[Snort-sigs] tcpdump dates
WirthJe at ...511...
Thu May 2 11:18:20 EDT 2002
From: Jeff Undercoffer [mailto:undercoffer at ...518...]
> Thanks for your response. I should have been more precise. Each individual
> alert in the alert file is time and date stamped with the current time and
> date, not the time and date that the packet was captured as is recorded in
> the tcpdump file. This makes it very difficult (impossible) to correlate
> alerts to the tcpdump capture data.

hmmm... This is very strange. We run snort (1.8.6) in the same fashion,
reading a tcpdump file, and snort uses the correct time/date stamp from the
tcpdump file. After your post, I did notice however that the time/date
stamp entries for "spp_portscan" are based on the time/date that snort read
the file, not the time/date the event actually occurred. So I checked
portscan.log and the time/date stamps look as they should...
> > From: Jeff Undercoffer [mailto:undercoffer at ...518...]
> > >
> > > I am using snort to process a tcpdump file. The alert log is
> > > being stamped
> > > with the current date and not (as I would like) the date and
> > > time of the
> > > entry in the tcpdump file.
> > >
> > > What switch (if any) might I use to have the date and time in
> > > the alert file
> > > correspond with the date and time in the tcpdump file?
> > >
> > >
> > I don't believe there are any switches that would help. If your process is
> > scripted and running on a *nix box you may want to consider adding something
> > along the lines of...
> > touch -am -r <tcpdump file> <snort alert file>
> > see "man touch" for more info..
> > - Jeff
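As an added example (not part of this thread or of snort), a minimal parser for the classic libpcap/tcpdump record headers that recovers each packet's capture timestamp, which is the time the alerts should carry; it handles both byte orders, rejects pcapng and truncated files, and the sample capture is constructed inline.

```python
import struct
from datetime import datetime, timezone

# Classic libpcap (tcpdump) layout: 24-byte global header, then per record a
# 16-byte header of ts_sec, ts_usec, incl_len, orig_len followed by the bytes.
GLOBAL_HDR = "IHHiIII"   # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"


def pcap_record_times(data: bytes) -> list:
    """Return [(capture_time_utc, incl_len), ...] for every record in a classic pcap.

    Byte order is taken from the magic number; pcapng is rejected; a record whose
    declared incl_len runs past end of file raises ValueError (truncated capture)."""
    if len(data) < 24:
        raise ValueError("too short to be a libpcap file")
    (magic,) = struct.unpack("<I", data[:4])
    if magic == 0xA1B2C3D4:
        end = "<"            # written on a little-endian host
    elif magic == 0xD4C3B2A1:
        end = ">"            # written on a big-endian host
    else:
        raise ValueError("not a classic libpcap file (magic %#x)" % magic)
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(end + RECORD_HDR, data[off:off + 16])
        if off + 16 + incl_len > len(data):
            raise ValueError("truncated packet data at offset %d" % off)
        # Build the timestamp exactly (no float seconds) so microseconds survive.
        ts = datetime.fromtimestamp(ts_sec, tz=timezone.utc).replace(microsecond=ts_usec)
        records.append((ts, incl_len))
        off += 16 + incl_len
    return records


def capture_window(data: bytes):
    """First and last capture timestamps; alerts outside this window were wall-clock stamped."""
    times = [ts for ts, _ in pcap_record_times(data)]
    return min(times), max(times)


def build_pcap(packets, end="<") -> bytes:
    """Construct a classic pcap in memory (constructed test data, not a real capture)."""
    out = struct.pack(end + GLOBAL_HDR, 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts_sec, ts_usec, payload in packets:
        out += struct.pack(end + RECORD_HDR, ts_sec, ts_usec, len(payload), len(payload)) + payload
    return out


# Constructed sample: two frames captured on 2002-05-01 12:00:00Z, five seconds apart.
SAMPLE_PACKETS = [(1020254400, 0, b"\x00" * 60), (1020254405, 250000, b"\x00" * 42)]
SAMPLE_PCAP = build_pcap(SAMPLE_PACKETS)
```

Comparing an alert file's stamps against `capture_window()` shows at a glance whether a preprocessor such as spp_portscan wrote read time rather than packet time.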