[Snort-users] Question..

Chris Keladis Chris.Keladis at ...2783...
Sat Sep 15 23:15:03 EDT 2001


Hi folks,

I'm running many Snort sensors (some 1.8, some 1.8.1) across boxes all
over the world in many different timezones.

I also use Demarc 1.05-RC1 and it works well, except for one small
annoyance.

The time of the alerts appears to be local, and I'm seeing alerts from
all sorts of time-zones in Demarc (even negatives), which makes it
troublesome to ascertain when an event occurred.

I was wondering if the appropriate pre-processor could have an option to
output alerts in Epoch ticks, and I could have the Demarc station
convert it to local time, so I could get meaningful events? (When I
need to perform forensics I can always convert the time into local (to
the sensor) and match it up with machine(s) logs, if need be).

It's not an option to (re)set the time-zone of the sensors, as the
machines serve other purposes as well, and need their local time to
function correctly.

I've also skimmed the FAQ to see if this has come up before but came up
with nothing.

Anyone have any ideas/advice/pros/cons?

Regards,

Chris.
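The normalisation Chris describes (treat each sensor's alert time as local to that sensor, convert it to a single epoch value on the collector, and convert back to any local zone only when correlating with a host's logs) can be done on the collecting station without changes to Snort. The script below is an added example written for this thread; it is not Snort, Demarc or Chris's code. It parses the default Snort alert timestamp (`MM/DD-HH:MM:SS.uuuuuu`, which carries no year, so one is supplied), applies a per-sensor UTC offset, and sorts by epoch. The sensor names, their offsets and the alert lines are constructed for the example; a real deployment would map each sensor to an IANA zone name via `zoneinfo` so that daylight-saving changes are handled, which fixed offsets do not.

```python
"""Normalise sensor-local Snort alert timestamps to UTC epoch seconds.

Added example for the Snort-users thread above; not part of Snort or Demarc.
"""
import re
from datetime import datetime, timedelta, timezone

# Hypothetical per-sensor UTC offsets in hours (constructed for the example).
# Production code should use zoneinfo.ZoneInfo("Australia/Sydney") etc. so DST is respected.
SENSOR_UTC_OFFSET_HOURS = {
    "sensor-syd": 10,   # UTC+10
    "sensor-lon": 1,    # UTC+1 (BST)
    "sensor-nyc": -4,   # UTC-4 (EDT)
}

# Default Snort alert line timestamp: "09/15-23:15:03.000000 10.0.0.1:1234 -> 10.0.0.2:80"
ALERT_TS_RE = re.compile(r"^(\d{2})/(\d{2})-(\d{2}):(\d{2}):(\d{2})\.(\d{6})\s")


def parse_snort_timestamp(line, year):
    """Return a naive datetime for the sensor-local time at the start of an alert line, or None."""
    m = ALERT_TS_RE.match(line)
    if m is None:
        return None
    month, day, hour, minute, second, micro = (int(g) for g in m.groups())
    # Naive on purpose: the zone is a property of the sensor, applied in to_epoch().
    return datetime(year, month, day, hour, minute, second, micro)


def to_epoch(naive_local, offset_hours):
    """Interpret a naive local time in the given fixed UTC offset and return epoch seconds (float)."""
    tz = timezone(timedelta(hours=offset_hours))
    return naive_local.replace(tzinfo=tz).timestamp()


def epoch_to_local(epoch, offset_hours):
    """Convert epoch seconds back to an aware datetime in a sensor's (or host's) local offset."""
    return datetime.fromtimestamp(epoch, timezone(timedelta(hours=offset_hours)))


def normalize_alerts(alerts, year):
    """alerts: iterable of (sensor_name, alert_line). Returns [(epoch, sensor, line)] sorted by epoch."""
    out = []
    for sensor, line in alerts:
        naive = parse_snort_timestamp(line, year)
        if naive is None:
            continue  # header or continuation line, not a timestamped alert line
        epoch = to_epoch(naive, SENSOR_UTC_OFFSET_HOURS[sensor])
        out.append((epoch, sensor, line))
    out.sort()
    return out


# Constructed sample: three sensors that each logged the same wall-clock time.
# Sorting by local time would call them simultaneous; sorting by epoch shows the real order.
SAMPLE_ALERTS = [
    ("sensor-nyc", "09/15-23:15:03.000000 192.0.2.10:4444 -> 198.51.100.5:80"),
    ("sensor-lon", "09/15-23:15:03.000000 192.0.2.11:4444 -> 198.51.100.6:80"),
    ("sensor-syd", "09/15-23:15:03.000000 192.0.2.12:4444 -> 198.51.100.7:80"),
    ("sensor-syd", "[**] [1:0:0] constructed rule message [**]"),  # not a timestamp line; skipped
]

if __name__ == "__main__":
    for epoch, sensor, line in normalize_alerts(SAMPLE_ALERTS, year=2001):
        utc = epoch_to_local(epoch, 0).isoformat()
        print(f"{epoch:.0f}  {utc}  {sensor}  {line}")
```

Sorting on the epoch column puts the Sydney event first and the New York event last, although all three alert lines read 23:15:03; converting one epoch value back with `epoch_to_local(epoch, offset)` gives the sensor-local time for matching against that host's own logs.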