
Snort Forums Archive


Snort timestamps off


Posted by PaulM on March 25, 2005 05:27:52

Has anybody experienced a problem similar to this?

Snort 2.3.2 (compiled with flexresp/libnet-1.0.2a and mysql) on RHEL4. Every now and then (consistently, but seemingly randomly) Snort's alert timestamps jump into the future by 6 hours. I have verified that time zone, OS time, and hardware time are all correct, no sync'ed via NTP. The time stamps are off by the same amount no matter which logging facility is used. Restarting Snort does not fix the problem, but rebooting the server does.

Thanks,
PaulM

Posted by PaulM on March 25, 2005 06:21:57

Also, I am not running snort with '-U' (UTC would be 6 hours in the future, so it may be related, but Snort is not configured to use UTC).

Posted by tha3dman on March 23, 2006 09:40:43

Man, that's interesting. I'm using the -U option, and my timestamps are 6 hours in the future. If I don't put the -U option on, I will get a bunch of mysql errors like: database: mysql_error: Incorrect datetime value:

If I log in to mysql and do select now(); it returns the correct time.

anyone have any ideas?

Posted by Joel_Esler on March 26, 2006 09:41:58

If you are using -U your timezones will be UTC.

Are you using barnyard at all? Just out of curiosity.

Posted by roberth on September 18, 2006 01:16:05

Hello, I have the same problems as described: my alerts get logged 2 hours in the past (GMT is -2 from real time, which makes me suppose Snort is using GMT instead of real time); the -U option makes no change.
As Joel pointed out, I do use barnyard.

regards,

Robert

Posted by roberth on September 18, 2006 01:19:40

Well, just after posting the previous message, I looked at the barnyard conf file and one of the first lines solves my problem: "config localtime"
Hooray!!!
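As an added example (not from this thread or from the Snort project), here is a small Python check that flags alert timestamps offset from the known write time by exactly the host's UTC offset, which is the symptom the posts above describe (alerts in UTC because of -U, or barnyard without "config localtime"). The alert lines, reference times and the local UTC offset are constructed assumptions.

```python
import re
from datetime import datetime

# Snort "fast" alert format timestamp: MM/DD-HH:MM:SS.usec (no year, no zone).
TS_RE = re.compile(r'^(\d{2})/(\d{2})-(\d{2}):(\d{2}):(\d{2})\.(\d{6})')

def parse_snort_ts(line, year):
    """Return a naive datetime parsed from a Snort fast-alert line, or None."""
    m = TS_RE.match(line)
    if not m:
        return None
    mon, day, hh, mm, ss, us = (int(x) for x in m.groups())
    return datetime(year, mon, day, hh, mm, ss, us)

def classify(alert_ts, reference_ts, local_utc_offset_hours, tolerance_minutes=5):
    """Compare an alert timestamp with the wall-clock time the alert is known to
    have been written. Returns 'ok' (within tolerance), 'utc' (the alert clock
    is UTC while local time was expected, i.e. the -U / missing 'config
    localtime' symptom) or 'other' (some unrelated skew)."""
    delta_min = (alert_ts - reference_ts).total_seconds() / 60
    if abs(delta_min) <= tolerance_minutes:
        return 'ok'
    # Local = UTC + offset, so UTC-stamped alerts read as local minus offset.
    if abs(delta_min + local_utc_offset_hours * 60) <= tolerance_minutes:
        return 'utc'
    return 'other'

def audit(lines, written_at, local_utc_offset_hours):
    """Classify every parsable alert line against one known write time."""
    results = []
    for line in lines:
        ts = parse_snort_ts(line, written_at.year)
        if ts is None:
            continue  # not a fast-alert line (e.g. a continuation line)
        results.append((line.split()[0], classify(ts, written_at, local_utc_offset_hours)))
    return results

# Constructed sample: alerts written at 2005-03-25 05:27:52 local time on a
# host assumed to be UTC-6; the first line is stamped in UTC (6 hours ahead).
SAMPLE_ALERTS = [
    "03/25-11:27:52.000123  [**] [1:1000001:1] constructed alert [**] {TCP} 10.0.0.5:4321 -> 10.0.0.9:80",
    "03/25-05:28:10.000456  [**] [1:1000002:1] constructed alert two [**] {TCP} 10.0.0.5:4322 -> 10.0.0.9:80",
    "    ** not a timestamped line **",
]

if __name__ == "__main__":
    for ts, verdict in audit(SAMPLE_ALERTS, datetime(2005, 3, 25, 5, 27, 52), -6):
        print(ts, verdict)
```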