[Snort-users] spp_portscan improper timestamp in replay (-r option) procedure

Grigoris Vidakis gvidakis at ...7022...
Tue Oct 1 02:43:02 EDT 2002


Hi all!
  I read a Snort binary file with the -r option and the proper configuration file
so that Snort will generate the alerts again (all rules are included, and the log plugins).
The problem I have is that the timestamp of the portscan alerts

spp_portscan: PORTSCAN DETECTED from XXX (THRESHOLD 4 connections exceeded in 0 seconds) [**]09/29-03:17:02.190148 
spp_portscan: End of portscan from XXX: TOTAL time(43s) hosts(102) TCP(4) UDP(106) [**]09/29-05:20:02.056458 
spp_portscan: portscan status from XXX: 10 connections across 10 hosts: TCP(2), UDP(8) [**]09/29-04:35:24.265486 

which are generated is not the timestamp at which the packets were captured by Snort, but the current time, that is, the time
at which I run snort -r snortbinaryfile.
Of course I want the timestamp of when the portscan took place in the alert logging, not the timestamp of when Snort processes the snortbinaryfile again.

Any idea how I can solve this problem?
