Snort mailing list archives

flow-portscan, pcap files, and timestamps..


From: Erik Fichtner <emf () servervault com>
Date: Tue, 30 Mar 2004 11:12:21 -0500


Hi all.. I'm having a little issue with flow-portscan that's driving me
bonkers... See, I'm using an offline pcap file, and flow-portscan keeps
reporting detected portscans with current time values, not the time that
they actually happened based on the current time values from the pcap file.

I took a quick look into flowps.c and it appears to be trying to use the
packet timestamps, so I'm not entirely sure where it's deciding to get
the wrong timestamp from, although I suspect somewhere along the output
chain of GenerateSnortEvent() there's a shortcut someone took to call
localtime() instead of keeping a running clock internally.  :(

Has anyone else been down this, or a similar path with anything resembling
success? I'm not entirely sure how, or even if, this can be fixed,
but since the other plugins don't seem to have this problem, I still have some
hope.

Any pointers at all would be appreciated.

Thanks....

-- 
Erik Fichtner
Principal Engineer, Information Security, ServerVault Corp.
703-652-5900
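The distinction the post raises, an event stamped with localtime() versus one stamped from a running packet clock fed by the pcap header, as an added C illustration that is not Snort's code: `struct cap_hdr` is a constructed stand-in for libpcap's `struct pcap_pkthdr` (same `ts` field) so the block needs no libpcap, and all timestamps are constructed.

```c
#include <stdint.h>
#include <time.h>
#include <sys/time.h>

/* Constructed stand-in for the per-packet capture header; libpcap's
 * struct pcap_pkthdr carries the same "ts" field read from the pcap file. */
struct cap_hdr {
    struct timeval ts;      /* time the packet was captured, not analysed */
    uint32_t caplen;
    uint32_t len;
};

/* Running "packet clock": the newest capture timestamp seen so far.  A
 * detector whose event is built from state over many packets (a portscan
 * threshold, say) stamps the event with this, not with the wall clock. */
static struct timeval packet_clock;

void packet_clock_update(const struct cap_hdr *ph)
{
    /* An out-of-order packet must not move the clock backwards. */
    if (ph->ts.tv_sec > packet_clock.tv_sec ||
        (ph->ts.tv_sec == packet_clock.tv_sec &&
         ph->ts.tv_usec > packet_clock.tv_usec))
        packet_clock = ph->ts;
}

/* The behaviour the post describes: the event gets the time the analysis
 * ran, which is meaningless when replaying an old capture. */
time_t event_time_wallclock(void)
{
    return time(NULL);
}

/* Offline-safe variant: the event gets the time the traffic was captured. */
time_t event_time_from_capture(void)
{
    return packet_clock.tv_sec;
}

/* Diagnostic for reviewing output from a file replay: an event stamped with
 * the wall clock sits far from the packet clock, so flag any gap larger than
 * tolerance_sec.  Returns 1 when the event timestamp looks stale. */
int event_time_is_stale(time_t event_ts, long tolerance_sec)
{
    long diff = (long)(event_ts - packet_clock.tv_sec);
    if (diff < 0)
        diff = -diff;
    return diff > tolerance_sec;
}
```

Feeding every packet header through `packet_clock_update()` before the detector runs is what makes `event_time_from_capture()` correct for both live and offline input.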



