Snort mailing list archives

RE: New Conundrum


From: Kevin Brown <Kevin.M.Brown () asu edu>
Date: Thu, 10 May 2001 13:15:30 -0700

OK, did some more digging and I'm still under the impression that
something's not right.  I finally figured out that for each sensor it
creates a new cid entry in the event table that is unique only against the
sid (e.g. if you have 4 sensors logging you could have four rows with a cid
of 1000 with a unique sid attached to each).  So with that in hand I did a
select statement to find the cids for just the sun box and came up with:

 sid |  cid   | signature |       timestamp        
-----+--------+-----------+------------------------
   3 |     30 | 424       | 2001-05-09 05:07:40-07
   3 |     31 | 424       | 2001-05-09 05:07:40-07
   3 |     32 | 668       | 2001-05-14 02:10:41-07      <----
   3 |     33 | 424       | 2001-05-09 05:07:41-07
   3 |     34 | 5538      | 2001-05-09 05:07:41-07
   3 |     35 | 1250      | 2001-05-14 02:10:42-07      <----
   3 |     36 | 424       | 2001-05-09 05:07:42-07
   3 |     37 | 424       | 2001-05-09 05:07:42-07
   3 |     38 | 424       | 2001-05-09 05:07:42-07
   3 |     39 | 424       | 2001-05-09 05:07:42-07
   3 |     40 | 424       | 2001-05-09 05:07:42-07
   3 |     41 | 5541      | 2001-01-28 22:19:42-07      <----
   3 |     42 | 1053      | 2001-05-14 02:10:43-07      <----

Notice that the timestamp field jumps around in date even though the cids of
the events are sequential.  I don't know where this problem is introduced,
but it doesn't seem to have happened to the Linux (RH6.2 kernel 2.2.19) box
that was in the wild.


-----Original Message-----
From: Kevin Brown [mailto:Kevin.M.Brown () asu edu]
Sent: Wednesday, May 09, 2001 16:03
To: snort-users () lists sourceforge net
Subject: [Snort-users] New Conundrum

Got a new little thing I found.  I just finished putting that Netra T1 into
place to begin testing.  I have it logging to the same database as the PII
450 that was out there.  I went looking through the database to verify that
it is indeed logging and found that the timestamp for the events being
logged by the Sun box are 5 days behind today (5/4/2001).  I discovered this
by just doing a "select timestamp from event where cid = <count of rows>;".

The box has the following on it.
Solaris 8
psql 7.0.3 (for the shared libs to send data to a remote sql box)
snort 1.8b4 (build 14)

running date returns the following: Wed May  9 15:58:05 MST 2001
which is only off by a minute or less from current local time.

The linux box that had been there (PII 450) last logged a packet at 10:44AM,
Wed May 9 which is the time that I shut it down to put the Sun in its place.
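An added check, not part of the thread, for the two observations above: cid is unique only together with sid, and a sensor's timestamps can jump away from the rest of its sequence. The rows are a constructed in-memory sqlite3 copy of the psql output quoted in the reply (plus one row for a hypothetical second sensor), standing in for the Snort PostgreSQL event table; the query per sid mirrors the select Kevin ran, and the scan compares each row with the last plausible timestamp rather than its immediate predecessor so a single bad row does not also flag its neighbour.

```python
import re
import sqlite3
from datetime import datetime, timedelta

# Constructed sample: (sid, cid, signature, timestamp) copied from the psql output
# in the reply, plus one row for a hypothetical sensor 1 that reuses cid 30.
SAMPLE_EVENTS = [
    (3, 30, 424, "2001-05-09 05:07:40-07"),
    (3, 31, 424, "2001-05-09 05:07:40-07"),
    (3, 32, 668, "2001-05-14 02:10:41-07"),
    (3, 33, 424, "2001-05-09 05:07:41-07"),
    (3, 34, 5538, "2001-05-09 05:07:41-07"),
    (3, 35, 1250, "2001-05-14 02:10:42-07"),
    (3, 36, 424, "2001-05-09 05:07:42-07"),
    (3, 37, 424, "2001-05-09 05:07:42-07"),
    (3, 38, 424, "2001-05-09 05:07:42-07"),
    (3, 39, 424, "2001-05-09 05:07:42-07"),
    (3, 40, 424, "2001-05-09 05:07:42-07"),
    (3, 41, 5541, "2001-01-28 22:19:42-07"),
    (3, 42, 1053, "2001-05-14 02:10:43-07"),
    (1, 30, 424, "2001-05-09 10:44:00-07"),  # hypothetical second sensor
]


def load_events(rows):
    """Build an in-memory stand-in for the event table; (sid, cid) is the key."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER,"
                " timestamp TEXT, PRIMARY KEY (sid, cid))")
    con.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", rows)
    return con


def parse_ts(text):
    """psql prints the zone as '-07'; strptime's %z needs minutes, so append ':00'."""
    return datetime.strptime(re.sub(r"([+-]\d\d)$", r"\1:00", text),
                             "%Y-%m-%d %H:%M:%S%z")


def out_of_order_cids(con, sid, tolerance=timedelta(hours=1)):
    """Return the cids of one sensor whose timestamp lies more than `tolerance`
    from the last plausible row, walking the rows in cid order."""
    cur = con.execute("SELECT cid, timestamp FROM event WHERE sid = ? ORDER BY cid", (sid,))
    flagged, last_good = [], None
    for cid, ts_text in cur:
        ts = parse_ts(ts_text)
        if last_good is not None and abs(ts - last_good) > tolerance:
            flagged.append(cid)      # jumped away from the sequence; keep last_good
        else:
            last_good = ts           # plausible row becomes the new reference
    return flagged
```

Run against the sample, sensor 3 yields the four arrowed rows (32, 35, 41, 42) and cid 30 appears twice, once per sid.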
