Pull request #3639: netflow: if LAST_SWITCHED isn't provided, use packet time

Merge in SNORT/snort3 from ~MMATIRKO/snort3:nf_timestamp to master

Squashed commit of the following:

commit d7d56537ca9c9318ff1aa22a6ee8e8d2ec2bc12e
Author: Michael Matirko <mmatirko@cisco.com>
Date:   Thu Oct 27 10:44:26 2022 -0400

    netflow: if LAST_SWITCHED isn't provided, use packet time

diff --git a/src/service_inspectors/netflow/netflow.cc b/src/service_inspectors/netflow/netflow.cc
index eea7c9bcfa16eaacdd83080945cc22aca13010ad..1268aaa1acb6dc72bde35de0b7dd8601db7bb8e5 100644 (file)
--- a/src/service_inspectors/netflow/netflow.cc
+++ b/src/service_inspectors/netflow/netflow.cc
@@ -36,6 +36,7 @@
 #include "protocols/packet.h"
 #include "pub_sub/netflow_event.h"
 #include "src/utils/endian.h"
+#include "time/packet_time.h"
 #include "utils/util.h"
 
 #include "netflow_cache.cc"
@@ -152,6 +153,15 @@ static void publish_netflow_event(const Packet* p, const NetFlowRule* match, Net
         }
     }
 
+
+    // Certain implementations of NetFlow don't use FIRST_PKT_SECOND and
+    // LAST_PKT_SECOND - if these aren't set, assume the current wire pkt time
+    if (!record.first_pkt_second or !record.last_pkt_second)
+    {
+        record.first_pkt_second = packet_time();
+        record.last_pkt_second = packet_time();
+    }
+
     NetFlowEvent event(p, &record, match->create_host, match->create_service, swapped, serviceID);
     DataBus::publish(NETFLOW_EVENT, event);
 }