[Snort-users] postgres database module oddities..
emf at ...367...
Wed Aug 23 17:25:55 EDT 2000
Okay.. I've got myself stuck. Hopefully someone on this list has done what
i'm trying to do or at least can offer up some ideas.
I'm using snort-1.6.3 and postgres-7.0.2. I have one backend database machine
and several sensors. event insertion into the database works pretty well
except for one glaring problem.. No Packet Body!
So.... what I thought i'd do is run "snort -b" to write to tcpdump output
files (which i want to have lying around on the system *anyway*, as they're
incredibly useful at times) and then when I restart (which I do at 0000 GMT
currently) run snort in readback mode so that it inserts events into the
And then I discovered my problem.... When I insert events into the database,
they get timestamped with the *INSERTION TIME*, not the stored time in the
tcpdump binary file. the $LOGDIR/alert file that gets created during readback
contains the correct times, but the times as inserted into the database in
the timestamp field are completely wrong.
So now what?
Security Administrator, ServerVault, Inc.
More information about the Snort-users