[Snort-users] Uh-oh... bad ftp login

Bill Marquette wlmarque at ...8...
Mon Oct 30 13:43:04 EST 2000

Jan, I noticed this with some of our snort sensors today (the few that we don't
kill -HUP every night).  I haven't poked through the source, but it appears to
be related to the time change we just went through this weekend.


From: Jan Muenther <jan at ...206...> on 10/30/2000 12:14 PM

To:   Gregor Binder <gbinder at ...462...>
      "snort-users at lists.sourceforge.net" <snort-users at lists.sourceforge.net>
Subject:  Re: [Snort-users] Uh-oh... bad ftp login


I don't know what to say....
It was just a problem with different time settings. Yes, I did
check that date gives the same results on both hosts before
posting... But somehow, there was an hour difference in the logs:
whilst my snort logs reported a bad login at 17:38 yesterday, my
ftp logs said the same for 16:38.

Does snort take the time stamp from the packets that the source
originated? That would explain the difference, since the guy in
France who tried an anonymous login (I wonder for what purpose...
gnrrr...) could very well have had his sysdate set to summer

My hosts should have had the same system time all the time...
should, I mean ;o))

Thank you all for your help, guess we all have to get back to
Lance&Co. for interesting case studies as usual ;o))

Cheers, jan

P.S.: Now I can go home in peace... ;o))
Radio HUNDERT,6 Medien GmbH Berlin
- EDV -
j.muenther at ...206...