FW: [Snort-users] Snort 2.6 RC2, chroot, and localtime

Miner, Jonathan W (CSC) (US SSA) jonathan.w.miner at ...11338...
Thu May 11 07:03:03 EDT 2006


Forwarding James' responses to the list


-----Original Message-----
From:	James Lay [mailto:jlay at ...13475...]
Sent:	Thu 05/11/2006 08:39 AM
To:	Miner, Jonathan W (CSC) (US SSA)
Cc:	
Subject:	Re: [Snort-users] Snort 2.6 RC2, chroot, and localtime
On Thu, 11 May 2006 07:33:12 -0400
"Miner, Jonathan W \(CSC\) \(US SSA\)"
<jonathan.w.miner at ...11338...> wrote:

> 
> > From:	snort-users-admin at lists.sourceforge.net on behalf of
> > James Lay Sent:	Wed 05/10/2006 09:55 PM
> > To:	Snort
> > Subject:	[Snort-users] Snort 2.6 RC2, chroot, and localtime
> >
> >
> > Searched through the archives, but didn't find anything to help me
> > out with this issue.  Snort logs exactly 8 hours behind my
> > timezone.  I've copied my /etc/localtime to the chroot environment,
> > but still no go. Anyone have any idea how to fix this?  Thanks!
> 
> James -
> 
> I don't have an answer, it would help if you could answer the
> following, and post the answers back to the mailing list.  I've never
> seen such behavior with Snort, but I have never installed it under a
> chroot environment either.
> 
> What timezone is your machine in? (Would you happen to be 8 hours
> away from GMT, and Snort is logging times in GMT?)
> 
My machine is in GMT-7, but with daylight savings I believe it's 8
hours away.

> Where are you logging your alerts, and how are you viewing the
> alerts? (Perhaps the viewer is displaying the 'wrong' timezone?)
> 
I'm logging my alerts in syslog and in mysql.  Both show the different
timezone.  Example:

May 11 06:04:53 homebox postfix/qmgr[1010]: 3F43D124846: from=<jonathan.w.miner at ...11338...>,
size=3090, nrcpt=1 (queue active)

May 11 06:04:53 homebox postfix/local[19307]: 3F43D124846: to=<jlay at ...13810...5...>, relay=local, delay=0,
status=sent (delivered to mailbox)

May 11 06:04:53 homebox postfix/qmgr[1010]: 3F43D124846: removed

May 11 12:07:11 homebox snort[17100]: [1:2000537:3] BLEEDING-EDGE SCAN
NMAP -sS [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 84.55.72.13:4103 -> 71.39.117.84:6881

May 11 12:07:11 homebox snort[17100]: [1:2000545:3] BLEEDING-EDGE SCAN
NMAP -f -sS [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 84.55.72.13:4103 -> 71.39.117.84:6881

May 11 06:09:50 homebox postfix/smtpd[19288]: timeout after END-OF-MESSAGE from smtp4.na.baesystems.com[63.164.202.13]

May 11 06:09:50 homebox postfix/smtpd[19288]: disconnect from smtp4.na.baesystems.com[63.164.202.13]

> Which operating system? (I'm assuming some UNIX flavor...)
> 
Yes... this is Slackware Linux =)  Hope that helps... and thank you.

James

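The mechanism most likely behind a chroot'd daemon stamping alerts in GMT is worth spelling out, since the thread itself does not get to it. After chroot(2), the C library resolves TZ relative to the new root: with TZ unset it opens /etc/localtime inside the chroot (which is why copying that file is the usual fix, and the copy must be readable by the user Snort drops to); with TZ exported by an init script as a zone name such as America/Denver, the copied /etc/localtime is ignored and the library wants /usr/share/zoneinfo/America/Denver under the chroot instead. Either way, a zoneinfo file that cannot be opened does not raise an error; glibc and musl quietly fall back to UTC. A POSIX rule string in TZ (e.g. MST7MDT,M3.2.0,M11.1.0) needs no file at all and therefore works in a bare chroot. The following program is an added example written for this page, not code from the Snort project or from anyone in the thread; the timestamp is constructed, and the nonexistent path stands in for a zoneinfo file missing from a chroot, since chroot(2) itself needs root to demonstrate.

```c
/* Added example, not code from the Snort project or from the thread.
 * Shows the C-library behaviour behind "daemon logs in GMT after chroot":
 * tzset() resolves TZ (or /etc/localtime when TZ is unset) relative to the
 * process root, and a zoneinfo file it cannot open degrades silently to UTC.
 * A POSIX TZ rule string needs no file, so it survives a bare chroot.
 * The sample timestamp is constructed for illustration. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Constructed: 2006-05-11 12:07:11 UTC. */
static const time_t SAMPLE_UTC = 1147349231;

/* Point the C library at a TZ setting; NULL means "unset", which makes
 * glibc fall back to /etc/localtime under the current root. */
static void select_tz(const char *tz)
{
    if (tz)
        setenv("TZ", tz, 1);
    else
        unsetenv("TZ");
    tzset();
}

static long seconds_into_day(const struct tm *tm)
{
    return tm->tm_hour * 3600L + tm->tm_min * 60L + tm->tm_sec;
}

/* Offset (seconds east of UTC) that the library applies to t under TZ.
 * Derived from the broken-down fields so it needs no tm_gmtoff extension. */
long utc_offset_under_tz(const char *tz, time_t t)
{
    struct tm utc, local;

    utc = *gmtime(&t);          /* copy: gmtime/localtime share static storage */
    select_tz(tz);
    local = *localtime(&t);

    long day_delta;
    if (local.tm_year == utc.tm_year)
        day_delta = local.tm_yday - utc.tm_yday;
    else
        day_delta = local.tm_year > utc.tm_year ? 1 : -1;   /* |offset| < 24h */

    return day_delta * 86400L + seconds_into_day(&local) - seconds_into_day(&utc);
}

/* Render t the way syslog does ("May 11 06:07:11") under TZ and report
 * whether the result equals expected. */
int renders_as(const char *tz, time_t t, const char *expected)
{
    char buf[32];
    struct tm local;

    select_tz(tz);
    local = *localtime(&t);
    strftime(buf, sizeof buf, "%b %e %H:%M:%S", &local);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* What an init script might export for a host in Mountain time. */
    const char *posix_rule = "MST7MDT,M3.2.0,M11.1.0";
    /* Stands in for a zone-name TZ, or an /etc/localtime, that is absent
     * inside the chroot: the library cannot open it and uses UTC. */
    const char *missing_file = ":/nonexistent/zoneinfo/America/Denver";
    const char *cases[] = { posix_rule, missing_file };
    char buf[32];
    struct tm local;

    for (size_t i = 0; i < 2; i++) {
        select_tz(cases[i]);
        local = *localtime(&SAMPLE_UTC);
        strftime(buf, sizeof buf, "%b %e %H:%M:%S", &local);
        printf("TZ=%-40s offset %+6ld  ->  %s\n", cases[i],
               utc_offset_under_tz(cases[i], SAMPLE_UTC), buf);
    }
    return 0;
}
```

The same UTC instant renders as 06:07:11 under the rule string and as 12:07:11 when the zoneinfo file is unreachable, the six-hour gap between Mountain Daylight Time and UTC. When debugging a chroot, check three things in order: that <chroot>/etc/localtime exists and is readable by the daemon's user, that the environment Snort starts with does not set TZ to a zone name whose file is missing under the chroot, and, if in doubt, export a POSIX rule string so no file lookup is needed.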