[Snort-users] Drifting timestamps

M. Shirk shirkdog_linux at ...125...
Thu Oct 21 15:11:18 EDT 2004


I had this issue on my sensor. My time would swing a couple of minutes every 
week, however, timestamps were close enough for me (personal sensor, not 
production). If timestamps are important, make sure you synch with a local 
time server.

Shirkdog


>From: Martin Roesch <roesch at ...1935...>
>To: "Jacob Roberts" <jake_roberts at ...10077...>
>CC: <snort-users at lists.sourceforge.net>
>Subject: Re: [Snort-users] Drifting timestamps
>Date: Sun, 17 Oct 2004 11:09:41 -0400
>
>Hi Jake,
>
>That'd have to be the system clock on the sensor drifting; the timestamps 
>that Snort uses are based on a call to gettimeofday() that libpcap performs 
>when it receives a new packet.  Snort has no internal time tracking 
>mechanisms and in fact we take advantage of the fact that libpcap gives us 
>time data "for free" to track time inside Snort.
>
>       -Marty
>
>
>On Oct 15, 2004, at 6:50 PM, Jacob Roberts wrote:
>
>>We have a snort setup with barnyard which dumps into a MySQL database.
>>We stop snort and barnyard each day, delete the database, re-create it,
>>then restart snort and barnyard.
>>
>>As snort runs through the day we start to see the timestamps of alerts
>>drift behind actual time.  We aren't receiving an excessive amount of
>>alerts so we ruled out Barnyard not being able to keep up with the
>>alerts generated by Snort (I don't know if that would happen anyways)
>>
>>Has anyone had anything like this happen?  We haven't been able to track
>>it down and aren't sure what to do.
>>
>>Thanks,
>>Jake Roberts
>>Brigham Young University
>>jake_roberts at ...10077...
>>
>>
>>-------------------------------------------------------
>>This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
>>Use IT products in your business? Tell us what you think of them. Give us
>>Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out 
>>more
>>http://productguide.itmanagersjournal.com/guidepromo.tmpl
>>_______________________________________________
>>Snort-users mailing list
>>Snort-users at lists.sourceforge.net
>>Go to this URL to change user options or unsubscribe:
>>https://lists.sourceforge.net/lists/listinfo/snort-users
>>Snort-users list archive:
>>http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>>
>--
>Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
>Sourcefire - Discover.  Determine.  Defend.
>roesch at ...1935... - http://www.sourcefire.com
>Snort: Open Source Network IDS - http://www.snort.org
>
>
>
