[Snort-users] Drifting timestamps

M. Shirk shirkdog_linux at ...125...
Wed Oct 20 06:37:37 EDT 2004


In the default barnyard.conf, there is a setting to convert all timestamps 
to UTC

See the following:

# use localtime instead of UTC (*not* recommended because of timewarps)
#config localtime

The default configuration is to use UTC. This might be it.

Shirkdog


>From: "Jacob Roberts" <jake_roberts at ...10077...>
>To: "Martin Roesch" <roesch at ...1935...>
>CC: <snort-users at lists.sourceforge.net>
>Subject: RE: [Snort-users] Drifting timestamps
>Date: Mon, 18 Oct 2004 13:18:27 -0600
>
>We check the timezones and clocks of all the systems involved.  They are
>all correct and don't drift from day to day.
>
>The daily routine is to stop barnyard, stop snort, drop the MySQL
>database (not just delete the records), re-create the database, start
>snort, start barnyard.
>
>At the time everything is restarted the timestamps are in sync with
>correct time.  As the system runs the timestamps drift.
>
>We've narrowed it down to one of the following:
>	1. Something weird in Snort (probably not)
>	2. Something in Barnyard (we've no idea)
>	3. Something in MySQL. (We've added a timestamp column to the
>event table and it auto-inserted correct timestamps. So we don't think
>it's MySQL)
>
>Could this be a Barnyard thing?
>
>-----Original Message-----
>From: Martin Roesch [mailto:roesch at ...1935...]
>Sent: Sunday, October 17, 2004 9:10 AM
>To: Jacob Roberts
>Cc: snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] Drifting timestamps
>
>
>Hi Jake,
>
>That'd have to be the system clock on the sensor drifting; the
>timestamps that Snort uses are based on a call to gettimeofday() that
>libpcap performs when it receives a new packet.  Snort has no internal
>time tracking mechanisms and in fact we take advantage of the fact that
>libpcap gives us time data "for free" to track time inside Snort.
>
>        -Marty
>
>
>On Oct 15, 2004, at 6:50 PM, Jacob Roberts wrote:
>
> > We have a snort setup with barnyard which dumps in to a MySQL
> > database. We stop snort and barnyard each day, delete the database,
> > re-create it, then restart snort and barnyard.
> >
> > As snort runs through the day we start to see the timestamps of alerts
> > drift behind actual time.  We aren't receiving an excessive amount of
> > alerts so we ruled out Barnyard not being able to keep up with the
> > alerts generated by Snort (I don't know if that would happen anyways)
> >
> > Has anyone had anything like this happen?  We haven't been able to
> > track it down and aren't sure what to do.
> >
> > Thanks,
> > Jake Roberts
> > Brigham Young University
> > jake_roberts at ...10077...
> >
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> >
>--
>Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
>Sourcefire - Discover.  Determine.  Defend. roesch at ...1935... -
>http://www.sourcefire.com
>Snort: Open Source Network IDS - http://www.snort.org
>
>
>

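A way to tell the three explanations raised in this thread apart from the database alone, as an added example that is not code from the thread, from Snort or from Barnyard. It assumes each event row carries two timestamps: the one Barnyard wrote from the Snort record (libpcap's gettimeofday() at capture time, stored in UTC unless `config localtime` is set) and the MySQL-side auto-inserted timestamp Jake mentioned. The rows below are constructed sample data, and the column names and thresholds are assumptions. A constant whole-hour offset points at a UTC/localtime mismatch between the two columns; a lag that grows through the day is consistent with either Barnyard falling behind its spool or the sensor clock running slow, which the script cannot separate, so it reports that as "growing" and leaves the clock check (sensor time against an NTP reference) to the operator.

```python
"""Classify event-timestamp skew from (event_ts, insert_ts) rows.

Added example, not from the Snort-users thread. Assumed layout: each row
is (timestamp Barnyard wrote from the Snort record, MySQL auto-inserted
timestamp), both as "YYYY-MM-DD HH:MM:SS" strings in insert order.
"""
from datetime import datetime
from statistics import mean

TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample data (not real sensor output).
# 1. Healthy: a few seconds between capture and database insert.
STEADY_ROWS = [
    ("2004-10-18 08:00:00", "2004-10-18 08:00:01"),
    ("2004-10-18 09:00:00", "2004-10-18 09:00:04"),
    ("2004-10-18 10:00:00", "2004-10-18 10:00:02"),
    ("2004-10-18 11:00:00", "2004-10-18 11:00:03"),
]
# 2. Event column in UTC, insert column in local time (UTC-6 here):
#    a constant six-hour offset, not a drift.
TIMEZONE_ROWS = [
    ("2004-10-18 14:00:00", "2004-10-18 08:00:01"),
    ("2004-10-18 15:00:00", "2004-10-18 09:00:03"),
    ("2004-10-18 16:00:00", "2004-10-18 10:00:02"),
]
# 3. Lag that keeps increasing through the day: Barnyard behind its
#    spool, or a sensor clock running slow. Indistinguishable from here.
GROWING_ROWS = [
    ("2004-10-18 08:00:00", "2004-10-18 08:00:01"),
    ("2004-10-18 10:00:00", "2004-10-18 10:01:00"),
    ("2004-10-18 12:00:00", "2004-10-18 12:05:00"),
    ("2004-10-18 14:00:00", "2004-10-18 14:15:00"),
]


def parse_ts(ts):
    """Parse a MySQL-style DATETIME string into a naive datetime."""
    return datetime.strptime(ts, TS_FORMAT)


def lag_seconds(rows):
    """insert_ts - event_ts for every row, in seconds, in row order."""
    return [(parse_ts(ins) - parse_ts(ev)).total_seconds() for ev, ins in rows]


def classify_skew(rows, steady_tolerance=10.0):
    """Return (kind, value) describing the skew between the two columns.

    kind is one of:
      "timezone" - lag is a constant whole number of hours (value: hours);
                   check `config localtime` in barnyard.conf and the
                   MySQL/OS timezone before suspecting a drift.
      "steady"   - lag is small and constant (value: mean lag in seconds).
      "growing"  - lag rises monotonically (value: total increase in
                   seconds); Barnyard backlog or slow sensor clock.
      "irregular"- lag jumps around (value: spread in seconds).
    steady_tolerance is an assumed jitter budget in seconds.
    """
    lags = lag_seconds(rows)
    if len(lags) < 2:
        raise ValueError("need at least two rows to judge skew")
    spread = max(lags) - min(lags)
    avg = mean(lags)
    whole_hours = round(avg / 3600)
    if spread <= steady_tolerance:
        if whole_hours != 0 and abs(avg - whole_hours * 3600) <= steady_tolerance:
            return ("timezone", whole_hours)
        return ("steady", avg)
    increase = lags[-1] - lags[0]
    monotone = all(b >= a - steady_tolerance for a, b in zip(lags, lags[1:]))
    if increase > steady_tolerance and monotone:
        return ("growing", increase)
    return ("irregular", spread)


if __name__ == "__main__":
    for name, rows in (("steady", STEADY_ROWS),
                       ("timezone", TIMEZONE_ROWS),
                       ("growing", GROWING_ROWS)):
        print(name, "->", classify_skew(rows))
```

In practice the rows would come from a `SELECT` over the event table ordered by the auto-inserted column; pulling them in chunks across the day, rather than once, is what reveals whether the lag resets when Barnyard and Snort are restarted, as the thread describes.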