Intrusion Detection and Prevention / Enabling suricata IPS in 22.1 causes Alerts timestamps to break (zero)
« on: February 06, 2022, 10:26:41 pm »
Fresh install of 22.1 with a restored configuration that was backed up from a previously upgraded 21.7.8 -> 22.1. Enabling suricata IDS works fine, with alerts coming through with the expected timestamp. However, when turning on IPS mode (single listening interface, physical trunk), all timestamps for Alerts are zeroed out. This reverts if suricata is switched back to IDS mode, and is repeatable IDS -> IPS -> IDS ad infinitum. Has anyone seen this error before? What might be happening here?
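One way to quantify the symptom described in the post before and after toggling IDS/IPS mode is to audit the Suricata EVE log directly, rather than relying on the web UI's alert view. The following is an added example, not code from the original post or from OPNsense/Suricata. It assumes alerts are read from Suricata's `eve.json` (one JSON object per line, `timestamp` in Suricata's ISO-8601 form) and that a "zeroed" timestamp surfaces as the Unix epoch or a date far in the past; the sample log lines, signature IDs and IP addresses are constructed for the demonstration.

```python
import json
from datetime import datetime, timezone

# Constructed sample eve.json lines (not taken from the post or any real sensor):
# a normal alert, an alert whose timestamp has collapsed to the Unix epoch, and a
# non-alert flow record that the audit should ignore.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2022-02-06T22:26:41.123456+0000","event_type":"alert",'
    '"src_ip":"192.0.2.10","dest_ip":"192.0.2.20",'
    '"alert":{"signature_id":1000001,"signature":"CONSTRUCTED test signature","severity":2}}',
    '{"timestamp":"1970-01-01T00:00:00.000000+0000","event_type":"alert",'
    '"src_ip":"192.0.2.10","dest_ip":"192.0.2.20",'
    '"alert":{"signature_id":1000001,"signature":"CONSTRUCTED test signature","severity":2}}',
    '{"timestamp":"2022-02-06T22:26:42.000000+0000","event_type":"flow",'
    '"src_ip":"192.0.2.10","dest_ip":"192.0.2.20"}',
]

# Suricata writes EVE timestamps as e.g. 2022-02-06T22:26:41.123456+0000.
EVE_TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Assumption: any alert dated before this is treated as a broken timestamp.
# Adjust to shortly before the sensor was deployed.
DEFAULT_MIN_PLAUSIBLE = datetime(2022, 1, 1, tzinfo=timezone.utc)


def parse_eve_timestamp(value):
    """Parse an EVE timestamp string; return None if it is absent or malformed."""
    try:
        return datetime.strptime(value, EVE_TS_FORMAT)
    except (TypeError, ValueError):
        return None


def classify_alert(record, min_plausible=DEFAULT_MIN_PLAUSIBLE):
    """Label one alert record: ok, missing, unparseable, or zeroed."""
    raw_ts = record.get("timestamp")
    if raw_ts is None:
        return "missing"
    parsed = parse_eve_timestamp(raw_ts)
    if parsed is None:
        return "unparseable"
    if parsed == EPOCH or parsed < min_plausible:
        return "zeroed"
    return "ok"


def audit_eve_alerts(lines, min_plausible=DEFAULT_MIN_PLAUSIBLE):
    """Walk eve.json lines and report the timestamp status of every alert event."""
    results = []
    for lineno, raw in enumerate(lines, 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            record = json.loads(raw)
        except json.JSONDecodeError:
            results.append({"line": lineno, "status": "bad_json", "signature": None})
            continue
        if record.get("event_type") != "alert":
            continue  # flows, DNS, TLS etc. are not what the post is about
        results.append({
            "line": lineno,
            "status": classify_alert(record, min_plausible),
            "signature": record.get("alert", {}).get("signature"),
        })
    return results


def summarize(results):
    """Count alerts per status so a before/after mode toggle can be compared."""
    counts = {}
    for entry in results:
        counts[entry["status"]] = counts.get(entry["status"], 0) + 1
    return counts


if __name__ == "__main__":
    # To run against a live sensor, replace SAMPLE_EVE_LINES with
    # open("/var/log/suricata/eve.json") (path is an assumption; check your install).
    findings = audit_eve_alerts(SAMPLE_EVE_LINES)
    for entry in findings:
        print(entry)
    print(summarize(findings))
```

Running the audit once in IDS mode and once after switching to IPS mode gives two `summarize` results; a jump in the `zeroed` count with no change in rule set isolates the problem to the mode switch and gives a concrete number to attach to a bug report.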