
List:       snort-devel
Subject:    Re: [Snort-devel] possible timestamp bug
From:       Martin Roesch <roesch () sourcefire ! com>
Date:       2004-09-17 3:19:54
Message-ID: 7219F67B-0858-11D9-974F-000A95B3BC96 () sourcefire ! com

Hi Paul,

We're not actively maintaining Snort on OpenBSD/Sparc64 at this time, 
if anyone wants to support a port (or just do the port and submit it) 
we'd be glad to take it.

       -Marty


On Sep 16, 2004, at 3:50 PM, Paul Riggs wrote:

>
>         Snort 2.2.0 on OpenBSD 3.5 on Sparc64 gives me bad timestamps. The
> timestamps in the alert file and portscan file are sort of random looking.
> I've run a cron job to add correct timestamps to the log file.  Here's a
> short sample of just the timestamps, with MY timestamps first and last:
>
> ## Mon Sep 13 16:50:01 EDT 2004
> 09/13-11:04:12.000401  [**] [1:0:0] <snip>
> 09/13-11:05:01.000399  [**] [1:0:0] <snip>
> 09/13-04:13:19.000399  [**] [1:0:0] <snip>
> 09/13-17:07:54.000401  [**] [1:0:0] <snip>
> ## Mon Sep 13 16:55:01 EDT 2004
>
>         E.g. sometime between 16:50 and 16:55 Snort reported four
> connections to our network.
>         Timestamps when run with "-b" seem fine.  Timestamps in the packet
> log files are the same as in the alert file.
>         On OBSD 3.5 i386 it works fine - only sparc64 is incorrect.
>
>         The month and day are usually good except during portscan
> detections, which always show 01/01:
>
> ## Tue Sep 14 09:05:01 EDT 2004
> 01/01-13:07:22.786306
> 01/01-13:07:26.837107
> 01/01-13:07:36.060679
> 01/01-13:07:42.478768
>
>         Timestamps do look sequential when the alerts are very close
> together in time. (But they're still not correct.)
>
>         Here's how I'm running snort, mostly:
>
> snort -D -c /etc/snort/snort.conf -U -A fast -h 192.168.1.0/24 -N -u snort -g snort
>
>         I started checking the developer archives but the only close
> reference I've found is from August 10th, 2004.  The patch listed didn't
> seem to fix the problem on my system:
>
> http://sourceforge.net/mailarchive/message.php?msg_id=9239605
>
>         This has occurred as far back as OpenBSD 3.3 with older versions
> of Snort, too.  I've done some googling but haven't found anything other
> than the above URL, so far.
>
>
> Grovelling and apologizing:
>
>         I don't know whether you support this (obsd and/or sparc64) and I
> don't really even know that the problem is with snort.  I poked around
> with util.c but I don't know C and the structures and pointers are beyond
> me.  If anyone is interested in the problem I'll be happy to provide more
> information or test things.  I didn't see any guidelines for bug reports -
> sorry if I've missed anything critical.
>
>
> --
>
>                                 Paul Riggs
>                                 pnr35@pop.psu.edu
>
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
> Project Admins to receive an Apple iPod Mini FREE for your judgement on
> who ports your project to Linux PPC the best. Sponsored by IBM.
> Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
> _______________________________________________
> Snort-devel mailing list
> Snort-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
>
>
-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover.  Determine.  Defend.
roesch@sourcefire.com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
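
One way to automate the check from the quoted report, comparing alert timestamps against trusted cron markers (an added example, not part of the original thread and not Snort code). It assumes the log layout shown in the report, that alert times are UTC because Snort is run with -U, and a small constructed zone table; the function names and the sample lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta
# Constructed sample in the layout from the report: cron-written
# "## <date output>" markers around Snort "-A fast" alert lines.
SAMPLE = """\
## Mon Sep 13 16:50:01 EDT 2004
09/13-11:04:12.000401  [**] [1:0:0] <snip>
09/13-20:52:10.000399  [**] [1:0:0] <snip>
01/01-13:07:22.786306  [**] [1:0:0] <snip>
## Mon Sep 13 16:55:01 EDT 2004
"""

TZ_OFFSETS = {"EDT": -4, "EST": -5, "UTC": 0}  # assumption: zones seen in markers
MARKER = re.compile(r"^## \w{3} (\w{3}) +(\d+) (\d\d:\d\d:\d\d) (\w+) (\d{4})$")
ALERT = re.compile(r"^(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.(\d{6})\s")

def marker_utc(line):
    """Parse a marker line and return its time as naive UTC, else None."""
    m = MARKER.match(line.strip())
    if not m or m.group(4) not in TZ_OFFSETS:
        return None
    mon, day, hms, tz, year = m.groups()
    local = datetime.strptime(f"{mon} {day} {hms} {year}", "%b %d %H:%M:%S %Y")
    return local - timedelta(hours=TZ_OFFSETS[tz])

def alert_utc(line, year):
    """Parse a fast-alert timestamp (the log has no year); None if invalid."""
    mo, d, h, mi, s, us = map(int, ALERT.match(line).groups())
    try:
        return datetime(year, mo, d, h, mi, s, us)
    except ValueError:
        return None

def out_of_window(text, slack=timedelta(seconds=5)):
    """Return alert lines whose time falls outside the enclosing markers."""
    flagged, pending, lo = [], [], None
    for line in text.splitlines():
        hi = marker_utc(line)
        if hi is None:
            if ALERT.match(line):
                pending.append(line)
            continue
        for raw in pending:  # alerts logged since the previous marker
            ts = alert_utc(raw, hi.year)
            if ts is None or ts > hi + slack or (lo and ts < lo - slack):
                flagged.append(raw)
        pending, lo = [], hi
    return flagged
```

Alerts after the last marker are left unchecked until the next marker is written, and the year is taken from the closing marker, so a window spanning New Year needs separate handling.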


