From bdbd00b59f8d16d32efb88f9284b7cec2bcf6689 Mon Sep 17 00:00:00 2001
From: "Steven Baigal (sbaigal)"
Date: Thu, 27 Oct 2022 19:21:13 +0000
Subject: [PATCH] Pull request #3639: netflow: if LAST_SWITCHED isn't provided, use packet time
Merge in SNORT/snort3 from ~MMATIRKO/snort3:nf_timestamp to master
Squashed commit of the following:
commit d7d56537ca9c9318ff1aa22a6ee8e8d2ec2bc12e
Author: Michael Matirko
Date: Thu Oct 27 10:44:26 2022 -0400
netflow: if LAST_SWITCHED isn't provided, use packet time
---
 src/service_inspectors/netflow/netflow.cc | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/src/service_inspectors/netflow/netflow.cc b/src/service_inspectors/netflow/netflow.cc
index eea7c9bcf..1268aaa1a 100644
--- a/src/service_inspectors/netflow/netflow.cc
+++ b/src/service_inspectors/netflow/netflow.cc
@@ -36,6 +36,7 @@
 #include "protocols/packet.h"
 #include "pub_sub/netflow_event.h"
 #include "src/utils/endian.h"
+#include "time/packet_time.h"
 #include "utils/util.h"
 #include "netflow_cache.cc"
@@ -152,6 +153,15 @@ static void publish_netflow_event(const Packet* p, const NetFlowRule* match, Net
 }
 }
+
+ // Certain implementations of NetFlow don't use FIRST_PKT_SECOND and
+ // LAST_PKT_SECOND - if these aren't set, assume the current wire pkt time
+ if (!record.first_pkt_second or !record.last_pkt_second)
+ {
+ record.first_pkt_second = packet_time();
+ record.last_pkt_second = packet_time();
+ }
+
 NetFlowEvent event(p, &record, match->create_host, match->create_service, swapped, serviceID);
 DataBus::publish(NETFLOW_EVENT, event);
 }
--
2.47.3
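Review bot: The fallback condition `!record.first_pkt_second or !record.last_pkt_second` replaces both fields when only one of them is zero, so a record that carries a valid first-seen time but no last-seen time loses the exporter's value and is stamped with the wire time for both. If that is intended (to keep first at or before last), the comment should say so, e.g. `// a partial pair is replaced as a whole so first_pkt_second never exceeds last_pkt_second`; otherwise only the missing field should be filled. Once the event is published, the substituted time is indistinguishable from an exporter-reported one, which matters to any consumer that builds host or service timelines from NETFLOW_EVENT; a marker on the record or a counter at this point would let them be told apart. The comment names FIRST_PKT_SECOND and LAST_PKT_SECOND while the commit subject says LAST_SWITCHED, and using one name would make the change easier to trace. publish_netflow_event begins above this hunk, so how the two fields are populated from the exporter's data is not visible here.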