[Snort-users] Anyone else seen this?

Kevin Brown Kevin.M.Brown at ...1022...
Tue Jun 19 15:30:26 EDT 2001


Well, I spent some time looking into this little problem with my SQL
database and found something interesting about the alerts that don't have a
good timestamp.  After modifying the ACID frontend to let me select the year
2041 and run the graph for that year, I looked at the alerts and every single
one was put into the database by the spp_portscan plugin.  So, it may be
that the portscan plugin is not outputting the correct time, or between it
and the db output plugin the timestamp is getting mucked up.

-----Original Message-----
From: Kevin Brown [mailto:Kevin.M.Brown at ...1022...]
Sent: Thursday, June 14, 2001 15:43
To: 'snort-users at lists.sourceforge.net'
Subject: [Snort-users] Anyone else seen this?


I currently have just one sensor on the network (that I control) logging to
a Postgresql (7.1) database.  I have been noticing that the dates being put
in the database do not always correspond with the actual time and was
wondering if anyone else is having this problem.

Running:
-*> Snort! <*-
Version 1.8-beta5 (Build 24)
on Solaris 8 (Netra T1 AC200, 500MHz Sparc)

Remote Database, Postgresql 7.1 running on RH6.2 kernel 2.2.16
Schema 102
Acid .9.6b10

Attached is a sampling of the output from the following SQL queries:

snort=# select sid,cid,timestamp from event ORDER BY timestamp DESC;
snort=# select sid,cid,timestamp from event ORDER BY cid DESC;

Any help would be much appreciated.

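The triage described in the reply above (pick out the events whose timestamp is in the future, then see which plugin or rule produced every one of them) can be done offline against rows exported from the event table instead of by hand in ACID. The following is an added example, not code from the thread or from the Snort or ACID projects; the rows are constructed for illustration (sensor id, event ids, signature names and times are made up), and it assumes preprocessor alerts can be told apart from rule alerts by the `spp_...:` prefix in the signature name, which is how spp_portscan messages were labelled at the time.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample rows, shaped like the output of
#   select sid,cid,timestamp from event ...
# joined with the signature name.  Sensor id, event ids, signature
# names and times are hypothetical values, not data from the thread.
SAMPLE_ROWS = [
    (1, 1001, "ICMP PING NMAP",                  "2001-06-14 15:40:12"),
    (1, 1002, "spp_portscan: PORTSCAN DETECTED", "2041-06-14 15:40:13"),
    (1, 1003, "WEB-MISC /etc/passwd",            "2001-06-14 15:41:02"),
    (1, 1004, "spp_portscan: portscan status",   "2041-06-14 15:41:05"),
    (1, 1005, "spp_portscan: End of portscan",   "2001-06-14 15:42:00"),
    (1, 1006, "SNMP public access",              "1970-01-01 00:00:00"),
]


def parse_ts(ts):
    """Parse the 'YYYY-MM-DD HH:MM:SS' form Postgres prints for a timestamp column."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def find_bad_timestamps(rows, now, slack=timedelta(hours=1), earliest=None):
    """Return (sid, cid, signature, datetime) for every row whose timestamp is
    later than now + slack (slack allows for sensor/db clock skew) or, when
    `earliest` is given, before the sensor could plausibly have been logging."""
    bad = []
    for sid, cid, sig, ts in rows:
        t = parse_ts(ts)
        if t > now + slack or (earliest is not None and t < earliest):
            bad.append((sid, cid, sig, t))
    return bad


def count_by_source(bad):
    """Group flagged events by producer: the text before the first ':' for
    preprocessor alerts (e.g. 'spp_portscan'), or 'rule' for plain rule alerts."""
    counts = Counter()
    for _, _, sig, _ in bad:
        counts[sig.split(":", 1)[0] if ":" in sig else "rule"] += 1
    return counts


def sole_source(bad):
    """Name the one producer behind all flagged events, or None when more than
    one source is involved (which would point away from a single plugin bug)."""
    counts = count_by_source(bad)
    return next(iter(counts)) if len(counts) == 1 else None


if __name__ == "__main__":
    now = datetime(2001, 6, 14, 16, 0, 0)  # "current" time for the sample run
    flagged = find_bad_timestamps(SAMPLE_ROWS, now, earliest=datetime(2000, 1, 1))
    for sid, cid, sig, t in flagged:
        print(f"sid={sid} cid={cid} {t}  {sig}")
    print(count_by_source(flagged))
    print("single suspect:", sole_source(flagged))
```

With only the future-dated check, every flagged row comes from spp_portscan and `sole_source` names it; adding an `earliest` bound also catches epoch-zero timestamps, which here come from a rule alert, so `sole_source` returns None and the two symptoms are worth investigating separately.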




