Snort mailing list archives

FW: Snort 2.6 RC2, chroot, and localtime


From: "Miner, Jonathan W (CSC) (US SSA)" <jonathan.w.miner () baesystems com>
Date: Thu, 11 May 2006 10:02:01 -0400

Forwarding James' responses to the list


-----Original Message-----
From:   James Lay [mailto:jlay () slave-tothe-box net]
Sent:   Thu 05/11/2006 08:39 AM
To:     Miner, Jonathan W (CSC) (US SSA)
Cc:     
Subject:        Re: [Snort-users] Snort 2.6 RC2, chroot, and localtime
On Thu, 11 May 2006 07:33:12 -0400
"Miner, Jonathan W (CSC) (US SSA)"
<jonathan.w.miner () baesystems com> wrote:


From:       snort-users-admin () lists sourceforge net on behalf of James Lay
Sent:       Wed 05/10/2006 09:55 PM
To:         Snort
Subject:    [Snort-users] Snort 2.6 RC2, chroot, and localtime


Searched through the archives, but didn't find anything to help me
out with this issue.  Snort logs exactly 8 hours behind my
timezone.  I've copied my /etc/localtime to the chroot environment,
but still no go. Anyone have any idea how to fix this?  Thanks!

James -

I don't have an answer; it would help if you could answer the
following and post the answers back to the mailing list.  I've never
seen such behavior with Snort, but I have installed it under a chroot
environment either.

What timezone is your machine in? (Would you happen to be 8 hours
away from GMT, and Snort is logging times in GMT?)

My machine is in GMT-7, but with daylight savings I believe it's 8
hours away.

Where are you logging your alerts, and how are you viewing the
alerts? (Perhaps the viewer is displaying the 'wrong' timezone?)

I'm logging my alerts in syslog and in mysql.  Both show the different
timezone.  Example:

May 11 06:04:53 homebox postfix/qmgr[1010]: 3F43D124846: from=<jonathan.w.miner () baesystems com>, size=3090, nrcpt=1 (queue active)

May 11 06:04:53 homebox postfix/local[19307]: 3F43D124846: to=<jlay () slave-tothe-box net>, relay=local, delay=0, status=sent (delivered to mailbox)

May 11 06:04:53 homebox postfix/qmgr[1010]: 3F43D124846: removed

May 11 12:07:11 homebox snort[17100]: [1:2000537:3] BLEEDING-EDGE SCAN NMAP -sS [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 84.55.72.13:4103 -> 71.39.117.84:6881

May 11 12:07:11 homebox snort[17100]: [1:2000545:3] BLEEDING-EDGE SCAN NMAP -f -sS [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 84.55.72.13:4103 -> 71.39.117.84:6881

May 11 06:09:50 homebox postfix/smtpd[19288]: timeout after END-OF-MESSAGE from smtp4.na.baesystems.com[63.164.202.13]

May 11 06:09:50 homebox postfix/smtpd[19288]: disconnect from smtp4.na.baesystems.com[63.164.202.13]

Which operating system? (I'm assuming some UNIX flavor...)

Yes...this is slackware linux =)  Hope that helps..and thank you.

James
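Added example, not part of the thread or of Snort itself: a small Python diagnostic for the situation James describes. A daemon that has been chroot(2)ed can only read timezone data that exists under the new root, and if it cannot open its /etc/localtime (missing, or a symlink into a zoneinfo tree that was never copied in) libc silently falls back to UTC, which shows up as alerts several hours off from syslog's. The first function classifies a chroot's /etc/localtime against the host's copy; the second shows the UTC fallback by pointing TZ at an unreadable file (glibc/musl behaviour on Linux, assumed here); the fixture builds constructed chroot skeletons in a temp directory, so nothing touches the real /etc.

```python
import os
import tempfile
import time
from pathlib import Path

def localtime_status(chroot, host_localtime="/etc/localtime"):
    """Classify <chroot>/etc/localtime against the host's copy."""
    root, lt = Path(chroot), Path(chroot) / "etc" / "localtime"
    if lt.is_symlink():
        target = os.readlink(lt)
        # after chroot(2) an absolute link target resolves under the new root
        resolved = root / target.lstrip("/") if target.startswith("/") else lt.parent / target
        if not resolved.is_file():
            return "dangling-symlink"
        data = resolved.read_bytes()
    elif lt.is_file():
        data = lt.read_bytes()
    else:
        return "missing"
    host = Path(host_localtime)
    return "differs-from-host" if host.is_file() and host.read_bytes() != data else "ok"

def utc_offset_hours_for(tz_value):
    """Hours east of UTC that libc reports at epoch 0 under TZ=tz_value; an
    unreadable TZ file degrades to 0, i.e. the daemon logs in UTC."""
    saved = os.environ.get("TZ")
    os.environ["TZ"] = tz_value
    time.tzset()
    try:
        return time.localtime(0).tm_gmtoff // 3600
    finally:
        if saved is None:
            os.environ.pop("TZ", None)
        else:
            os.environ["TZ"] = saved
        time.tzset()

def build_sample_chroot(kind):
    """Constructed fixture -> (chroot, host_localtime); kind selects what the
    chroot's /etc/localtime is: 'missing', a 'dangling' symlink, or a 'copy'."""
    base = Path(tempfile.mkdtemp(prefix="snort-tz-"))
    host = base / "host-localtime"
    host.write_bytes(b"TZif2-constructed-host")  # stand-in for /etc/localtime
    lt = base / "chroot" / "etc" / "localtime"
    lt.parent.mkdir(parents=True)
    if kind == "dangling":
        lt.symlink_to("/usr/share/zoneinfo/NoSuchZone")  # no zoneinfo inside chroot
    elif kind == "copy":
        lt.write_bytes(host.read_bytes())
    return str(base / "chroot"), str(host)
```

Run `localtime_status("/path/to/snort-chroot")` on a real sensor to get one of the four verdicts; a daemon that was started before the file was copied in must also be restarted, since libc caches the zone at first use.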






