Snort mailing list archives

Question..


From: Chris Keladis <Chris.Keladis () cmc cwo net au>
Date: Sun, 16 Sep 2001 16:13:58 +1000

Hi folks,

I'm running many Snort sensors (some 1.8, some 1.8.1) across boxes all
over the world in many different timezones.

I also use Demarc 1.05-RC1 and it works well, except for one small
annoyance.

The time of the alerts appears to be local, and I'm seeing alerts from
all sorts of time-zones in Demarc (even negatives), which makes it
troublesome to ascertain when an event occurred.

I was wondering if the appropriate pre-processor could have an option to
output alerts in Epoch ticks, and I could have the Demarc station
convert it to local time, so I could get meaningful events? (When I
need to perform forensics I can always convert the time into local (to
the sensor) and match it up with machine(s) logs, if need be).

It's not an option to (re)set the time-zone of the sensors, as the
machines serve other purposes as well, and need their local time to
function correctly.

I've also skimmed the FAQ to see if this has come up before but came up
with nothing..

Anyone have any ideas/advice/pros/cons?

Regards,

Chris.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
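The normalization described in the post, as an added example that is not part of the original message or of Snort or Demarc: the collecting station keeps a small registry of each sensor's UTC offset, converts every alert's local timestamp to epoch seconds, and then renders that single instant in the analyst's own zone. The sensor names, offsets and alert lines below are constructed; the `MM/DD-HH:MM:SS.usec` prefix is assumed to mirror Snort's alert timestamp, which carries no year, so the year is supplied by the collector rather than parsed.

```python
import re
from datetime import datetime, timedelta, timezone

# Hypothetical registry kept on the collecting (Demarc) station: sensor -> UTC offset in hours.
# Negative offsets are the "negatives" the post mentions seeing in the alert times.
SENSOR_TZ_OFFSETS = {
    "syd-sensor": 10,   # UTC+10 (Australian Eastern Standard Time)
    "lon-sensor": 1,    # UTC+1  (British Summer Time)
    "nyc-sensor": -4,   # UTC-4  (Eastern Daylight Time)
}

# Constructed sample: the SAME instant as reported by three sensors, each in its own local time.
# Format assumed to follow Snort's alert prefix "MM/DD-HH:MM:SS.usec", prefixed here with the sensor name.
SAMPLE_ALERTS = [
    "syd-sensor 09/16-16:13:58.000000 [**] [1:100:1] CONSTRUCTED test alert [**]",
    "lon-sensor 09/16-07:13:58.000000 [**] [1:100:1] CONSTRUCTED test alert [**]",
    "nyc-sensor 09/16-02:13:58.000000 [**] [1:100:1] CONSTRUCTED test alert [**]",
]

TS_RE = re.compile(
    r"^(?P<sensor>\S+) (?P<mo>\d{2})/(?P<d>\d{2})-"
    r"(?P<h>\d{2}):(?P<mi>\d{2}):(?P<s>\d{2})\.(?P<us>\d{6})"
)


def to_epoch(line: str, year: int = 2001) -> float:
    """Convert one alert line from the sensor's local time to UTC epoch seconds.

    The year is an assumption supplied by the collector because the Snort alert
    prefix does not carry one. An unknown sensor is an error rather than a silent
    fallback to the station's zone, since that is exactly the mistake being avoided.
    """
    m = TS_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised alert line: {line!r}")
    sensor = m.group("sensor")
    if sensor not in SENSOR_TZ_OFFSETS:
        raise ValueError(f"no UTC offset registered for sensor {sensor!r}")
    tz = timezone(timedelta(hours=SENSOR_TZ_OFFSETS[sensor]))
    local = datetime(
        year, int(m.group("mo")), int(m.group("d")),
        int(m.group("h")), int(m.group("mi")), int(m.group("s")),
        int(m.group("us")), tzinfo=tz,
    )
    # timestamp() on an aware datetime is independent of the collector's own system zone.
    return local.timestamp()


def to_station_local(epoch: float, station_offset_hours: int) -> str:
    """Render an epoch instant in the analyst's zone, offset kept in the string."""
    tz = timezone(timedelta(hours=station_offset_hours))
    return datetime.fromtimestamp(epoch, tz=tz).isoformat(sep=" ")


def normalize(lines, year: int = 2001):
    """Return [(sensor, epoch)] so alerts from different zones can be ordered and correlated."""
    return [(TS_RE.match(l).group("sensor"), to_epoch(l, year)) for l in lines]


if __name__ == "__main__":
    for sensor, epoch in normalize(SAMPLE_ALERTS):
        # All three rows print the same epoch and the same station-local time.
        print(f"{sensor:12} epoch={epoch:.0f} station_local={to_station_local(epoch, 10)}")
```

Once every alert is keyed by epoch seconds, sorting and cross-sensor correlation become trivial, and converting back to a given sensor's local time for matching against that host's own logs is just `to_station_local(epoch, SENSOR_TZ_OFFSETS[sensor])`.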