[Snort-sigs] tcpdump dates

Wirth, Jeff WirthJe at ...511...
Thu May 2 11:18:20 EDT 2002


From: Jeff Undercoffer [mailto:undercoffer at ...518...]
> 
> Thanks for your response.  I should have been more precise.  Each individual
> alert in the alert file is time and date stamped with the current time and
> date, not the time and date that the packet was captured as is recorded in
> the tcpdump file.  This makes it very difficult (impossible) to correlate

hmmm...This is very strange.  We run snort (1.8.6) in the same fashion,
reading a tcpdump file, and snort uses the correct time/date stamp from the
tcpdump file.  After your post, I did notice however that the time/date
stamp entries for "spp_portscan" are based on the time/date that snort read
the file, not the time/date the event actually occurred.  So I checked
portscan.log and the time/date stamps look as they should...

- Jeff  

> alerts to the tcpdump capture data
> 
> > From: Jeff Undercoffer [mailto:undercoffer at ...518...]
> > >
> > > I am using snort to process a tcpdump file.  The alert log is
> > > being stamped
> > > with the current date and not (as I would like) the date and
> > > time of the
> > > entry in the tcpdump file.
> > >
> > > What switch (if any) might I use to have the date and time in
> > > the alert file
> > > correspond with the date and time in the tcpdump file?
> > >
> > >
> >
> > I don't believe there are any switches that would help.  If your process is
> > scripted and running on a *nix box you may want to consider adding something
> > along the lines of...
> >
> >  touch -am -r <tcpdump file> <snort alert file>
> >
> >  see "man touch" for more info..
> >
> > - Jeff
> 
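Since the thread turns on whether an alert carries the packet clock from the tcpdump file or the wall clock of the box that read it, a quick check is to compare each alert's timestamp against the capture window of the pcap. The script below is an added example, not code from this thread or from Snort. It assumes the classic libpcap file format (not pcapng), Snort's fast-alert line prefix (`MM/DD-HH:MM:SS.usec`, or `MM/DD/YY-HH:MM:SS.usec` when run with `-y`), that two-digit years are 20xx, and that alert and packet times are compared in one timezone (UTC here); the pcap bytes and alert lines are constructed inline.

```python
"""Flag Snort alerts whose timestamp lies outside the pcap's capture window.

Added example, not from the mailing-list thread. Assumptions:
  - classic libpcap format (magic 0xa1b2c3d4 in either byte order), not pcapng
  - Snort fast-alert prefix "MM/DD-HH:MM:SS.usec" or "MM/DD/YY-HH:MM:SS.usec"
  - a two-digit year means 20xx; without -y the caller supplies the year
  - alert times and packet times are both interpreted as UTC
"""
import re
import struct
from datetime import datetime, timezone

PCAP_MAGIC_LE = 0xA1B2C3D4
PCAP_MAGIC_BE = 0xD4C3B2A1   # the same magic read with the opposite byte order

# Snort fast-alert timestamp prefix; the /YY part only appears with -y.
ALERT_TS = re.compile(r'^(\d{2})/(\d{2})(?:/(\d{2}))?-(\d{2}):(\d{2}):(\d{2})\.(\d{6})')


def pcap_time_window(data: bytes):
    """Return (first_ts, last_ts) in epoch seconds from a libpcap byte string."""
    (magic,) = struct.unpack('<I', data[:4])
    if magic == PCAP_MAGIC_LE:
        order = '<'
    elif magic == PCAP_MAGIC_BE:
        order = '>'
    else:
        raise ValueError('not a classic libpcap file')
    offset = 24                       # global header is 24 bytes
    first = last = None
    while offset + 16 <= len(data):   # per-packet header is 16 bytes
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(
            order + 'IIII', data[offset:offset + 16])
        ts = ts_sec + ts_usec / 1e6
        first = ts if first is None else min(first, ts)
        last = ts if last is None else max(last, ts)
        offset += 16 + incl_len
    if first is None:
        raise ValueError('pcap contains no packets')
    return first, last


def alert_timestamp(line: str, default_year: int, tz=timezone.utc) -> float:
    """Epoch seconds for the timestamp prefix of one Snort fast-alert line."""
    m = ALERT_TS.match(line)
    if not m:
        raise ValueError(f'no Snort timestamp prefix: {line!r}')
    month, day, yy, hh, mm, ss, usec = m.groups()
    year = 2000 + int(yy) if yy else default_year   # assumption: 20xx
    return datetime(year, int(month), int(day), int(hh), int(mm), int(ss),
                    int(usec), tzinfo=tz).timestamp()


def check_alerts(alert_lines, pcap_bytes: bytes, default_year: int, slack=1.0):
    """Label each alert 'capture' if its time falls inside the pcap window
    (plus `slack` seconds either side), else 'wall-clock'."""
    first, last = pcap_time_window(pcap_bytes)
    results = []
    for line in alert_lines:
        if not ALERT_TS.match(line):   # skip anything that is not an alert line
            continue
        ts = alert_timestamp(line, default_year)
        label = 'capture' if first - slack <= ts <= last + slack else 'wall-clock'
        results.append((label, line))
    return results


def build_test_pcap() -> bytes:
    """Constructed two-packet libpcap file captured on 2002-05-01 09:00 UTC."""
    hdr = struct.pack('<IHHiIII', PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    payload = b'\x00' * 60            # dummy frame; contents do not matter here
    t0 = int(datetime(2002, 5, 1, 9, 0, 0, tzinfo=timezone.utc).timestamp())
    pkts = b''
    for sec, usec in ((t0, 250000), (t0 + 90, 0)):
        pkts += struct.pack('<IIII', sec, usec, len(payload), len(payload)) + payload
    return hdr + pkts


# Constructed alert lines: two stamped from the packet clock, one (a portscan
# entry) stamped from the clock of the machine that read the file.
SAMPLE_ALERTS = [
    '05/01-09:00:00.250000  [**] [1:0:0] CONSTRUCTED rule alert [**] {ICMP} 10.0.0.5 -> 10.0.0.9',
    '05/01-09:01:30.000000  [**] [1:0:0] CONSTRUCTED rule alert [**] {TCP} 10.0.0.5:1234 -> 10.0.0.9:80',
    '05/02-11:18:20.000000  [**] [100:1:1] spp_portscan: CONSTRUCTED portscan entry [**]',
]

if __name__ == '__main__':
    for label, line in check_alerts(SAMPLE_ALERTS, build_test_pcap(), 2002):
        print(f'{label:10s} {line}')
```

Run against a real `alert` file and pcap by replacing `SAMPLE_ALERTS` with the file's lines and `build_test_pcap()` with the pcap's bytes; any entry labelled `wall-clock` was stamped with the reading machine's clock and cannot be correlated with the capture by timestamp alone.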