Snort mailing list archives

timezone whackiness with snort/postgresql database...

From: Matthew Whitworth <matthew () okcomputer org>
Date: Thu, 07 Aug 2003 23:54:48 -0700

I just set up a snort sensor logging to a postgresql database (on thesame host) and noticed that the alerts in the database have timestampsseven hours earlier than their timestamps in the snort alert file. Theseven hours is interesting because that's my current offset from GMT --only in the opposite direction!


Here are two views of the same sets of alerts:

# grep ":51:" /var/log/snort/alert
08/07-06:51:07.353985 64.52.50.201:1511 -> xx.xx.xx.xx:80
08/07-06:51:07.454513 64.52.50.201:1511 -> xx.xx.xx.xx:80
08/07-17:51:46.835660 204.60.156.2:3401 -> xx.xx.xx.xx:80
08/07-17:51:50.357658 204.60.156.2:3413 -> xx.xx.xx.xx:80
08/07-17:51:53.848363 204.60.156.2:3429 -> xx.xx.xx.xx:80
08/07-17:51:54.383995 204.60.156.2:3433 -> xx.xx.xx.xx:80
08/07-17:51:54.988612 204.60.156.2:3436 -> xx.xx.xx.xx:80
08/07-17:51:56.545477 204.60.156.2:3439 -> xx.xx.xx.xx:80
08/07-17:51:57.016801 204.60.156.2:3441 -> xx.xx.xx.xx:80
08/07-17:51:57.529523 204.60.156.2:3443 -> xx.xx.xx.xx:80

$ psql snortdb -c "select * from event;" | grep ":51:"
  1 |  36 |        11 | 2003-08-06 23:51:07-07
  1 |  37 |         5 | 2003-08-06 23:51:07-07
  1 |  53 |        16 | 2003-08-07 10:51:46-07
  1 |  54 |        16 | 2003-08-07 10:51:50-07
  1 |  55 |        16 | 2003-08-07 10:51:53-07
  1 |  56 |        16 | 2003-08-07 10:51:54-07
  1 |  57 |        16 | 2003-08-07 10:51:54-07
  1 |  58 |        16 | 2003-08-07 10:51:56-07
  1 |  59 |        16 | 2003-08-07 10:51:57-07
  1 |  60 |        16 | 2003-08-07 10:51:57-07

Interestingly, postgresql knows what the real system time is:

$ date && psql snortdb -c "select now();"
Thu Aug  7 22:57:41 PDT 2003

now-------------------------------

2003-08-07 22:57:41.457929-07
(1 row)

I'm using Debian Linux (testing) with the hardware clock set to GMT andthe OS set to use PST8PDT, snort 2.0.0 and postgresql 7.3.2. Anyoneever seen anything like this?


Thanks in advance,

Matthew



-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

timezone whackiness with snort/postgresql database... Matthew Whitworth (Aug 08)
- <Possible follow-ups>
- RE: timezone whackiness with snort/postgresql database... Hutchinson, Andrew (Aug 08)
  - Re: timezone whackiness with snort/postgresql database... Matthew Whitworth (Aug 08)