From: Masud Hasan (mashasan) Date: Tue, 28 Jun 2022 19:28:13 +0000 (+0000) Subject: Pull request #3488: netflow: fix v5 header time value X-Git-Tag: 3.1.33.0~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=af848501ce7bb81a244cf950fe322a21c809b258;p=thirdparty%2Fsnort3.git Pull request #3488: netflow: fix v5 header time value Merge in SNORT/snort3 from ~MMATIRKO/snort3:netflow_odds_and_ends to master Squashed commit of the following: commit 6cc63741d7f3cee1d0ce8feb449df868d8b9f947 Author: Michael Matirko Date: Tue Jun 28 14:38:57 2022 -0400 netflow: fix v5 header time value
---
diff --git a/src/service_inspectors/netflow/netflow.cc b/src/service_inspectors/netflow/netflow.cc
index 4ea621185..39a458c39 100644
--- a/src/service_inspectors/netflow/netflow.cc
+++ b/src/service_inspectors/netflow/netflow.cc
@@ -253,7 +253,7 @@ static bool version_9_record_update(const unsigned char* data, uint32_t unix_sec
     last_pkt_time = ntohl(*(const time_t*)data)/1000;
     // last_pkt_time (LAST_SWITCHED) is defined as the system uptime
-    // at which the flow was seen. If this is == to the current uptime
+    // at which the flow was seen. If this is >= to the current uptime
     // something has gone wrong - use the NetFlow header unix time instead.
     if (last_pkt_time >= sys_uptime)
         record.last_pkt_second = unix_secs;
@@ -653,6 +653,13 @@ static bool decode_netflow_v5(const unsigned char* data, uint16_t size,
     if ( first_packet > MAX_TIME or last_packet > MAX_TIME or first_packet > last_packet )
         return false;
 
+    // also invalid flow time values, but we can recover from these malformed times
+    if (ntohl(precord->flow_first)/1000 >= header.sys_uptime)
+        first_packet = header.unix_secs;
+
+    if (ntohl(precord->flow_last)/1000 >= header.sys_uptime)
+        last_packet = header.unix_secs;
+
     NetFlowSessionRecord record = {};
 
     // Invalid source IP address provided
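Review bot: The two recovery assignments in the decode_netflow_v5 hunk run after the `first_packet > last_packet` sanity check, so they can reintroduce the ordering the check just rejected: if only flow_first is malformed, first_packet becomes header.unix_secs while last_packet keeps its earlier, presumably smaller, derived value, and the record is accepted with first after last. Either move the two `if (ntohl(...)/1000 >= header.sys_uptime)` blocks above the existing guard, or repeat the ordering test after them, `if (first_packet > last_packet) return false;`. The comparison of `ntohl(precord->flow_first)/1000` against `header.sys_uptime` assumes the header fields were already converted to host order when header was filled, which happens outside this hunk; that would be worth confirming, since these values come straight from the wire. The comment `// also invalid flow time values, but we can recover from these malformed times` should say what is being recovered, e.g. `// flow_first/flow_last at or beyond the exporter's uptime are malformed; fall back to the header unix time (matches the v9 handling)`. decode_netflow_v5 starts and ends outside the hunk.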