[Snort-users] Help with setup

Roman Danyliw roman at ...438...
Mon Jan 15 17:08:18 EST 2001


Mitch,

[snip]
> Using ACID to access the database, 
> I get a timestamp of "0000-00-00 00:00:00" for any query I run.

This seems a bit odd.  Let's try to isolate where the error is
occurring: ACID, DB plug-in, or Snort-proper.  

Have you confirmed that the alerts are being written to the database with
the correct timestamp?  For example, from the mysql command-line client
type:

  %  mysql -u <snort DB user> -p <snort DB name>      (prompts for the password)

  mysql> SELECT * FROM event LIMIT 0,2;

+-----+-------+---------------------------------+---------------------+
| sid | cid   | signature                       | timestamp           |
+-----+-------+---------------------------------+---------------------+
|   1 |     1 | UDP                             | 2000-07-29 10:05:05 |
|   1 |     2 | UDP                             | 2000-07-29 10:05:05 |
+-----+-------+---------------------------------+---------------------+

What does the timestamp read?  Is it all 0s as well?  If not, there is an
issue with the ACID translation; otherwise (if the timestamps are also
0s), the DB plug-in might need to be scrutinized because the times were
not correctly written.

cheers,
Roman
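Two follow-up queries, added here as an example (not part of the reply above), that carry the same isolation step a bit further: instead of eyeballing two rows, they count how many rows per sensor carry the zero timestamp and show the newest rows each sensor wrote. They assume the standard Snort DB plug-in / ACID schema shown in the reply (an `event` table with `sid`, `cid`, `signature`, `timestamp`) on MySQL; the column aliases are my own.

```sql
-- Added example, not from the original post. Assumes the Snort DB
-- plug-in's event table (sid, cid, signature, timestamp) on MySQL.
--
-- Per-sensor breakdown: if zero_timestamps equals total_events for
-- every sid, the DB plug-in never wrote a usable time and ACID is
-- merely displaying what is stored; if zero_timestamps is 0 but ACID
-- still shows "0000-00-00 00:00:00", the fault is in ACID's handling.
SELECT
  sid,
  COUNT(*)                               AS total_events,
  SUM(timestamp = '0000-00-00 00:00:00') AS zero_timestamps,
  MIN(timestamp)                         AS first_seen,
  MAX(timestamp)                         AS last_seen
FROM event
GROUP BY sid;

-- The most recently written rows (cid increases per sensor), so a
-- partial failure, e.g. timestamps zeroed only after a restart or a
-- plug-in upgrade, shows up as a run of zeros at the top of this list.
SELECT sid, cid, signature, timestamp
FROM event
ORDER BY sid, cid DESC
LIMIT 10;
```

A mixed result (some sensors or some time ranges zeroed, others fine) points at the plug-in or the sensor configuration rather than at ACID, since ACID applies the same translation to every row it reads.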
