[Snort-users] Drifting timestamps

Martin Roesch roesch at ...1935...
Thu Oct 21 12:14:17 EDT 2004


Hi Jacob,

It could be but IIRC Barnyard is just reading the timestamps from the 
unified files for its insertions.  I just checked the code and 
Barnyard's ACID database plugin gets timestamps from the unified file.  
Might be MySQL, but that would be weird...

      -Marty

On Oct 18, 2004, at 3:18 PM, Jacob Roberts wrote:

> We check the timezones and clocks of all the systems involved.  They
> are all correct and don't drift from day to day.
>
> The daily routine is to stop barnyard, stop snort, drop the MySQL
> database (not just delete the records), re-create the database, start
> snort, start barnyard.
>
> At the time everything is restarted the timestamps are in sync with
> correct time.  As the system runs the timestamps drift.
>
> We've narrowed it down to one of the following:
> 	1. Something weird in Snort (probably not)
> 	2. Something in Barnyard (we've no idea)
> 	3. Something in MySQL. (We've added a timestamp column to the
> event table and it auto-inserted correct timestamps. So we don't think
> it's MySQL)
>
> Could this be a Barnyard thing?
>
> -----Original Message-----
> From: Martin Roesch [mailto:roesch at ...1935...]
> Sent: Sunday, October 17, 2004 9:10 AM
> To: Jacob Roberts
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Drifting timestamps
>
>
> Hi Jake,
>
> That'd have to be the system clock on the sensor drifting; the
> timestamps that Snort uses are based on a call to gettimeofday() that
> libpcap performs when it receives a new packet.  Snort has no internal
> time tracking mechanisms and in fact we take advantage of the fact that
> libpcap gives us time data "for free" to track time inside Snort.
>
>        -Marty
>
>
> On Oct 15, 2004, at 6:50 PM, Jacob Roberts wrote:
>
>> We have a snort setup with barnyard which dumps into a MySQL
>> database. We stop snort and barnyard each day, delete the database,
>> re-create it, then restart snort and barnyard.
>>
>> As snort runs through the day we start to see the timestamps of alerts
>> drift behind actual time.  We aren't receiving an excessive number of
>> alerts so we ruled out Barnyard not being able to keep up with the
>> alerts generated by Snort (I don't know if that would happen anyways)
>>
>> Has anyone had anything like this happen?  We haven't been able to
>> track it down and aren't sure what to do.
>>
>> Thanks,
>> Jake Roberts
>> Brigham Young University
>> jake_roberts at ...10077...
>>
>>
> -- 
> Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
> Sourcefire - Discover.  Determine.  Defend. roesch at ...1935... -
> http://www.sourcefire.com
> Snort: Open Source Network IDS - http://www.snort.org
>
>
-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover.  Determine.  Defend.
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
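The thread narrows the problem to comparing two clocks for the same alert row: the event timestamp Snort took from libpcap and wrote to the unified file (which Barnyard copies into the events table), and the insertion time of the auto-filled MySQL timestamp column Jacob added. The script below is an added example, not code from this thread or from the Snort or Barnyard projects. It assumes the two timestamps have been exported as `event_ts,insert_ts` lines in ISO 8601 form (the sample rows are constructed, not real sensor data), and the thresholds it uses to label the result are assumed values for illustration. It fits a line to the lag between the two clocks over the day: a steady, rate-independent growth points at the sensor clock, while lag that rises during bursts and falls back afterwards points at a backlog in the write path.

```python
"""Diagnose drifting alert timestamps in a Snort -> Barnyard -> MySQL pipeline.

Each input row pairs the event timestamp that Snort wrote to the unified
file (and that Barnyard copies into the events table unchanged) with the
auto-filled insertion timestamp of the same row (the extra MySQL
TIMESTAMP column described in the thread).  The lag between the two can
grow in two characteristically different shapes:

  * steady drift: lag grows at a roughly constant rate per hour of wall
    time whatever the alert rate, which points at the sensor clock;
  * bursty lag: lag rises during alert bursts and falls back afterwards,
    which points at a backlog somewhere in the write path.
"""
from datetime import datetime

# Constructed sample data (not real sensor output).  Format per line:
# <event_ts from unified file>,<insert_ts from the DB auto-timestamp column>
STEADY_DRIFT = """\
# event_ts,insert_ts
2004-10-18T00:00:00,2004-10-18T00:00:00
2004-10-18T01:00:00,2004-10-18T01:00:05
2004-10-18T02:00:00,2004-10-18T02:00:10
2004-10-18T03:00:00,2004-10-18T03:00:15
2004-10-18T04:00:00,2004-10-18T04:00:20
"""

BURSTY_LAG = """\
# event_ts,insert_ts
2004-10-18T00:00:00,2004-10-18T00:00:00
2004-10-18T01:00:00,2004-10-18T01:00:30
2004-10-18T02:00:00,2004-10-18T02:01:00
2004-10-18T03:00:00,2004-10-18T03:00:05
2004-10-18T04:00:00,2004-10-18T04:00:00
"""


def parse_rows(text):
    """Parse 'event_ts,insert_ts' lines (ISO 8601) into (event, insert) datetime pairs."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        event_ts, insert_ts = line.split(",")
        rows.append((datetime.fromisoformat(event_ts), datetime.fromisoformat(insert_ts)))
    return rows


def lag_series(rows):
    """Return (elapsed_s, lag_s) pairs: seconds since the first insert on the
    trusted DB clock, and how far the event timestamp trails the insert time."""
    t0 = rows[0][1]
    return [((ins - t0).total_seconds(), (ins - ev).total_seconds()) for ev, ins in rows]


def linear_fit(series):
    """Ordinary least-squares line y = slope * x + intercept through (x, y) pairs."""
    n = len(series)
    sx = sum(x for x, _ in series)
    sy = sum(y for _, y in series)
    sxx = sum(x * x for x, _ in series)
    sxy = sum(x * y for x, y in series)
    denom = n * sxx - sx * sx
    if denom == 0:
        return 0.0, sy / n
    slope = (n * sxy - sx * sy) / denom
    return slope, (sy - slope * sx) / n


def drift_rate_per_hour(series):
    """Fitted lag growth in seconds of lag per hour of wall time."""
    slope, _ = linear_fit(series)
    return slope * 3600.0


def max_residual(series):
    """Largest deviation of any sample from the fitted line, in seconds."""
    slope, intercept = linear_fit(series)
    return max(abs(y - (slope * x + intercept)) for x, y in series)


def classify(text, drift_threshold=1.0, residual_threshold=2.0):
    """Label a lag record 'bursty lag', 'steady drift' or 'in sync'.

    The thresholds (1 s/h of drift, 2 s of scatter around the fit) are
    assumed values chosen for this example, not figures from the thread.
    """
    series = lag_series(parse_rows(text))
    if max_residual(series) > residual_threshold:
        return "bursty lag"
    if abs(drift_rate_per_hour(series)) > drift_threshold:
        return "steady drift"
    return "in sync"


if __name__ == "__main__":
    for name, text in (("steady", STEADY_DRIFT), ("bursty", BURSTY_LAG)):
        series = lag_series(parse_rows(text))
        print(f"{name}: {drift_rate_per_hour(series):.2f} s/h drift, "
              f"{max_residual(series):.1f} s scatter -> {classify(text)}")
```

The x axis is the insertion clock rather than the event clock because the thread established that the auto-filled column is the one that stays correct; fitting against the suspect clock would hide part of the drift. On a real deployment the rows would come from a query joining the event timestamp with the added column, exported in the same two-field form.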