Snort mailing list archives
FW: Snort 2.6 RC2, chroot, and localtime
From: "Miner, Jonathan W (CSC) (US SSA)" <jonathan.w.miner () baesystems com>
Date: Thu, 11 May 2006 10:02:01 -0400
Forwarding James' responses to the list

-----Original Message-----
From: James Lay [mailto:jlay () slave-tothe-box net]
Sent: Thu 05/11/2006 08:39 AM
To: Miner, Jonathan W (CSC) (US SSA)
Cc:
Subject: Re: [Snort-users] Snort 2.6 RC2, chroot, and localtime

On Thu, 11 May 2006 07:33:12 -0400 "Miner, Jonathan W \(CSC\) \(US SSA\)" <jonathan.w.miner () baesystems com> wrote:

From: snort-users-admin () lists sourceforge net on behalf of James Lay
Sent: Wed 05/10/2006 09:55 PM
To: Snort
Subject: [Snort-users] Snort 2.6 RC2, chroot, and localtime

Searched through the archives, but didn't find anything to help me out with this issue. Snort logs exactly 8 hours behind my timezone. I've copied my /etc/localtime to the chroot environment, but still no go. Anyone have any idea how to fix this? Thanks!

James - I don't have an answer, it would help if you could answer the following, and post the answers back to the mailing list. I've never seen such behavior with Snort, but I haven't installed it under a chroot environment either.

What timezone is your machine in? (Would you happen to be 8 hours away from GMT, and Snort is logging times in GMT?)
My machine is in GMT-7, but with daylight savings I believe it's 8 hours away.
Where are you logging your alerts, and how are you viewing the alerts? (Perhaps the viewer is displaying the 'wrong' timezone?)

I'm logging my alerts in syslog and in mysql. Both show the different timezone. Example:

May 11 06:04:53 homebox postfix/qmgr[1010]: 3F43D124846: from=<jonathan.w.miner () baesystems com>, size=3090, nrcpt=1 (queue active)
May 11 06:04:53 homebox postfix/local[19307]: 3F43D124846: to=<jlay () slave-tothe-box net>, relay=local, delay=0, status=sent (delivered to mailbox)
May 11 06:04:53 homebox postfix/qmgr[1010]: 3F43D124846: removed
May 11 12:07:11 homebox snort[17100]: [1:2000537:3] BLEEDING-EDGE SCAN NMAP -sS [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 84.55.72.13:4103 -> 71.39.117.84:6881
May 11 12:07:11 homebox snort[17100]: [1:2000545:3] BLEEDING-EDGE SCAN NMAP -f -sS [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 84.55.72.13:4103 -> 71.39.117.84:6881
May 11 06:09:50 homebox postfix/smtpd[19288]: timeout after END-OF-MESSAGE from smtp4.na.baesystems.com[63.164.202.13]
May 11 06:09:50 homebox postfix/smtpd[19288]: disconnect from smtp4.na.baesystems.com[63.164.202.13]
Which operating system? (I'm assuming some UNIX flavor...)
Yes...this is slackware linux =) Hope that helps..and thank you.

James

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
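As an added diagnostic for the situation in this thread (it is not part of the thread or of Snort, and the chroot path is an assumption): a POSIX shell function that checks whether a chroot directory carries usable timezone data. The usual trap is that /etc/localtime on the host is a symlink into /usr/share/zoneinfo, so copying it without dereferencing leaves a dangling link inside the chroot, and libc then silently falls back to UTC, which on a GMT-7 machine under daylight saving shows up as exactly the 8-hour gap reported above. The second helper uses the ":path" form of TZ that glibc and tzcode accept, so the offset derived from the chroot's zone file can be compared with the host's own `date +%z`.

```shell
#!/bin/sh
# Added example: diagnose timezone data inside a chroot directory.
# Not part of the Snort project; the chroot path is an assumption.
#
# libc resolves local time in this order: the TZ environment variable,
# then /etc/localtime, and if neither yields a usable zone it uses UTC.
# Inside a chroot both must be satisfied relative to the new root, so
# a symlink copied verbatim from the host usually dangles there.

# check_chroot_tz ROOT
#   Prints a one-line verdict and returns 0 when ROOT/etc/localtime is a
#   real TZif file reachable from inside the chroot, 1 otherwise.
check_chroot_tz() {
    root="${1%/}"
    lt="$root/etc/localtime"

    # Neither a file nor a (possibly dangling) symlink: nothing was copied.
    if [ ! -e "$lt" ] && [ ! -L "$lt" ]; then
        echo "MISSING  $lt (libc falls back to UTC)"
        return 1
    fi

    # A symlink is only useful if its target exists *under the chroot*;
    # a link that resolves on the host proves nothing for the jailed daemon.
    if [ -L "$lt" ]; then
        target=$(readlink "$lt")
        case "$target" in
            /*) inside="$root$target" ;;          # absolute link: re-root it
            *)  inside="$root/etc/$target" ;;     # relative link: relative to /etc
        esac
        if [ ! -f "$inside" ]; then
            echo "DANGLING $lt -> $target (target absent under $root)"
            return 1
        fi
        lt="$inside"
    fi

    # Compiled zone files start with the four-byte magic "TZif".
    magic=$(head -c 4 "$lt" 2>/dev/null)
    if [ "$magic" != "TZif" ]; then
        echo "INVALID  $lt (not a TZif zone file)"
        return 1
    fi

    echo "OK       $lt"
    return 0
}

# tz_offset_from ROOT
#   Prints the UTC offset libc derives from ROOT/etc/localtime, using the
#   ":path" form of TZ, for comparison with a plain `date +%z` on the host.
tz_offset_from() {
    TZ=":${1%/}/etc/localtime" date +%z
}

# Usage (the path is a placeholder for the real Snort chroot):
#   sh check_chroot_tz.sh /var/snort
if [ -n "${1:-}" ]; then
    check_chroot_tz "$1" && tz_offset_from "$1"
fi
```

If the check reports DANGLING, copying the zone file itself (for example with `cp -L`, which dereferences the link) into the chroot's /etc is the fix; if it reports OK but `tz_offset_from` still differs from the host's `date +%z`, the daemon is being started with a TZ variable that names a zone the chroot cannot see under its own /usr/share/zoneinfo.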
Current thread:
- Snort 2.6 RC2, chroot, and localtime James Lay (May 10)
- FW: Snort 2.6 RC2, chroot, and localtime Miner, Jonathan W (CSC) (US SSA) (May 11)
- RE: Snort 2.6 RC2, chroot, and localtime Paul Melson (May 11)
- RE: Snort 2.6 RC2, chroot, and localtime Paul Melson (May 16)
- Re: Snort 2.6 RC2, chroot, and localtime James Lay (May 12)
- Re: Snort 2.6 RC2, chroot, and localtime James Lay (May 16)
- RE: Snort 2.6 RC2, chroot, and localtime Paul Melson (May 16)
- Re: Snort 2.6 RC2, chroot, and localtime James Lay (May 12)
- Re: Snort 2.6 RC2, chroot, and localtime James Lay (May 16)