Snort mailing list archives

RE: timezone whackiness with snort/postgresql database...


From: "Hutchinson, Andrew" <andrew.hutchinson () Vanderbilt Edu>
Date: Fri, 8 Aug 2003 13:35:42 -0500

Hmmm.  That's a strange one.

I found a similar problem here
http://archives.postgresql.org/pgsql-bugs/2002-07/msg00117.php.
However, that was in an older version.

Can you do this:

Run psql, and at the prompt for your snort database type "\set" (without
the quotes).

Do you see TIMEZONE set to anything?

Also, at the psql prompt, run a "\d event" and check the data type for the
timestamp column.  It should be "timestamp without time zone" - is it?

Andrew Hutchinson - Network Security
Vanderbilt University Medical Center
(615) 936-2856
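
The comparison Matthew did by eye, as an added example that is not part of the thread: it parses the alert-file stamps and the psql rows, measures the skew between them, and maps that skew onto the two checks above. The sensor's UTC offset (-7 for PDT) and the year are assumptions passed in by the caller; the sample lines are constructed from the post.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed sample input, modelled on the two greps in Matthew's post.
ALERT_LINES = """\
08/07-06:51:07.353985 64.52.50.201:1511 -> xx.xx.xx.xx:80
08/07-17:51:46.835660 204.60.156.2:3401 -> xx.xx.xx.xx:80
"""
PSQL_ROWS = """\
   1 |  36 |        11 | 2003-08-06 23:51:07-07
   1 |  53 |        16 | 2003-08-07 10:51:46-07
"""
ALERT_RE = re.compile(r"^(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.(\d{6})")
# psql prints the zone as "-07"; strptime's %z insists on minutes, so parse it by hand.
PG_RE = re.compile(r"(\d{4})-(\d\d)-(\d\d) (\d\d):(\d\d):(\d\d)(?:\.\d+)?"
                   r"([+-]\d\d)(?::?(\d\d))?\s*$")

def parse_alert(line, year, local_utc_offset_hours):
    """Local wall time, no year/zone in the alert file: caller supplies both (assumed PDT = -7)."""
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError(f"not a snort alert line: {line!r}")
    mon, day, hh, mm, ss, us = (int(g) for g in m.groups())
    tz = timezone(timedelta(hours=local_utc_offset_hours))
    return datetime(year, mon, day, hh, mm, ss, us, tzinfo=tz)

def parse_pg(line):
    """Return the timestamptz at the end of a psql row as an aware datetime."""
    m = PG_RE.search(line)
    if not m:
        raise ValueError(f"no postgres timestamp in: {line!r}")
    y, mon, day, hh, mm, ss, off_h, off_m = m.groups()
    sign = -1 if off_h.startswith("-") else 1
    tz = timezone(sign * timedelta(hours=abs(int(off_h)), minutes=int(off_m or 0)))
    return datetime(int(y), int(mon), int(day), int(hh), int(mm), int(ss), tzinfo=tz)

def skew_hours(alert_text, psql_text, year, local_utc_offset_hours):
    """Pair lines with rows in order and return the set of whole-hour (db - alert) differences."""
    alerts = [parse_alert(l, year, local_utc_offset_hours)
              for l in alert_text.splitlines() if ALERT_RE.match(l)]
    rows = [parse_pg(l) for l in psql_text.splitlines() if PG_RE.search(l)]
    if len(alerts) != len(rows):
        raise ValueError("alert and row counts differ; pair them by hand")
    return {round((r - a.replace(microsecond=0)).total_seconds() / 3600)
            for a, r in zip(alerts, rows)}

def diagnose(skews, local_utc_offset_hours):
    """Map the measured skew onto the checks Andrew suggests (\\set, \\d event)."""
    if len(skews) == 1 and abs(next(iter(skews))) == abs(local_utc_offset_hours):
        return "skew equals the UTC offset: check TIMEZONE and event.timestamp's type"
    return "no single UTC-offset-sized skew; compare rows individually"
```

On the sample rows this reports a consistent -7 h skew, which is exactly the offset-sized gap Matthew describes.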


-----Original Message-----
From: Matthew Whitworth [mailto:matthew () okcomputer org] 
Sent: Friday, August 08, 2003 1:55 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] timezone whackiness with snort/postgresql database...


I just set up a snort sensor logging to a postgresql database (on the
same host) and noticed that the alerts in the database have timestamps
seven hours earlier than their timestamps in the snort alert file.  The
seven hours is interesting because that's my current offset from GMT --
only in the opposite direction!

Here are two views of the same sets of alerts:

# grep ":51:" /var/log/snort/alert
08/07-06:51:07.353985 64.52.50.201:1511 -> xx.xx.xx.xx:80
08/07-06:51:07.454513 64.52.50.201:1511 -> xx.xx.xx.xx:80
08/07-17:51:46.835660 204.60.156.2:3401 -> xx.xx.xx.xx:80
08/07-17:51:50.357658 204.60.156.2:3413 -> xx.xx.xx.xx:80
08/07-17:51:53.848363 204.60.156.2:3429 -> xx.xx.xx.xx:80
08/07-17:51:54.383995 204.60.156.2:3433 -> xx.xx.xx.xx:80
08/07-17:51:54.988612 204.60.156.2:3436 -> xx.xx.xx.xx:80
08/07-17:51:56.545477 204.60.156.2:3439 -> xx.xx.xx.xx:80
08/07-17:51:57.016801 204.60.156.2:3441 -> xx.xx.xx.xx:80
08/07-17:51:57.529523 204.60.156.2:3443 -> xx.xx.xx.xx:80

$ psql snortdb -c "select * from event;" | grep ":51:"
   1 |  36 |        11 | 2003-08-06 23:51:07-07
   1 |  37 |         5 | 2003-08-06 23:51:07-07
   1 |  53 |        16 | 2003-08-07 10:51:46-07
   1 |  54 |        16 | 2003-08-07 10:51:50-07
   1 |  55 |        16 | 2003-08-07 10:51:53-07
   1 |  56 |        16 | 2003-08-07 10:51:54-07
   1 |  57 |        16 | 2003-08-07 10:51:54-07
   1 |  58 |        16 | 2003-08-07 10:51:56-07
   1 |  59 |        16 | 2003-08-07 10:51:57-07
   1 |  60 |        16 | 2003-08-07 10:51:57-07

Interestingly, postgresql knows what the real system time is:

$ date && psql snortdb -c "select now();"
Thu Aug  7 22:57:41 PDT 2003
              now             
-------------------------------
 2003-08-07 22:57:41.457929-07
(1 row)

I'm using Debian Linux (testing) with the hardware clock set to GMT and
the OS set to use PST8PDT, snort 2.0.0 and postgresql 7.3.2.  Anyone
ever seen anything like this?

Thanks in advance,

Matthew



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


