Snort mailing list archives
RE: New Conundrum
From: Kevin Brown <Kevin.M.Brown () asu edu>
Date: Thu, 10 May 2001 13:15:30 -0700
OK, did some more digging and I'm still under the impression that something's not right. I finally figured out that for each sensor it creates a new cid entry in the event table that is unique only against the sid (e.g. if you have 4 sensors logging you could have four rows with a cid of 1000 with a unique sid attached to each). So with that in hand I did a select statement to find the cids for just the sun box and came up with:

     sid | cid | signature |       timestamp
    -----+-----+-----------+------------------------
       3 |  30 |       424 | 2001-05-09 05:07:40-07
       3 |  31 |       424 | 2001-05-09 05:07:40-07
       3 |  32 |       668 | 2001-05-14 02:10:41-07  <----
       3 |  33 |       424 | 2001-05-09 05:07:41-07
       3 |  34 |      5538 | 2001-05-09 05:07:41-07
       3 |  35 |      1250 | 2001-05-14 02:10:42-07  <----
       3 |  36 |       424 | 2001-05-09 05:07:42-07
       3 |  37 |       424 | 2001-05-09 05:07:42-07
       3 |  38 |       424 | 2001-05-09 05:07:42-07
       3 |  39 |       424 | 2001-05-09 05:07:42-07
       3 |  40 |       424 | 2001-05-09 05:07:42-07
       3 |  41 |      5541 | 2001-01-28 22:19:42-07  <----
       3 |  42 |      1053 | 2001-05-14 02:10:43-07  <----

Notice that the timestamp field jumps around in date even though the cids of the events are sequential. I don't know where this problem is introduced, but it doesn't seem to have happened to the Linux (RH6.2 kernel 2.2.19) box that was in the wild.

-----Original Message-----
From: Kevin Brown [mailto:Kevin.M.Brown () asu edu]
Sent: Wednesday, May 09, 2001 16:03
To: snort-users () lists sourceforge net
Subject: [Snort-users] New Conundrum

Got a new little thing I found. I just finished putting that Netra T1 into place to begin testing. I have it logging to the same database as the PII 450 that was out there. I went looking through the database to verify that it is indeed logging and found that the timestamp for the events being logged by the Sun box are 5 days behind today (5/4/2001). I discovered this by just doing a "select timestamp from event where cid = <count of rows>;". The box has the following on it:

    Solaris 8
    psql 7.0.3 (for the shared libs to send data to a remote sql box)
    snort 1.8b4 (build 14)

Running date returns the following:

    Wed May 9 15:58:05 MST 2001

which is only off by a minute or less from current local time. The linux box that had been there (PII 450) last logged a packet at 10:44AM, Wed May 9, which is the time that I shut it down to put the Sun in its place.
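The two checks implied by the thread, written out as an added example (not code from the original posts or from the Snort project): events are keyed per sensor by (sid, cid), so any ordering or gap check has to be partitioned by sid, and the symptom to look for is a timestamp that runs backwards against the cid sequence or lands in the future relative to the time of the query. The sid 3 rows below are the ones quoted in the post with the "-07" offset dropped so the strings compare lexically; the sid 1 rows are constructed to stand in for the Linux sensor and deliberately reuse the same cid values. The three-column `event` schema is a simplified stand-in for the Snort database schema, and sqlite is used in place of PostgreSQL only so the example runs offline.

```python
import sqlite3

# Constructed sample data. sid=3 is the Sun sensor as quoted in the post
# (tz offset dropped); sid=1 is a made-up Linux sensor whose cids collide
# with sid=3 on purpose, because cid is only unique within a sid.
SAMPLE_EVENTS = [
    (1, 30, 424, "2001-05-09 10:40:00"),
    (1, 31, 424, "2001-05-09 10:41:00"),
    (1, 32, 668, "2001-05-09 10:44:00"),
    (3, 30, 424, "2001-05-09 05:07:40"),
    (3, 31, 424, "2001-05-09 05:07:40"),
    (3, 32, 668, "2001-05-14 02:10:41"),
    (3, 33, 424, "2001-05-09 05:07:41"),
    (3, 34, 5538, "2001-05-09 05:07:41"),
    (3, 35, 1250, "2001-05-14 02:10:42"),
    (3, 36, 424, "2001-05-09 05:07:42"),
    (3, 37, 424, "2001-05-09 05:07:42"),
    (3, 38, 424, "2001-05-09 05:07:42"),
    (3, 39, 424, "2001-05-09 05:07:42"),
    (3, 40, 424, "2001-05-09 05:07:42"),
    (3, 41, 5541, "2001-01-28 22:19:42"),
    (3, 42, 1053, "2001-05-14 02:10:43"),
]


def build_sample_db():
    """In-memory stand-in for the Snort event table (simplified schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE event (
               sid       INTEGER NOT NULL,
               cid       INTEGER NOT NULL,
               signature INTEGER NOT NULL,
               timestamp TEXT    NOT NULL,   -- ISO 'YYYY-MM-DD HH:MM:SS'
               PRIMARY KEY (sid, cid))"""
    )
    conn.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", SAMPLE_EVENTS)
    return conn


# For every event, find the immediately preceding cid on the SAME sensor
# (MAX(cid) below it, so gaps in cid are tolerated) and flag the pair if the
# timestamp went backwards.  Partitioning by sid is what keeps the colliding
# cids of different sensors from being compared with each other.
BACKWARD_JUMPS_SQL = """
SELECT cur.sid, prev.cid AS prev_cid, cur.cid, prev.timestamp, cur.timestamp
FROM event AS cur
JOIN event AS prev
  ON prev.sid = cur.sid
 AND prev.cid = (SELECT MAX(p.cid) FROM event AS p
                 WHERE p.sid = cur.sid AND p.cid < cur.cid)
WHERE cur.timestamp < prev.timestamp
ORDER BY cur.sid, cur.cid
"""


def find_backward_jumps(conn):
    """Return (sid, prev_cid, cid, prev_ts, ts) for each backwards step."""
    return [tuple(r) for r in conn.execute(BACKWARD_JUMPS_SQL)]


def find_future_events(conn, now_ts):
    """Events stamped later than now_ts (same ISO format), per sensor."""
    sql = "SELECT sid, cid, timestamp FROM event WHERE timestamp > ? ORDER BY sid, cid"
    return [tuple(r) for r in conn.execute(sql, (now_ts,))]


def cid_ranges(conn):
    """Per-sensor row count and cid range; overlapping ranges show that
    'select ... where cid = N' without a sid is ambiguous."""
    sql = "SELECT sid, COUNT(*), MIN(cid), MAX(cid) FROM event GROUP BY sid"
    return {sid: (n, lo, hi) for sid, n, lo, hi in conn.execute(sql)}


if __name__ == "__main__":
    db = build_sample_db()
    print("cid ranges per sensor:", cid_ranges(db))
    for sid, prev_cid, cid, prev_ts, ts in find_backward_jumps(db):
        print(f"sid {sid}: cid {prev_cid} -> {cid} goes back from {prev_ts} to {ts}")
    # The reply is dated 2001-05-10 13:15:30; anything after that is suspect.
    for sid, cid, ts in find_future_events(db, "2001-05-10 13:15:30"):
        print(f"sid {sid}: cid {cid} is stamped in the future: {ts}")
```

On the quoted data the backward-step check reports the transitions 32->33, 35->36 and 40->41 for sid 3 only, and the future-timestamp check picks out cids 32, 35 and 42 as the May 14 rows; the constructed sid 1 rows trigger neither check even though they share cid values with sid 3, which is the point of partitioning by sid. Against a real PostgreSQL event table the same two queries work unchanged apart from using a timestamp column instead of text.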
Current thread:
- New Conundrum Kevin Brown (May 09)
- <Possible follow-ups>
- RE: New Conundrum Kevin Brown (May 10)