ 0 ]
          medium: [ "1-2" ]
          high: [ 3 ]
          default: "medium"
  detect-thread-ratio: 1.0
luajit:
  states: 128
profiling:
  rules:
    enabled: yes
    filename: rule_perf.log
    append: yes
    sort: ticks
    limit: 10
    json: false
  keywords:
    enabled: no
    filename: keyword_perf.log
    append: yes
  prefilter:
    enabled: no
    filename: prefilter_perf.log
    append: yes
  rulegroups:
    enabled: no
    filename: rule_group_perf.log
    append: yes
  packets:
    enabled: no
    filename: packet_stats.log
    append: yes
    csv:
      enabled: no
      filename: packet_stats.csv
  locks:
    enabled: no
    filename: lock_stats.log
    append: yes
  pcap-log:
    enabled: no
    filename: pcaplog_stats.log
    append: yes
nfq:
nflog:
  - group: 2
    buffer-size: 18432
  - group: default
    qthreshold: 1
    qtimeout: 100
    max-size: 20000
capture:
netmap:
 - interface: eth2
 - interface: default
pfring:
  - interface: eth0
    threads: auto
    cluster-id: 99
    cluster-type: cluster_flow
  - interface: default
ipfw:
napatech:
    streams: ["0-3"]
    enable-stream-stats: no
    auto-config: yes
    hardware-bypass: yes
    inline: no
    ports: [0-1,2-3]
    hashmode: hash5tuplesorted
default-rule-path: /etc/suricata/rules
rule-files:
  - modsec.rules
classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config

====
Hello,

I am encountering an issue with Suricata where the timestamp and start fields in the detection logs (eve.json) are intermittently showing the year 2106. This appears to happen sporadically and affects either or both fields.

{
    "timestamp": "2106-02-06T09:32:34.031099+0900",
    "flow_id": 696522016219839,
    "in_iface": "eth0",
    "event_type": "alert",
    "src_ip": "10.10.10.10",
    "src_port": 44453,
    "dest_ip": "10.20.30.40",
    "dest_port": 1234,
    "proto": "UDP",
    "pkt_src": "wire/pcap",
    "alert": {
        "action": "allowed",
        "gid": 1,
        "signature_id": 1101305,
        "rev": 0,
        "signature": "Grafana_avatar_ssrf(CVE-2020-13379)",
        "category": "",
        "severity": 3
    },
    "app_proto": "failed",
    "direction": "to_server",
    "flow": {
        "pkts_toserver": 303359060,
        "pkts_toclient": 0,
        "bytes_toserver": 565407159745,
        "bytes_toclient": 0,
        "start": "2106-02-06T09:32:34.031099+0900",
        "src_ip": "10.10.10.10",
        "dest_ip": "10.20.30.40",
        "src_port": 44453,
        "dest_port": 1234
    },
    "payload_printable": "{\"hostname\":\"test\",\"request\":{\"request_line\":\"GET /api/v2/abcd HTTP/2.0\",\"headers\":{\"Host\":\"test.com\",\"Authorization\":\"\",\"User-Agent\":\"\",\"Referer\":\"\",\"Content-Type\":\"application/json\",\"Cookie\":\"\"},\"body\":[\"\"]},\"transaction\":{\"remote_address\":\"1.1.1.1\",\"transaction_id\":\"84b4a4478206148d28e3a9699001f0b1\",\"local_port\":443,\"time\":\"2024-07-24T09:17:35+09:00\",\"remote_port\":46823,\"local_address\":\"10.194.46.215\"},\"audit_data\":{\"agent\":\"private\"},\"response\":{\"status\":200,\"headers\":{},\"body\":\"\"}}",
    "stream": 0
}

Do you have a pcap? Could this already be off in the packets?

@satta
We have configured a separate optical fiber cable connected to the server to monitor real-time traffic with Suricata. Therefore, there is no possibility of a separate PCAP file or incorrect timestamps within the PCAP file.

Thanks for the info, I see. But what I meant was whether you can provide a pcap of traffic that triggers this behaviour in Suricata.

@satta
Unfortunately, we do not store pcap files due to the high volume of traffic. If necessary, we can briefly check for cases where the ‘2106’ string is present using live tcpdump. However, since the capture would only be for a short period, we cannot be certain if the specific traffic will be captured.

With af-packet the timestamp comes from af-packet, and by default we set SOF_TIMESTAMPING_RAW_HARDWARE which means we’ll use the hardware timestamp the NIC/driver provides. Unfortunately there is no way to disable this other than commenting out some code and recompiling.

It might be worth checking the NIC settings.

I think this might actually be a suitable first step to find out if the issue is actually related to Suricata or not – if the date is also wrong in tcpdump output, the issue is likely to originate somewhere else, since Suricata is not even involved.
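A triage check in the spirit of the advice above, added here as an example (not code from the thread or from the Suricata project): it scans eve.json lines for `timestamp` and `flow.start` values that lie in the future relative to the capture host's clock and reports how far each one sits below the 2^32-second boundary, since the year 2106 is where an unsigned 32-bit seconds counter runs out. The sample lines and the clock value are constructed; the format string matches the record shown in the post.

```python
import json
from datetime import datetime, timedelta, timezone

# Suricata writes eve timestamps as e.g. "2106-02-06T09:32:34.031099+0900".
EVE_TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"
# 2^32 seconds after the Unix epoch, where an unsigned 32-bit seconds
# counter ends; a year-2106 value sits just below this boundary.
UINT32_SECONDS_END = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=2**32)


def find_future_timestamps(lines, now, tolerance=timedelta(hours=1)):
    """Report 'timestamp' and 'flow.start' values more than `tolerance` ahead
    of `now` (the capture host's clock) as tuples
    (flow_id, field, value, seconds_ahead, seconds_below_uint32_end)."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        checks = {"timestamp": rec.get("timestamp"),
                  "flow.start": rec.get("flow", {}).get("start")}
        for field, value in checks.items():
            if value is None:
                continue
            ts = datetime.strptime(value, EVE_TS_FORMAT)
            ahead = (ts - now).total_seconds()
            if ahead > tolerance.total_seconds():
                below_end = (UINT32_SECONDS_END - ts).total_seconds()
                findings.append((rec.get("flow_id"), field, value, ahead, below_end))
    return findings


# Constructed sample: one record carrying the year-2106 values from the post
# (other fields trimmed), one record with a plausible timestamp.
SAMPLE_LINES = [
    '{"timestamp": "2106-02-06T09:32:34.031099+0900", "flow_id": 696522016219839, '
    '"event_type": "alert", "flow": {"start": "2106-02-06T09:32:34.031099+0900"}}',
    '{"timestamp": "2024-07-24T09:17:35.000000+0900", "flow_id": 1, '
    '"event_type": "alert", "flow": {"start": "2024-07-24T09:17:30.000000+0900"}}',
]
# Capture host clock at review time (constructed, same +0900 zone as the log).
SAMPLE_NOW = datetime(2024, 7, 24, 9, 20, 0, tzinfo=timezone(timedelta(hours=9)))

def run_sample():
    return find_future_timestamps(SAMPLE_LINES, SAMPLE_NOW)

if __name__ == "__main__":
    for flow_id, field, value, ahead, below_end in run_sample():
        print(f"flow {flow_id}: {field}={value} is {ahead / 86400:.0f} days ahead, "
              f"{below_end:.0f} s below the 2^32-second boundary")
```

If tcpdump on the same interface shows the same 2106 values, the check points at the timestamp source rather than at Suricata, which is the distinction the replies above are after.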