From: Steven Baigal (sbaigal) Date: Thu, 27 Oct 2022 19:21:13 +0000 (+0000) Subject: Pull request #3639: netflow: if LAST_SWITCHED isn't provided, use packet time X-Git-Tag: 3.1.47.0~26 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bdbd00b59f8d16d32efb88f9284b7cec2bcf6689;p=thirdparty%2Fsnort3.git Pull request #3639: netflow: if LAST_SWITCHED isn't provided, use packet time Merge in SNORT/snort3 from ~MMATIRKO/snort3:nf_timestamp to master Squashed commit of the following: commit d7d56537ca9c9318ff1aa22a6ee8e8d2ec2bc12e Author: Michael Matirko Date: Thu Oct 27 10:44:26 2022 -0400 netflow: if LAST_SWITCHED isn't provided, use packet time
---
diff --git a/src/service_inspectors/netflow/netflow.cc b/src/service_inspectors/netflow/netflow.cc
index eea7c9bcf..1268aaa1a 100644
--- a/src/service_inspectors/netflow/netflow.cc
+++ b/src/service_inspectors/netflow/netflow.cc
@@ -36,6 +36,7 @@
 #include "protocols/packet.h"
 #include "pub_sub/netflow_event.h"
 #include "src/utils/endian.h"
+#include "time/packet_time.h"
 #include "utils/util.h"
 #include "netflow_cache.cc"
@@ -152,6 +153,15 @@ static void publish_netflow_event(const Packet* p, const NetFlowRule* match, Net
 }
 }
+
+ // Certain implementations of NetFlow don't use FIRST_PKT_SECOND and
+ // LAST_PKT_SECOND - if these aren't set, assume the current wire pkt time
+ if (!record.first_pkt_second or !record.last_pkt_second)
+ {
+ record.first_pkt_second = packet_time();
+ record.last_pkt_second = packet_time();
+ }
+
 NetFlowEvent event(p, &record, match->create_host, match->create_service, swapped, serviceID);
 DataBus::publish(NETFLOW_EVENT, event);
 }
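Review bot: When only one of the two timestamps is zero, the added `if (!record.first_pkt_second or !record.last_pkt_second)` block overwrites the one the exporter did supply with the wire time, so a valid first timestamp (and the flow duration it implied) is silently discarded. If clobbering both is deliberate, to guarantee first never exceeds last, the comment should say so; otherwise fill only the field that is missing. In either case call `packet_time()` once, `const auto now = packet_time();`, and assign `now` to both fields so they cannot differ between the two calls. The comment names FIRST_PKT_SECOND/LAST_PKT_SECOND while the commit title speaks of LAST_SWITCHED; naming the NetFlow field these record members are derived from would help the next reader, if that mapping is what the author intends. The body of publish_netflow_event begins outside the hunk.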