[Snort-users] Uh-oh... bad ftp login

Jan Muenther jan at ...206...
Mon Oct 30 13:14:31 EST 2000


I don't know what to say....
It was just a problem with different time settings. Yes, I did
check that date gives the same results on both hosts before
posting... But somehow, there was an hour difference in the logs:
whilst my snort logs repoirted a bad login at 17:38 yesterday, my
ftp logs said the same for 16:38. 

Does snort take the time stamp from the packets that the source
originated? That would explain the difference, since the guy in
France who tried an anonymous login (I wonder for what purpose...
gnrrr...) could very well have had his sysdate set to summer

My hosts should have had the same system time all the time...
should, I mean ;o))

Thank you all for your help, guess we all have to get back to
Lance&Co. for interesting case studies as usual ;o))

Cheers, jan

P.S.: Now I can go home in peace... ;o)) 
Radio HUNDERT,6 Medien GmbH Berlin
- EDV -
j.muenther at ...206...

More information about the Snort-users mailing list