[Snort-users] spp_portscan unproper timestamp in replay(-r option) procedure
gvidakis at ...7022...
Tue Oct 1 02:43:02 EDT 2002
I read a Snort binary file with the -r option and the proper configuration file
so that Snort will generate the alerts again (all rules are included, and the log plugins).
The problem which I have is that the timestamp of the portscan alerts
spp_portscan: PORTSCAN DETECTED from XXX (THRESHOLD 4 connections exceeded in 0 seconds) [**]09/29-03:17:02.190148
spp_portscan: End of portscan from XXX: TOTAL time(43s) hosts(102) TCP(4) UDP(106) [**]09/29-05:20:02.056458
spp_portscan: portscan status from XXX: 10 connections across 10 hosts: TCP(2), UDP(8) [**]09/29-04:35:24.265486
which are generated is not the timestamp at which the packets were captured by Snort, but the current time, that is, the time
at which I run snort -r snortbinaryfile.
Of course I want the timestamp when the portscan took place in the alert logging, not the timestamp when Snort is processing the snortbinaryfile again.
Any idea about how I can solve this problem?