[Snort-users] date search in acid

Roeland Weve roeland at ...1415...
Thu Apr 5 03:55:21 EDT 2001


Hi Roman,

 < Signature >                            < Tot >  Src.  Dst.  < First >            < Last >
 [arachNIDS] ICMP L3retriever Ping         3 (0%)    2     2   2001-04-05 03:24:15  2001-04-05 09:31:08
 [arachNIDS] TELNET login incorrect        1 (0%)    1     1   2001-04-05 01:01:24  2001-04-05 01:01:24
 [arachNIDS] RPC portmap request rstatd    5 (0%)    2     3   2001-04-05 00:14:34  2001-04-05 06:04:10
 [arachNIDS] SMTP relaying denied         63 (0%)   16    26   2001-04-05 00:01:02  2001-04-05 09:33:02
 [arachNIDS] FTP EXPLOIT format string     4 (0%)    1     4   2001-04-05 02:27:29  2001-04-05 02:27:31

Here are some examples from my Snort database.
As you can see, they all happened on 2001-04-05, between 00:01:02 and
09:33:02.
But now, when I do a database search:
Meta Criteria
              ( time >= [ 04 / 4 / 2001 ] [00 : 01 : 00 )AND]
              ( time <= [ 04 / 5 / 2001 ] [9 : 33 : 00 ) ]

I cannot find anything... but when I do another search, based on OR, I
do get some (good) results...
What I mean by good is that I get the results I want, 'between' those
two given dates and times.
I get good results with this query:
              ( time >= [ 04 / 5 / 2001 ] [00 : 01 : 00 )OR]
              ( time <= [ 04 / 5 / 2001 ] [9 : 33 : 00 ) ]

What's the difference between AND and OR?
When I change the time from 00 : 01 : 00 to 7 : 01 : 00, I do get results
that are correct for the query: results bigger than the first given time
and smaller than the second given time.
              ( time >= [ 04 / 5 / 2001 ] [7 : 01 : 00 )OR]
              ( time <= [ 04 / 5 / 2001 ] [9 : 33 : 00 ) ]

I really do not get it; there is something wrong, but I don't know what.
I hope you can fix it,

Roeland
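As an added illustration, not part of Roeland's message and not ACID's or Snort's own code, of what the two Meta Criteria mean once they become SQL: the script below loads the First/Last timestamps from the alert listing above into an in-memory SQLite table shaped like a cut-down Snort `event` table (assumption: only sid, cid, signature and timestamp are kept, and the signature is stored as text rather than the numeric id the real schema uses), then runs the same lower and upper bound joined with AND and with OR. AND gives the intersection, i.e. only the rows inside the window; OR gives the union, which for any lower bound earlier than the upper bound is every row in the table, regardless of date.

```python
import sqlite3

# Constructed sample data: the First/Last timestamps from the alert listing
# in the message above, one row each. The signature names are the ones in
# the listing; the sid/cid numbering is made up for the example.
SAMPLE_EVENTS = [
    ("ICMP L3retriever Ping",      "2001-04-05 03:24:15"),
    ("ICMP L3retriever Ping",      "2001-04-05 09:31:08"),
    ("TELNET login incorrect",     "2001-04-05 01:01:24"),
    ("RPC portmap request rstatd", "2001-04-05 00:14:34"),
    ("RPC portmap request rstatd", "2001-04-05 06:04:10"),
    ("SMTP relaying denied",       "2001-04-05 00:01:02"),
    ("SMTP relaying denied",       "2001-04-05 09:33:02"),
    ("FTP EXPLOIT format string",  "2001-04-05 02:27:29"),
    ("FTP EXPLOIT format string",  "2001-04-05 02:27:31"),
]


def load_events():
    """Build an in-memory table shaped like a cut-down Snort 'event' table.

    Assumption: the real schema has more columns and stores the signature as
    a numeric id; only sid, cid, signature, timestamp are kept here. The
    timestamp is stored as 'YYYY-MM-DD HH:MM:SS' text, which compares
    correctly with >= and <= because every field is fixed width.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE event (sid INTEGER, cid INTEGER, "
        "signature TEXT, timestamp TEXT)"
    )
    conn.executemany(
        "INSERT INTO event (sid, cid, signature, timestamp) VALUES (1, ?, ?, ?)",
        [(cid, sig, ts) for cid, (sig, ts) in enumerate(SAMPLE_EVENTS, start=1)],
    )
    return conn


def time_search(conn, start, end, join="AND"):
    """Run 'timestamp >= start <join> timestamp <= end' and return the rows.

    join is restricted to the two keywords the ACID form offers; it is the
    only thing spliced into the SQL text, the bounds go in as parameters.
    """
    if join not in ("AND", "OR"):
        raise ValueError("join must be 'AND' or 'OR'")
    sql = (
        "SELECT cid, signature, timestamp FROM event "
        f"WHERE timestamp >= ? {join} timestamp <= ? "
        "ORDER BY timestamp"
    )
    return conn.execute(sql, (start, end)).fetchall()


if __name__ == "__main__":
    db = load_events()
    windows = (
        ("2001-04-04 00:01:00", "2001-04-05 09:33:00"),  # the AND query in the message
        ("2001-04-05 07:01:00", "2001-04-05 09:33:00"),  # the narrowed OR query
    )
    for lower, upper in windows:
        for join in ("AND", "OR"):
            rows = time_search(db, lower, upper, join)
            print(f"{lower} .. {upper} [{join}]: {len(rows)} row(s)")
            for cid, sig, ts in rows:
                print(f"   cid={cid:<2} {ts}  {sig}")
```

With the bounds from the message, the AND form returns the eight events up to 09:33:00 (the 09:33:02 SMTP alert falls outside), and the narrowed 07:01:00 AND form returns only the 09:31:08 ping; both OR forms return all nine rows. If a front end hands back only in-window rows for an OR of these two bounds, the statement it actually sent to the database is not the OR of the two conditions shown in its form, so the generated SQL is the thing to inspect.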