[Snort-users] Timestamps

Mullen, Patrick Patrick.Mullen at ...24...
Mon Jul 24 15:09:38 EDT 2000


> Following patch to spp_portscan.c will fix the incorrect time
> problem in portscan alerts:

Uhhh...

> > timestamp - the portscan pre-processor is logging the correct time.

Anyway, for whatever reason SPP works, probably due to
line 1188 (in CVS) where I force logging to local time.
This will be configurable as soon as I deliver on the 
mods I've been talking about.  If anyone wants to log
in GMT before I finish config file support, run the
following command:

sed 's/timeFormat = tLOCAL/timeFormat = tGMT/' < spp_portscan.c \
    > spp_portscan.c.tmp && mv spp_portscan.c.tmp spp_portscan.c

and recompile.  If you do the above successfully (meaning
neither you nor I made a typo and I didn't screw up the
syntax) let me know and I'll send you your prize.  If you
do this on a Windows machine, I'll be even more impressed. ;)

I have always used syslogd for alerts.  How are timestamps
handled when alerting elsewhere?  Is the current system
time used (as I expect), or is a packet pointer required?
My thought was a packet pointer was only needed if the
contents were to be logged somewhere, but is that incorrect?


Thanks, 

~Patrick
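The tLOCAL/tGMT switch discussed in the message above, written out as an added C example. This is not Snort's spp_portscan.c code: the enum and struct names, the MM/DD-HH:MM:SS.usec layout, the pcap-style packet stamp and the POSIX TZ strings are assumptions made for the illustration, and the epoch values were computed by hand from the Date: header of this message.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Added example, not Snort code: the tLOCAL/tGMT switch the post describes,
 * as a small alert-timestamp formatter. All names are illustrative. */
enum time_format { tLOCAL, tGMT };

/* Stand-in for the capture timestamp carried in a pcap packet header
 * (assumption: mirrors pcap_pkthdr.ts, seconds plus microseconds). */
struct pkt_stamp { time_t sec; long usec; };

/* Pin the process time zone with a POSIX TZ string so results are
 * reproducible on any host; tzset() makes localtime_r() re-read it. */
void use_zone(const char *posix_tz)
{
    setenv("TZ", posix_tz, 1);
    tzset();
}

/* Write the stamp as MM/DD-HH:MM:SS.uuuuuu (a Snort-style layout, assumed
 * here) in either local time or GMT. Returns chars written, -1 on error. */
int format_alert_time(const struct pkt_stamp *ts, enum time_format fmt,
                      char *buf, size_t len)
{
    struct tm tm;
    struct tm *ok = (fmt == tGMT) ? gmtime_r(&ts->sec, &tm)
                                  : localtime_r(&ts->sec, &tm);
    if (ok == NULL)
        return -1;
    char base[32];
    if (strftime(base, sizeof base, "%m/%d-%H:%M:%S", &tm) == 0)
        return -1;
    int n = snprintf(buf, len, "%s.%06ld", base, ts->usec);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* The alternative the post asks about: stamp with the wall clock at alert
 * time instead of the packet's capture time. On a live sensor the two are
 * close; when replaying a saved pcap they can differ by years. */
int format_alert_now(enum time_format fmt, char *buf, size_t len)
{
    struct pkt_stamp now = { time(NULL), 0 };
    return format_alert_time(&now, fmt, buf, len);
}

/* Check helper: 1 if sec/usec formatted under zone `tz` in mode `fmt`
 * equals `expected`, else 0. */
int check_stamp(const char *tz, time_t sec, long usec,
                enum time_format fmt, const char *expected)
{
    char buf[40];
    struct pkt_stamp ts = { sec, usec };
    use_zone(tz);
    if (format_alert_time(&ts, fmt, buf, sizeof buf) < 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* 964465778 = Mon Jul 24 19:09:38 UTC 2000, i.e. 15:09:38 EDT, the
     * Date: header of this message (epoch computed by hand for the example). */
    struct pkt_stamp ts = { 964465778, 123456 };
    char buf[40];
    use_zone("EST5EDT,M4.1.0,M10.5.0");   /* US DST rules in force in 2000 */
    format_alert_time(&ts, tLOCAL, buf, sizeof buf);
    printf("tLOCAL: %s\n", buf);          /* 07/24-15:09:38.123456 */
    format_alert_time(&ts, tGMT, buf, sizeof buf);
    printf("tGMT:   %s\n", buf);          /* 07/24-19:09:38.123456 */
    format_alert_now(tGMT, buf, sizeof buf);
    printf("now:    %s\n", buf);
    return 0;
}
```

The two modes only differ by the zone applied to the same packet timestamp; which clock is sampled (packet header versus time(NULL)) is a separate choice, and it is the one that matters when alerts are generated from a replayed capture rather than a live interface.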