[Snort-devel] Bug: Timestamp

Ichinin ichinin at ...1693...
Sat Nov 23 11:28:03 EST 2002


Hello there.

I have found a timestamp bug in Snort.

It occurs in Snort (Win32) 1.9 and 2.0 (Build 33, from
www.codecraftconsultants.com).
I've also rebuilt the binary (1.9) from the source, but with the same
effect.... (I have not checked *nix versions.)

Observe these timestamps:
"11/22-05:57:20.618347"	- The time I pinged the host = Yesterday(!)
"11/23-14:49:19.594866"	- The time I got the ICMP_Reply. (=correct)

You can see what the error looks like in the logfiles appended below.

I've tried to solve the problem myself, but my small amount of experience
with the source (~1.5 hours now) makes it kinda difficult :o}

I also have a request: a switch that makes the timestamp into a chronological
time format (YYYY/MM/DD-HH:MM:SS.nnnnnn or YYYYMMDDHHMMSSnnnnnn); this would
simplify sorting a lot.

Best regards,

Glenn
(Ichinin {at} suespammers [dot] org)
________________________________________________________________________

(These are logfiles generated by Snort 2.0 (Win32, Build 33).)

========================================================
File: "\snort\log\192.168.1.26\ICMP_ECHO.ids"
========================================================
[**] ICMP PING Windows [**]
11/22-05:57:20.618347 192.168.1.26 -> 192.168.1.120
...

[**] ICMP PING Windows [**]
11/22-05:57:21.617495 192.168.1.26 -> 192.168.1.120
...

[**] ICMP PING Windows [**]
11/22-05:57:22.622195 192.168.1.26 -> 192.168.1.120
...

[**] ICMP PING Windows [**]
11/22-05:57:23.627085 192.168.1.26 -> 192.168.1.120
...

========================================================
File: "\snort\log\192.168.1.120\ICMP_ECHO_REPLY.ids"
========================================================

[**] ICMP Echo Reply [**]
11/23-14:49:19.594866 192.168.1.120 -> 192.168.1.26
...

[**] ICMP Echo Reply [**]
11/23-14:49:20.594307 192.168.1.120 -> 192.168.1.26
...

[**] ICMP Echo Reply [**]
11/23-14:49:21.599100 192.168.1.120 -> 192.168.1.26
...

[**] ICMP Echo Reply [**]
11/23-14:49:22.604049 192.168.1.120 -> 192.168.1.26
...


========================================================
File: "\snort\log\Alert.ids"
========================================================

[**] [1:382:4] ICMP PING Windows [**]
[Classification: Misc activity] [Priority: 3] 
11/22-06:04:51.116653 192.168.1.26 -> 192.168.1.120
...

[**] [1:408:4] ICMP Echo Reply [**]
[Classification: Misc activity] [Priority: 3] 
11/23-14:56:50.144545 192.168.1.120 -> 192.168.1.26
...
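A small parser for the .ids lines quoted above, added here as an example and not part of the original post or of Snort itself: it reads the alert headers and timestamp lines, emits the sortable year-first format the post asks for (the year is an assumption supplied by the caller, since Snort's default timestamp omits it), and pairs each Echo Reply with its PING so that an implausible delay like the one reported stands out in a log review.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the Snort 2.0 .ids files quoted above,
# using the request/reply timestamps the report shows (11/22 vs 11/23).
SAMPLE_LOG = """\
[**] ICMP PING Windows [**]
11/22-05:57:20.618347 192.168.1.26 -> 192.168.1.120
[**] [1:408:4] ICMP Echo Reply [**]
[Classification: Misc activity] [Priority: 3]
11/23-14:49:19.594866 192.168.1.120 -> 192.168.1.26
"""

MSG_RE = re.compile(r'^\[\*\*\]\s*(?:\[\d+:\d+:\d+\]\s*)?(.*?)\s*\[\*\*\]$')
TS_RE = re.compile(r'^(\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6}) (\S+) -> (\S+)$')

def parse_ids_log(text, year):
    """Return [(datetime, msg, src, dst)] for each alert in Snort .ids text.
    Snort's default timestamp has no year, so the caller supplies it (assumed)."""
    events, msg = [], None
    for line in text.splitlines():
        m = MSG_RE.match(line)
        if m:              # "[**] [gid:sid:rev] message [**]" header line
            msg = m.group(1)
            continue
        t = TS_RE.match(line)
        if t and msg:      # "MM/DD-HH:MM:SS.uuuuuu src -> dst" line
            ts = datetime.strptime(f'{year}/{t.group(1)}', '%Y/%m/%d-%H:%M:%S.%f')
            events.append((ts, msg, t.group(2), t.group(3)))
    return events

def chronological(ts, compact=False):
    """Sortable form: YYYY/MM/DD-HH:MM:SS.nnnnnn or YYYYMMDDHHMMSSnnnnnn."""
    return ts.strftime('%Y%m%d%H%M%S%f' if compact else '%Y/%m/%d-%H:%M:%S.%f')

def echo_reply_delays(events):
    """Pair each Echo Reply with the earliest unmatched PING in the opposite
    direction and return the delays in seconds; a genuine reply follows within
    milliseconds, so hours of delay (as reported) point at the logger's clock."""
    pending, delays = [], []
    for ts, msg, src, dst in events:
        if msg.startswith('ICMP PING'):
            pending.append((ts, src, dst))
        elif msg == 'ICMP Echo Reply':
            for i, (req_ts, req_src, req_dst) in enumerate(pending):
                if req_src == dst and req_dst == src:
                    delays.append((ts - req_ts).total_seconds())
                    del pending[i]
                    break
    return delays
```

Running `echo_reply_delays(parse_ids_log(SAMPLE_LOG, 2002))` on the sample gives a delay of roughly 118319 seconds (nearly 33 hours) for a single ping/reply pair, which is the skew the report describes.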