[Snort-users] UTC and chroot

Paul Melson psmelson at ...5068...
Mon Mar 28 06:49:32 EST 2005


I have recently upgraded a Snort sensor from 2.1.2 on RedHat 7.3 to 2.3.2 on
RHEL4.  Snort is logging to a MySQL database.  I would like to run Snort
chroot-ed, and was doing this before on the old sensor.  On the new sensor,
however, if I run Snort chroot-ed to its $HOME, it runs, but begins logging
to MySQL in UTC instead of local time.

If I start Snort with:

snort -c /opt/snort/etc/snort.conf -D -o -i eth1 -u snort -g snort -t
/opt/snort -N -l /opt/snort/var/log/snort

Then logging (it doesn't actually matter if it's syslog or MySQL, I just
happen to be using MySQL) is in UTC, which is in the future, causing all
kinds of problems when it comes time to do analysis.  The snort user's home
directory is /opt/snort and that uid has at least read permissions to every
file and directory in that path.  If I start Snort with:

snort -c /opt/snort/etc/snort.conf -D -o -i eth1 -u snort -g snort -N -l
/opt/snort/var/log/snort

Then logging is done in local time.  I'm stumped.  I would be grateful for
any ideas or suggestions.

Thanks,
PaulM
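A quick check for the symptom described in the post above, added here as an example and not part of the original message or of the Snort project: libc resolves local time from the TZ environment variable or from /etc/localtime relative to the process's root directory, so once a daemon has called chroot(), a missing etc/localtime inside the jail leaves it with no zone data and its timestamps fall back to UTC. The helper below inspects a chroot directory for that file and, optionally, copies the host's zone file into it (the chroot path, and the idea of copying rather than symlinking, are this example's assumptions).

```shell
#!/bin/sh
# Added example, not from the original post. Assumption: libc reads local
# time from $TZ or from /etc/localtime relative to the process root and
# falls back to UTC when neither yields usable zone data.

# check_chroot_tz DIR
# Returns 0 if DIR/etc/localtime exists (timestamps inside the jail will be
# local), 1 if it is missing (timestamps inside the jail will be UTC).
check_chroot_tz() {
    root="$1"
    if [ -n "${TZ:-}" ]; then
        # A POSIX rule string such as EST5EDT,M3.2.0,M11.1.0 needs no files;
        # a zone name such as America/New_York still needs zoneinfo under DIR.
        echo "note: TZ='$TZ' is set; a zone name must be resolvable under $root"
    fi
    if [ -e "$root/etc/localtime" ]; then
        echo "ok: $root/etc/localtime present"
        return 0
    fi
    echo "missing: $root/etc/localtime (libc in the chroot will use UTC)"
    return 1
}

# populate_chroot_tz DIR
# Copies the host's /etc/localtime into DIR/etc. A real copy (cp -L) is used
# on purpose: a symlink into /usr/share/zoneinfo would dangle inside the jail.
populate_chroot_tz() {
    root="$1"
    [ -r /etc/localtime ] || { echo "host has no readable /etc/localtime" >&2; return 1; }
    mkdir -p "$root/etc"
    cp -L /etc/localtime "$root/etc/localtime"
    chmod 0644 "$root/etc/localtime"
    echo "copied /etc/localtime into $root/etc"
}

# Example usage with the directory from the post (uncomment to run as root):
# check_chroot_tz /opt/snort || populate_chroot_tz /opt/snort
```

Run check_chroot_tz against the directory passed to snort -t before starting the daemon; if it reports the file missing, populate_chroot_tz copies the host zone file in, after which the chroot-ed process localizes timestamps the same way the non-chroot-ed one does.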