

FW: [Snort-users] Snort 2.6 RC2, chroot, and localtime

Subject: FW: [Snort-users] Snort 2.6 RC2, chroot, and localtime
Date: Thu, 11 May 2006 10:02:01 -0400
Forwarding James' responses to the list


-----Original Message-----
From:   James Lay [mailto:jlay@slave-tothe-box.net]
Sent:   Thu 05/11/2006 08:39 AM
To:     Miner, Jonathan W (CSC) (US SSA)
Cc:     
Subject:        Re: [Snort-users] Snort 2.6 RC2, chroot, and localtime
On Thu, 11 May 2006 07:33:12 -0400
"Miner, Jonathan W (CSC) (US SSA)"
<jonathan.w.miner@baesystems.com> wrote:


From:       snort-users-admin@lists.sourceforge.net on behalf of James Lay
Sent:       Wed 05/10/2006 09:55 PM
To:         Snort
Subject:    [Snort-users] Snort 2.6 RC2, chroot, and localtime


Searched through the archives, but didn't find anything to help me
out with this issue.  Snort logs exactly 8 hours behind my
timezone.  I've copied my /etc/localtime to the chroot environment,
but still no go. Anyone have any idea how to fix this?  Thanks!

James -

I don't have an answer; it would help if you could answer the
following, and post the answers back to the mailing list.  I've never
seen such behavior with Snort, but I haven't installed it under a chroot
environment either.

What timezone is your machine in? (Would you happen to be 8 hours
away from GMT, and Snort is logging times in GMT?)

My machine is in GMT-7, but with daylight savings I believe it's 8
hours away.

Where are you logging your alerts, and how are you viewing the
alerts? (Perhaps the viewer is displaying the 'wrong' timezone?)

I'm logging my alerts in syslog and in mysql.  Both show the different
timezone.  Example:

May 11 06:04:53 homebox postfix/qmgr[1010]: 3F43D124846: from=<jonathan.w.miner@baesystems.com>, size=3090, nrcpt=1 (queue active)

May 11 06:04:53 homebox postfix/local[19307]: 3F43D124846: to=<jlay@slave-tothe-box.net>, relay=local, delay=0, status=sent (delivered to mailbox)

May 11 06:04:53 homebox postfix/qmgr[1010]: 3F43D124846: removed

May 11 12:07:11 homebox snort[17100]: [1:2000537:3] BLEEDING-EDGE SCAN NMAP -sS [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 84.55.72.13:4103 -> 71.39.117.84:6881

May 11 12:07:11 homebox snort[17100]: [1:2000545:3] BLEEDING-EDGE SCAN NMAP -f -sS [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 84.55.72.13:4103 -> 71.39.117.84:6881

May 11 06:09:50 homebox postfix/smtpd[19288]: timeout after END-OF-MESSAGE from smtp4.na.baesystems.com[63.164.202.13]

May 11 06:09:50 homebox postfix/smtpd[19288]: disconnect from smtp4.na.baesystems.com[63.164.202.13]

Which operating system? (I'm assuming some UNIX flavor...)

Yes...this is Slackware Linux =)  Hope that helps..and thank you.

James





Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list
