Hello,
In which circumstances may Suricata send an alert whose "timestamp" value is several days later than its "start" value?
Thank you
In theory a very, very long-running connection, but I would argue that this should run into a timeout before that.
Do you have more details for that example and the setup where you have seen this?
Hello Andreas,
Thank you for your answer.
I am trying to get some more information.
As far as I know, this occurs with TCP rules but also with UDP rules (for example: alert udp any any -> any any (msg:"SURICATA UDPv4 invalid checksum"; udpv4-csum:invalid; classtype:protocol-command-decode;))
Is there a timeout at which Suricata decides to stop waiting for the end of a long-running connection?
In what cases could UDP alerts be affected by this behaviour?
There is the flow-timeouts setting in the suricata.yaml config file.
Do you have the chance to reproduce this with a pcap? Although it might not occur there.
And ideally give us more details about your setup/config.
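Before comparing anything against the flow-timeouts values, it helps to measure how large the gap between "timestamp" and "flow.start" actually is in the EVE output, per protocol and per signature. The following is an added example for this thread, not Suricata's own code: it reads eve.json alert records and lists every alert whose timestamp is more than a chosen threshold after the flow start. The field names (timestamp, flow.start, proto, alert.signature) are the ones Suricata's eve-log alert records carry; the sample EVE lines, the addresses in them and the one-day threshold are constructed for illustration.

```python
"""List EVE alert records whose "timestamp" lies far after "flow.start".

Added example for this forum thread, not part of Suricata. The SAMPLE_EVE
lines below are constructed; the one-day threshold in main() is an
assumption, not a Suricata default.
"""
from __future__ import annotations

import json
import sys
from datetime import datetime, timedelta

# Suricata EVE timestamps look like 2024-03-01T10:15:30.123456+0000
EVE_TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"

# Constructed sample: a short-lived TCP alert, a UDP checksum alert whose
# flow started three days earlier (the situation asked about), and a flow
# record that must be ignored because it is not an alert.
SAMPLE_EVE = """\
{"timestamp":"2024-03-01T10:15:30.123456+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP","alert":{"signature":"EXAMPLE TCP alert"},"flow":{"pkts_toserver":4,"pkts_toclient":3,"start":"2024-03-01T10:15:29.900000+0000"}}
{"timestamp":"2024-03-04T09:00:00.000000+0000","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"10.0.0.9","proto":"UDP","alert":{"signature":"SURICATA UDPv4 invalid checksum"},"flow":{"pkts_toserver":120,"pkts_toclient":0,"start":"2024-03-01T08:00:00.000000+0000"}}
{"timestamp":"2024-03-01T10:16:00.000000+0000","event_type":"flow","proto":"TCP","flow":{"start":"2024-03-01T10:15:00.000000+0000","end":"2024-03-01T10:16:00.000000+0000"}}
"""


def parse_eve_ts(value: str) -> datetime:
    """Parse a Suricata EVE timestamp into an aware datetime."""
    return datetime.strptime(value, EVE_TS_FORMAT)


def alert_gap(record: dict) -> timedelta | None:
    """Return timestamp - flow.start for an alert record, else None.

    Non-alert events and alerts without a flow.start field are skipped.
    """
    if record.get("event_type") != "alert":
        return None
    flow = record.get("flow") or {}
    if "start" not in flow or "timestamp" not in record:
        return None
    return parse_eve_ts(record["timestamp"]) - parse_eve_ts(flow["start"])


def find_long_gaps(eve_text: str, max_gap: timedelta) -> list[dict]:
    """Return one summary per alert whose gap exceeds max_gap, largest first."""
    hits: list[dict] = []
    for lineno, line in enumerate(eve_text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated or garbled line should not abort the scan
        gap = alert_gap(record)
        if gap is None or gap <= max_gap:
            continue
        hits.append({
            "line": lineno,
            "proto": record.get("proto"),
            "signature": (record.get("alert") or {}).get("signature"),
            "flow_start": record["flow"]["start"],
            "timestamp": record["timestamp"],
            "gap_seconds": gap.total_seconds(),
        })
    hits.sort(key=lambda h: h["gap_seconds"], reverse=True)
    return hits


def main() -> None:
    # Optionally pass a real eve.json path; otherwise scan the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EVE
    for hit in find_long_gaps(text, timedelta(days=1)):  # threshold is an assumption
        print(f"line {hit['line']}: {hit['proto']} {hit['signature']!r} "
              f"flow.start={hit['flow_start']} timestamp={hit['timestamp']} "
              f"gap={hit['gap_seconds']:.0f}s")


if __name__ == "__main__":
    main()
```

Run it against the real log with `python3 eve_gaps.py /var/log/suricata/eve.json` (file name and path are assumptions). Gaps that exceed the established timeout configured for that protocol under flow-timeouts are the ones worth reporting with a pcap and the matching config section, as requested above.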