[Snort-sigs] tcpdump dates

Jeff Undercoffer undercoffer at ...518...
Thu May 2 08:42:34 EDT 2002


Thanks for your response.  I should have been more precise.  Each individual
alert in the alert file is time and date stamped with the current time and
date, not the time and date that the packet was captured as is recorded in
the tcpdump file.  This makes it very difficult (impossible) to correlate
alerts to the tcpdump capture data.


----- Original Message -----
From: "Wirth, Jeff" <WirthJe at ...511...>
To: "'Jeff Undercoffer'" <undercoffer at ...518...>;
<snort-sigs at lists.sourceforge.net>
Sent: Thursday, May 02, 2002 11:35 AM
Subject: RE: [Snort-sigs] tcpdump dates


> From: Jeff Undercoffer [mailto:undercoffer at ...518...]
> >
> > I am using snort to process a tcpdump file.  The alert log is
> > being stamped
> > with the current date and not (as I would like) the date and
> > time of the
> > entry in the tcpdump file.
> >
> > What switch (if any) might I use to have the date and time in
> > the alert file
> > correspond with the date and time in the tcpdump file?
> >
> >
>
> I don't believe there are any switches that would help.  If your process is
> scripted and running on a *nix box you may want to consider adding something
> along the lines of...
>
>  touch -am -r <tcpdump file> <snort alert file>
>
>  see "man touch" for more info..
>
> - Jeff
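An added example, not from either message in the thread: a small Python reader for the per-record timestamps stored in a tcpdump (libpcap) file, which is the time reference the alert file lacks. The two-packet capture it parses is constructed inline, and the function names are this example's own; the magic-number table covers the standard little/big-endian and nanosecond variants of the format.

```python
"""Read per-record capture timestamps from a tcpdump (libpcap) file.

Snort stamps alerts with the wall-clock time of processing, so the only
record of when the traffic really occurred is the timestamp stored with
each record in the tcpdump file. The sample capture here is constructed.
"""
from __future__ import annotations
import struct
from datetime import datetime, timedelta, timezone

# Magic as read little-endian -> (struct byte order, fraction units per second)
_MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000),      # little-endian file, microseconds
    0xD4C3B2A1: (">", 1_000_000),      # big-endian file, microseconds
    0xA1B23C4D: ("<", 1_000_000_000),  # little-endian file, nanoseconds
    0x4D3CB2A1: (">", 1_000_000_000),  # big-endian file, nanoseconds
}

def pcap_timestamps(data: bytes) -> list[datetime]:
    """UTC capture time of every complete record (24-byte global header, 16-byte record headers)."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in _MAGICS:
        raise ValueError(f"not a libpcap file (magic 0x{magic:08x})")
    order, per_second = _MAGICS[magic]
    stamps, offset = [], 24
    while offset + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(
            order + "IIII", data[offset:offset + 16])
        if offset + 16 + incl_len > len(data):
            break  # final record truncated: stop rather than report a bogus time
        stamps.append(datetime.fromtimestamp(ts_sec, tz=timezone.utc)
                      + timedelta(microseconds=ts_frac * 1_000_000 // per_second))
        offset += 16 + incl_len
    return stamps

def capture_window(data: bytes) -> tuple[datetime, datetime] | None:
    """First and last packet time in the file, or None if it holds no records."""
    stamps = pcap_timestamps(data)
    return (min(stamps), max(stamps)) if stamps else None

def build_sample(order: str = "<") -> bytes:
    """Constructed two-packet capture (Ethernet link type) in the given byte order."""
    def record(ts_sec, ts_usec, payload):
        return struct.pack(order + "IIII", ts_sec, ts_usec, len(payload), len(payload)) + payload
    header = struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return (header
            + record(1020353734, 500000, b"\x00" * 14)   # 2002-05-02 15:35:34.5 UTC
            + record(1020353740, 0, b"\x00" * 60))       # six seconds later
```

Comparing `capture_window()` of the tcpdump file against the alert file's stamps shows at a glance whether the two refer to the same time frame at all.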
