Snort mailing list archives
Re: Bug with timestamp. Snort 1.8 and FreeBSD and ACID
From: roman () danyliw com
Date: Tue, 19 Jun 2001 09:42:25 US/Eastern
I'm skeptical that ACID garbled that date, since it read it raw from the database. More likely is that this is how the timestamp was written to the database. Can you confirm this? Run something like:
SELECT * FROM event WHERE sid=1 AND cid=3310
What is the format of the date? Likewise, to re-iterate, the timestamps in the DB should read 12:32:37+02 ?
Roman
Hello,
I'm using Snort 1.8, got from the CVS on June 13th,
under FreeBSD 4.3, and ACID 9.6b10.
There is a problem with the timestamp. It is a common practice to keep the
system clock with the UTC time, having the system configured for the timezone
where you live. In my case, I am in CET, which is UTC+1; with the summer
time, it is CEST, UTC+2.
When I generate an alert, it is correctly timestamped in the "alert" file,
but in the Acid logs it has an incorrect time, which, curiously, is 2 plus
the correct time.
An example:
(from the alert log)
06/19-12:32:37.558494 X.Y.Z.T:1674 -> A.B.C.D:111
06/19-12:32:39.393530 X.Y.Z.T:1678 -> A.B.C.D:111
(The same pasted from Acid)
#0-(1-3310) [arachNIDS] RPC portmap request rstatd 2001-06-19 14:32:39+02
X.Y.Z.T:1678
A.B.C.D:111
UDP
#1-(1-3309)
[arachNIDS] RPC portmap request rstatd 2001-06-19 14:32:37+02
X.Y.Z.T:1674
A.B.C.D:111
UDP
Any ideas?
Best regards,
Borja.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
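The check Roman asks for, written out as an added example (it is not code from the thread, from Snort, or from ACID): parse the alert-file timestamps and the database timestamps quoted above, pair them up, and measure the skew. The sample values are constructed from the times in the report, assuming the year 2001 and CEST (UTC+2) as Borja describes; the helper local_stored_as_utc() is a hypothesis about one way a two-hour error can arise (local wall-clock fields stored as if they were UTC, then rendered in the session zone), not the thread's conclusion.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample data: the timestamps quoted in the thread, with the year
# and the CEST (UTC+2) offset the reporter states.
YEAR = 2001
LOCAL_TZ = timezone(timedelta(hours=2), "CEST")
ALERT_LINES = [
    "06/19-12:32:37.558494 X.Y.Z.T:1674 -> A.B.C.D:111",
    "06/19-12:32:39.393530 X.Y.Z.T:1678 -> A.B.C.D:111",
]
DB_ROWS = [  # (cid, timestamp column as printed by the database)
    (3309, "2001-06-19 14:32:37+02"),
    (3310, "2001-06-19 14:32:39+02"),
]

ALERT_RE = re.compile(r"^(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.(\d{6})\b")
DB_RE = re.compile(r"^(\d{4})-(\d\d)-(\d\d) (\d\d):(\d\d):(\d\d)([+-])(\d\d)(?::?(\d\d))?$")


def parse_alert(line, year=YEAR, tz=LOCAL_TZ):
    """Parse the MM/DD-HH:MM:SS.ffffff prefix of a Snort alert-file line.
    The alert file carries local wall-clock time and no year or zone, so both
    are supplied by the caller."""
    m = ALERT_RE.match(line)
    if m is None:
        raise ValueError("not a Snort alert timestamp: %r" % line)
    mo, d, h, mi, s, us = (int(x) for x in m.groups())
    return datetime(year, mo, d, h, mi, s, us, tzinfo=tz)


def parse_db(text):
    """Parse 'YYYY-MM-DD HH:MM:SS+HH[:MM]' as printed for a timestamptz column.
    datetime.strptime('%z') rejects a bare '+02', so the offset is parsed by hand."""
    m = DB_RE.match(text)
    if m is None:
        raise ValueError("unexpected database timestamp: %r" % text)
    y, mo, d, h, mi, s, sign, oh, om = m.groups()
    off = timedelta(hours=int(oh), minutes=int(om or 0))
    if sign == "-":
        off = -off
    return datetime(int(y), int(mo), int(d), int(h), int(mi), int(s),
                    tzinfo=timezone(off))


def format_db(ts):
    """Render an aware datetime the way the thread shows it ('...+02').
    Whole-hour offsets only, which is all the sample data needs."""
    off_hours = int(ts.utcoffset().total_seconds() // 3600)
    return ts.strftime("%Y-%m-%d %H:%M:%S") + "%+03d" % off_hours


def diagnose(alert_lines=ALERT_LINES, db_rows=DB_ROWS, tz=LOCAL_TZ):
    """Pair alert-file events with database rows in time order and report the
    offset between them. A uniform skew equal to the local UTC offset is the
    signature of a zone correction applied twice somewhere in the logging path."""
    alerts = sorted(parse_alert(line, tz=tz) for line in alert_lines)
    stored = sorted(parse_db(text) for _, text in db_rows)
    if len(alerts) != len(stored):
        raise ValueError("cannot pair %d alerts with %d rows" % (len(alerts), len(stored)))
    # Drop microseconds: the database column holds whole seconds.
    skews = [(s - a.replace(microsecond=0)).total_seconds() / 3600
             for a, s in zip(alerts, stored)]
    local_offset = tz.utcoffset(None).total_seconds() / 3600
    uniform = len(set(skews)) == 1
    return {
        "skew_hours": skews,
        "uniform": uniform,
        "equals_local_offset": uniform and skews[0] == local_offset,
    }


def local_stored_as_utc(alert_ts, tz=LOCAL_TZ):
    """Hypothetical mechanism (an assumption for illustration, not the thread's
    finding): the local wall-clock fields are inserted as if they were UTC, and
    the database then renders that instant in the session zone, so the offset
    is added a second time."""
    wall = alert_ts.replace(tzinfo=None, microsecond=0)
    return wall.replace(tzinfo=timezone.utc).astimezone(tz)


if __name__ == "__main__":
    print(diagnose())
    for line in ALERT_LINES:
        print(format_db(local_stored_as_utc(parse_alert(line))))
```

Run against the quoted values, diagnose() reports a uniform skew of 2.0 hours that equals the local UTC offset, and local_stored_as_utc() reproduces exactly the "14:32:37+02" strings ACID displayed from a correct "12:32:37" alert. If the raw SELECT Roman suggests shows the same "+02" rows, the error was already present at insert time rather than introduced by ACID's rendering.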
Current thread:
- Bug with timestamp. Snort 1.8 and FreeBSD and ACID Borja Marcos (Jun 19)
- <Possible follow-ups>
- Re: Bug with timestamp. Snort 1.8 and FreeBSD and ACID roman (Jun 19)
- Re: Bug with timestamp. Snort 1.8 and FreeBSD and ACID Borja Marcos (Jun 19)
