[Snort-devel] Problem with SPP_Portscan and timestamps in SQL Database (still broken)

Kevin Brown Kevin.M.Brown at ...320...
Thu Jul 12 12:39:48 EDT 2001


Martin Roesch asked for bugs that still hadn't been fixed last week.  I
submitted this to him and he thought he had fixed it and suggested I upgrade
to the latest beta (at that time 1.8-beta10 build 38).  I'm currently
running 1.8-beta10 Build 40 on a Sun Netra T1 (Sparc 500MHz) with Solaris 8
for the OS.  I noticed that when I went to the ACID interface (snort is
logging to a remote SQL db) that the timestamps it showed for the beginning
and ending of alerts were, shall we say, off by quite a bit:

Time window: [2001-03-30 18:51:51-07] - [2007-12-25 14:43:34-07]

This build of snort is logging to its own database that should only have a
week's worth of logs in it, but the time window shows that it has alerts from
back in March of this year to Christmas of 2007.  The culprit appears to be
the spp_portscan plugin still.  Doing "select cid,timestamp from event inner
join signature on signature.sig_id = event.signature where
signature.sig_name like 'spp_portscan%' ORDER BY event.timestamp desc;"
inside Postgres (v 7.1) results in the following alerts.


  cid   |       timestamp        
--------+------------------------
 449314 | 2007-12-25 14:43:34-07
 455740 | 2006-08-20 22:22:41-07
 452070 | 2006-07-21 17:28:20-07
 423972 | 2006-06-26 16:41:31-07
 430983 | 2006-02-10 04:04:19-07
 422848 | 2005-08-31 21:57:54-07
 424774 | 2003-09-16 23:22:44-07
 404267 | 2003-07-18 22:24:13-07
 450153 | 2003-05-21 02:28:15-07
 407749 | 2003-05-08 01:26:42-07
 408408 | 2003-04-29 17:01:00-07
 408426 | 2003-04-10 02:47:06-07
 407754 | 2003-04-07 23:03:51-07
 353468 | 2002-01-27 21:31:18-07
 410619 | 2001-10-10 17:03:50-07
 403606 | 2001-08-12 13:01:12-07
 403303 | 2001-08-11 17:56:35-07
 423359 | 2001-08-09 10:59:02-07
 405990 | 2001-08-08 21:00:59-07
 409359 | 2001-08-08 08:04:06-07
 465168 | 2001-07-17 17:13:27-07
 465045 | 2001-07-17 17:00:01-07

And doing the following "select cid,timestamp from event inner join
signature on signature.sig_id = event.signature where signature.sig_name
like 'spp_portscan%' ORDER BY event.cid desc;" results in:

  cid   |       timestamp        
--------+------------------------
 469266 | 2001-07-12 02:27:04-07
 469265 | 2001-07-12 02:27:02-07
 469264 | 2001-06-12 11:27:00-07
 469262 | 2001-07-12 02:26:58-07
 469261 | 2001-07-12 02:26:56-07
 469260 | 2001-07-12 02:26:54-07
 469259 | 2001-07-12 02:26:52-07
 469258 | 2001-06-12 11:26:50-07
 469257 | 2001-07-12 02:26:48-07
 469256 | 2001-07-12 02:26:46-07
 469255 | 2001-07-12 02:26:44-07
 469254 | 2001-06-12 11:26:42-07
 469253 | 2001-07-12 02:26:40-07
 469252 | 2001-07-12 02:26:38-07
 469251 | 2001-07-12 02:26:36-07
 469250 | 2001-06-12 11:26:34-07
 469249 | 2001-07-12 02:26:32-07
 469248 | 2001-07-12 02:26:30-07
 469247 | 2001-07-12 02:26:28-07
 469246 | 2001-07-12 02:26:26-07
 469245 | 2001-07-12 02:26:24-07
 469244 | 2001-07-12 02:26:22-07

Any help would be greatly appreciated.

END OF LINE...

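The two queries in the post list every spp_portscan event, which leaves the reader to eyeball which rows are wrong. The block below is an added example, not code from the original post or from the Snort/ACID projects: it recreates a minimal copy of the two ACID tables the post queries (only the columns the post's own queries use; real ACID tables have more), loads constructed rows loosely modelled on the second listing, and then isolates the rows whose timestamp disagrees with both neighbouring cids on the same sensor, plus a count per signature of rows that fall outside the sensor's expected retention window. The sid column, the one-hour threshold and the 14-day window are assumptions; the self-join is used instead of LAG()/LEAD() so the query does not depend on window functions, which the PostgreSQL 7.x the post mentions did not have.

```sql
-- Added example (not from the original post): minimal copies of the ACID
-- tables referenced by the queries above. Column set is assumed/trimmed.
CREATE TABLE signature (
    sig_id   INTEGER PRIMARY KEY,
    sig_name VARCHAR(255) NOT NULL
);

CREATE TABLE event (
    sid       INTEGER NOT NULL,               -- sensor id (assumed)
    cid       INTEGER NOT NULL,               -- per-sensor event counter
    signature INTEGER NOT NULL REFERENCES signature(sig_id),
    timestamp TIMESTAMP WITH TIME ZONE NOT NULL,
    PRIMARY KEY (sid, cid)
);

INSERT INTO signature VALUES (1, 'spp_portscan: PORTSCAN DETECTED');
INSERT INTO signature VALUES (2, 'ICMP PING');

-- Constructed sample rows for one sensor: a burst of alerts two seconds
-- apart, with two portscan rows carrying a timestamp a month in the past,
-- as in the second listing of the post.
INSERT INTO event VALUES (1, 469257, 1, '2001-07-12 02:26:48-07');
INSERT INTO event VALUES (1, 469258, 1, '2001-06-12 11:26:50-07');  -- bad
INSERT INTO event VALUES (1, 469259, 1, '2001-07-12 02:26:52-07');
INSERT INTO event VALUES (1, 469260, 1, '2001-07-12 02:26:54-07');
INSERT INTO event VALUES (1, 469261, 2, '2001-07-12 02:26:56-07');
INSERT INTO event VALUES (1, 469262, 1, '2001-07-12 02:26:58-07');
INSERT INTO event VALUES (1, 469263, 1, '2001-07-12 02:27:00-07');
INSERT INTO event VALUES (1, 469264, 1, '2001-06-12 11:27:00-07');  -- bad
INSERT INTO event VALUES (1, 469265, 1, '2001-07-12 02:27:02-07');

-- Query 1: rows whose timestamp is more than one hour away from BOTH the
-- previous and the next cid on the same sensor. Requiring both neighbours
-- keeps a good row from being flagged just because its neighbour is bad.
-- Expected on the sample data: cids 469258 and 469264 only.
SELECT e.sid, e.cid, e.timestamp, s.sig_name,
       prev.timestamp AS prev_ts, nxt.timestamp AS next_ts
FROM event e
JOIN signature s ON s.sig_id = e.signature
JOIN event prev ON prev.sid = e.sid AND prev.cid = e.cid - 1
JOIN event nxt  ON nxt.sid  = e.sid AND nxt.cid  = e.cid + 1
WHERE abs(extract(epoch FROM (e.timestamp - prev.timestamp))) > 3600
  AND abs(extract(epoch FROM (e.timestamp - nxt.timestamp)))  > 3600
ORDER BY e.cid;

-- Query 2: how many rows per signature lie outside the window the database
-- is supposed to cover (here: the last 14 days up to now; assumed). Run
-- against the live database this shows whether only spp_portscan rows are
-- affected, which is what the post suspects.
SELECT s.sig_name, count(*) AS out_of_window
FROM event e
JOIN signature s ON s.sig_id = e.signature
WHERE e.timestamp > now()
   OR e.timestamp < now() - interval '14 days'
GROUP BY s.sig_name
ORDER BY out_of_window DESC;
```

Query 1 is the one to run first against the production database: it answers the question the post's cid-ordered listing raises (which specific rows are wrong) without having to read thousands of lines, and the prev_ts/next_ts columns make the size of the jump visible. Query 2 gives the per-signature breakdown that the ACID "time window" display hides.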