Snort mailing list archives
RE: Anyone else seen this?
From: Kevin Brown <Kevin.M.Brown () asu edu>
Date: Tue, 19 Jun 2001 12:30:26 -0700
Well, I spent some time looking into this little problem with my SQL database and found something interesting about the alerts that don't have a good timestamp. After modifying the ACID frontend to let me select the year 2041 and run the graph for that year, I looked at the alerts, and every single one was put into the database by the spp_portscan plugin. So it may be that the portscan plugin is not outputting the correct time, or that between it and the db output plugin the timestamp is getting mucked up.

-----Original Message-----
From: Kevin Brown [mailto:Kevin.M.Brown () asu edu]
Sent: Thursday, June 14, 2001 15:43
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] Anyone else seen this?

I currently have just one sensor on the network (that I control) logging to a Postgresql (7.1) database. I have been noticing that the dates being put in the database do not always correspond with the actual time and was wondering if anyone else is having this problem.

Running:
-*> Snort! <*- Version 1.8-beta5 (Build 24) on Solaris 8 (Netra T1 AC200, 500MHz Sparc)
Remote Database, Postgresql 7.1 running on RH6.2 kernel 2.2.16
Schema 102
Acid .9.6b10

Attached is a sampling of the output from the following SQL queries:

snort=# select sid,cid,timestamp from event ORDER BY timestamp DESC;
snort=# select sid,cid,timestamp from event ORDER BY cid DESC;

Any help would be much appreciated.
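A sanity-check query for the timestamp problem described in the message above, added here as an example and not part of the thread: it lists event rows whose timestamp falls outside a plausible window and breaks them down by sensor and month, so the offending source can be isolated without hand-editing the ACID graph. The first query uses only the event columns (sid, cid, timestamp) shown in the post; the second assumes a signature table (sig_id, sig_name) joined through event.signature, as in later Snort schemas, and must be checked against your schema version.

```sql
-- Added example (not from the thread). PostgreSQL syntax; assumes the
-- Snort DB event table (sid, cid, timestamp) queried in the post.
-- Rows stamped more than a day in the future, or before the sensor went
-- live, were almost certainly written by a misbehaving output path.
SELECT e.sid,
       date_trunc('month', e.timestamp) AS month,
       COUNT(*)                         AS bad_rows,
       MIN(e.cid)                       AS first_cid,
       MAX(e.cid)                       AS last_cid
FROM   event e
WHERE  e.timestamp > now() + interval '1 day'
   OR  e.timestamp < '2000-01-01'   -- adjust to the sensor's go-live date
GROUP  BY e.sid, date_trunc('month', e.timestamp)
ORDER  BY bad_rows DESC;

-- Same check, attributed to the signature that produced the rows.
-- ASSUMPTION: a signature table (sig_id, sig_name) joined through
-- event.signature, as in later Snort schemas; schema 102 may differ.
SELECT s.sig_name,
       COUNT(*)         AS bad_rows,
       MIN(e.timestamp) AS earliest,
       MAX(e.timestamp) AS latest
FROM   event e
JOIN   signature s ON s.sig_id = e.signature
WHERE  e.timestamp > now() + interval '1 day'
   OR  e.timestamp < '2000-01-01'
GROUP  BY s.sig_name
ORDER  BY bad_rows DESC;
```

If every flagged row comes from one signature or one contiguous cid range, the fault is in that plugin's output path rather than in the database itself.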