[Snort-users] postgres database module oddities..

Erik Fichtner emf at ...367...
Wed Aug 23 17:25:55 EDT 2000


Okay.. I've got myself stuck.  Hopefully someone on this list has done what
I'm trying to do or at least can offer up some ideas.

I'm using snort-1.6.3 and postgres-7.0.2.  I have one backend database machine
and several sensors.  Event insertion into the database works pretty well
except for one glaring problem..  No Packet Body!

So....  what I thought I'd do is run "snort -b" to write to tcpdump output
files (which I want to have lying around on the system *anyway*, as they're
incredibly useful at times) and then when I restart (which I do at 0000 GMT
currently) run snort in readback mode so that it inserts events into the
database.

And then I discovered my problem....  When I insert events into the database,
they get timestamped with the *INSERTION TIME*, not the stored time in the
tcpdump binary file.  The $LOGDIR/alert file that gets created during readback
contains the correct times, but the times as inserted into the database in
the timestamp field are completely wrong.

So now what?

-- 
Erik Fichtner
Security Administrator, ServerVault, Inc.
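A check for the problem described in the post, added here as an example and not part of the original message or of Snort: it reads the capture timestamps straight out of a tcpdump (libpcap) file's record headers, then flags database rows whose timestamp matches none of them, which is what rows stamped with insertion time during readback look like. The pcap bytes and the database rows are constructed inline; the row layout (id, timestamp) is an assumption, not Snort's schema.

```python
import struct
from datetime import datetime, timedelta, timezone

PCAP_MAGIC = 0xA1B2C3D4  # standard microsecond-resolution libpcap magic


def pcap_timestamps(data):
    """Walk a libpcap file and return the capture time stored in each
    16-byte record header as a UTC datetime.  Handles both byte orders."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    offset, stamps = 24, []          # skip the 24-byte global header
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(
            endian + "IIII", data[offset:offset + 16])
        stamps.append(datetime.fromtimestamp(ts_sec, tz=timezone.utc)
                      + timedelta(microseconds=ts_usec))
        offset += 16 + incl_len      # jump over the packet body
    return stamps


def find_insertion_time_rows(db_rows, capture_stamps,
                             tolerance=timedelta(seconds=1)):
    """Return ids of (id, timestamp) rows whose database time is not within
    `tolerance` of any capture time, i.e. rows stamped at insertion."""
    return [row_id for row_id, db_ts in db_rows
            if not any(abs(db_ts - cap) <= tolerance for cap in capture_stamps)]


def build_sample_pcap(stamps):
    """Constructed input: little-endian pcap whose records carry the given
    UTC capture times and a 4-byte dummy payload each."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    body = b"".join(struct.pack("<IIII", int(ts.timestamp()), ts.microsecond,
                                4, 4) + b"\x00" * 4 for ts in stamps)
    return hdr + body


def demo():
    """Two captured packets; row 2 was stamped at the 0000 GMT restart."""
    captured = [datetime(2000, 8, 23, 3, 15, 7, 123456, tzinfo=timezone.utc),
                datetime(2000, 8, 23, 9, 42, 0, 500, tzinfo=timezone.utc)]
    stamps = pcap_timestamps(build_sample_pcap(captured))
    rows = [(1, stamps[0]),  # correct: carries the capture time
            (2, datetime(2000, 8, 24, 0, 0, 3, tzinfo=timezone.utc))]
    return stamps, find_insertion_time_rows(rows, stamps)
```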


