[Snort-devel] Alert/Log Date Format

Martin Roesch roesch at ...48...
Fri Feb 23 00:07:28 EST 2001


This is a good idea, we could put this into the code pretty easily.  I
like the -y option better, it allows us to maintain backwards
compatibility.  If you log your packets in binary format all the date
information is kept when the packets are logged, so you can always run
them through Snort with an extended timestamp format and get the data
back (if you log to that format).

For the record, old versions of Snort used to put the year in the packet
timestamps but I pulled them in '99 when people started sending me mail
that gcc would tell them the code wasn't y2k compliant.  I got enough of
those mails that I decided that if people couldn't deal with the warning
message I'd pull the code out and be done with it.  Petulant?  Me? 
Never... :)

   -Marty


Paul Ritchey wrote:
> 
> Hi All:
> 
> I'd like to provide a patch for Snort and would like some feedback before I go about creating it.
> 
> Currently Snort outputs the dates in the alert/log files in the mm/dd....  format.  This is fine, but where I work we really could use the year embedded in there as well.
> 
> I would like to provide a patch for this, and have come up with two optional ways of doing this (other suggestions welcome) but I don't know which would be more useful to the rest of the community.
> 
> 1.  Change the date format.  This would be the simplest patch, but for those who currently use the mm/dd format adding the year might break their code.
> 
> 2.  User selectable.  Add a command line flag (-y?) to allow the user to turn on the year format.  This would not interrupt current users who rely on the mm/dd format, but allow those of us that require the mm/dd/yy format to turn this feature on.  The downside is that we use up one more command line flag that could be used in the future for some new really cool feature.
> 
> Feedback, comments and suggestions welcome.
> 
> Once it's done, I'll submit it so that it can (hopefully) be added to the CVS code (Marty?).
> 
> Paul
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> http://lists.sourceforge.net/lists/listinfo/snort-devel

--
Martin Roesch
roesch at ...48...
http://www.snort.org
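
An added example, not part of the original message or of Snort's code: a log consumer that accepts both the mm/dd stamp and the mm/dd/yy stamp discussed in this thread, and infers the year for the year-less form from the time the log was collected. The time-of-day layout after the date, the two-digit-year pivot, the name parse_stamp and the sample lines are assumptions.

```python
import re
from datetime import datetime

# Date part as described in the thread: mm/dd, optionally followed by /yy.
# ASSUMPTION: the date is followed by "-hh:mm:ss" and an optional fraction.
STAMP = re.compile(
    r"^(?P<mon>\d{2})/(?P<day>\d{2})(?:/(?P<yy>\d{2}))?"
    r"-(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})(?:\.(?P<frac>\d{1,6}))?"
)

def parse_stamp(line, received):
    """Return (timestamp, year_was_explicit) for the stamp that starts `line`.

    `received` is when the log was collected. It is used only to place a
    year-less stamp, so the result is a best guess, flagged as such.
    """
    m = STAMP.match(line)
    if m is None:
        raise ValueError("no timestamp at start of line: %r" % line[:30])
    micro = int((m["frac"] or "0").ljust(6, "0"))
    fields = dict(month=int(m["mon"]), day=int(m["day"]), hour=int(m["h"]),
                  minute=int(m["m"]), second=int(m["s"]), microsecond=micro)
    if m["yy"] is not None:
        yy = int(m["yy"])
        # ASSUMPTION: two-digit years 70-99 are 19xx, 00-69 are 20xx.
        return datetime((1900 if yy >= 70 else 2000) + yy, **fields), True
    # Year-less stamp: take the most recent year that does not put the event
    # after collection time. Looking back five years covers a 02/29 stamp.
    for back in range(5):
        try:
            ts = datetime(received.year - back, **fields)
        except ValueError:          # e.g. 02/29 in a non-leap year
            continue
        if ts <= received:
            return ts, False
    raise ValueError("cannot place year-less stamp: %r" % line[:30])

if __name__ == "__main__":
    collected = datetime(2001, 1, 2, 12, 0, 0)
    samples = [                      # constructed sample lines
        "12/31-23:59:58.100000 [**] constructed alert A [**]",
        "02/23/01-00:07:28.000000 [**] constructed alert B [**]",
    ]
    for line in samples:
        ts, explicit = parse_stamp(line, collected)
        print(ts.isoformat(), "explicit year" if explicit else "year inferred")
```

The year-less line collected on 2 January resolves to the previous December, which is the ambiguity the year-bearing format removes.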



