[Snort-users] Bug with timestamp. Snort 1.8 and FreeBSD and ACID

roman at ...438... roman at ...438...
Tue Jun 19 09:42:25 EDT 2001


I'm skeptical that ACID garbled that date, since
it read it raw from the database.  More likely is
that this is how the timestamp was written to the
database.  Can you confirm this?

Run something like:

SELECT * FROM event WHERE sid=1 AND cid=3310

What is the format of the date?  Likewise, to
reiterate, the timestamps in the DB should read
12:32:37+02?

Roman

 
> 	Hello,
> 
> 	I'm using Snort 1.8, got from the CVS on June 13th,
> under FreeBSD 4.3, and ACID 9.6b10.
> 
> 	There is a problem with the timestamp. It is a common practice to keep the 
> system clock with the UTC time, having the system configured for the timezone 
> where you live. In my case, I am in CET, which is UTC+1; with the summer 
> time, it is CEST, UTC+2.
> 
> 	When I generate an alert, it is correctly timestamped in the "alert" file, 
> but in the Acid logs it has an incorrect time, which, curiously, is 2 plus 
> the correct time.
> 
> 	An example:
> 
> (from the alert log)
> 
> 06/19-12:32:37.558494 X.Y.Z.T:1674 -> A.B.C.D:111
> 06/19-12:32:39.393530 X.Y.Z.T:1678 -> A.B.C.D:111
> 
> (The same pasted from Acid)
> 
> #0-(1-3310) [arachNIDS] RPC portmap request rstatd 2001-06-19 14:32:39+02 
> 
> X.Y.Z.T:1678 
> A.B.C.D:111 
> 
> UDP
> 
> #1-(1-3309) 
> 
> [arachNIDS] RPC portmap request rstatd 2001-06-19 14:32:37+02 
> X.Y.Z.T:1674 
> A.B.C.D:111 
> 
> UDP
> 
> 
> 	Any ideas?
> 
> 
> 
> 	Best regards,
> 
> 
> 
> 
> 	Borja.
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> 
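A check for the discrepancy Roman asks Borja to confirm, as an added example that is not part of this thread or of Snort/ACID: it parses the alert-file stamp and the timestamp ACID shows from the database, converts both to UTC and classifies the skew. The year (2001) and the system zone (CEST, UTC+2) are assumptions taken from the report; the sample lines are constructed from the ones quoted above.

```python
from datetime import datetime, timedelta, timezone

# Constructed from the quoted report. The alert file carries no year and the
# reporter's system zone is CEST (UTC+2); both are assumptions, not parsed.
ALERT_LINE = "06/19-12:32:37.558494 X.Y.Z.T:1674 -> A.B.C.D:111"
DB_TIMESTAMP = "2001-06-19 14:32:37+02"
ASSUMED_YEAR = 2001
SYSTEM_TZ = timezone(timedelta(hours=2))  # CEST


def parse_alert_time(line, year=ASSUMED_YEAR, tz=SYSTEM_TZ):
    """Parse the leading 'MM/DD-HH:MM:SS.usec' stamp of a Snort alert-file line.
    The alert file is written in system local time, so attach the system zone."""
    stamp = line.split()[0]
    naive = datetime.strptime(f"{year}/{stamp}", "%Y/%m/%d-%H:%M:%S.%f")
    return naive.replace(tzinfo=tz)


def parse_db_time(value):
    """Parse the 'YYYY-MM-DD HH:MM:SS+HH' form ACID shows from the event table."""
    # strptime's %z wants '+HHMM'; the DB form only carries '+HH', so pad it.
    return datetime.strptime(value + "00", "%Y-%m-%d %H:%M:%S%z")


def diagnose(alert_line, db_value, year=ASSUMED_YEAR, tz=SYSTEM_TZ):
    """Compare both stamps in UTC at second resolution (the DB column keeps no
    fraction) and return (skew_in_hours, verdict)."""
    alert_utc = parse_alert_time(alert_line, year, tz).astimezone(timezone.utc)
    alert_utc = alert_utc.replace(microsecond=0)
    db_utc = parse_db_time(db_value).astimezone(timezone.utc)
    delta = db_utc - alert_utc
    offset = tz.utcoffset(None)
    if delta == timedelta(0):
        verdict = "consistent"
    elif delta == offset:
        # 12:32 local became 14:32+02: local wall-clock time was shifted by the
        # zone offset a second time before being labelled with that offset.
        verdict = "zone offset applied twice"
    elif delta == -offset:
        verdict = "zone offset dropped: UTC stored and labelled as local"
    else:
        verdict = "unexplained skew"
    return delta.total_seconds() / 3600, verdict


if __name__ == "__main__":
    hours, verdict = diagnose(ALERT_LINE, DB_TIMESTAMP)
    print(f"DB is {hours:+.1f} h from the alert file: {verdict}")
```

Run the SELECT Roman suggests, paste the returned timestamp as DB_TIMESTAMP, and a verdict other than "consistent" means the value was wrong before ACID ever displayed it.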