
FW: [Snort-users] Snort 2.6 RC2, chroot, and localtime


Miner, Jonathan W (CSC) (US SSA)
May 11, 2006, 10:03:15 AM
Forwarding James' responses to the list


-----Original Message-----
From: James Lay [mailto:jl...@slave-tothe-box.net]
Sent: Thu 05/11/2006 08:39 AM
To: Miner, Jonathan W (CSC) (US SSA)
Cc:
Subject: Re: [Snort-users] Snort 2.6 RC2, chroot, and localtime
On Thu, 11 May 2006 07:33:12 -0400
"Miner, Jonathan W (CSC) (US SSA)"
<jonathan...@baesystems.com> wrote:

>
> > From: snort-us...@lists.sourceforge.net on behalf of James Lay
> > Sent: Wed 05/10/2006 09:55 PM
> > To: Snort
> > Subject: [Snort-users] Snort 2.6 RC2, chroot, and localtime
> >
> >
> > Searched through the archives, but didn't find anything to help me
> > out with this issue. Snort logs exactly 8 hours behind my
> > timezone. I've copied my /etc/localtime to the chroot environment,
> > but still no go. Anyone have any idea how to fix this? Thanks!
>
> James -
>
> I don't have an answer; it would help if you could answer the
> following, and post the answers back to the mailing list. I've never
> seen such behavior with Snort, but I haven't installed it under a chroot
> environment either.
>
> What timezone is your machine in? (Would you happen to be 8 hours
> away from GMT, and Snort is logging times in GMT?)
>
My machine is in GMT-7, but with daylight savings I believe it's 8
hours away.

> Where are you logging your alerts, and how are you viewing the
> alerts? (Perhaps the viewer is displaying the 'wrong' timezone?)
>
I'm logging my alerts in syslog and in mysql. Both show the different
timezone. Example:

May 11 06:04:53 homebox postfix/qmgr[1010]: 3F43D124846: from=<jonathan.w.miner@baesystems.com>, size=3090, nrcpt=1 (queue active)

May 11 06:04:53 homebox postfix/local[19307]: 3F43D124846: to=<jl...@slave-tothe-box.net>, relay=local, delay=0, status=sent (delivered to mailbox)

May 11 06:04:53 homebox postfix/qmgr[1010]: 3F43D124846: removed

May 11 12:07:11 homebox snort[17100]: [1:2000537:3] BLEEDING-EDGE SCAN NMAP -sS [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 84.55.72.13:4103 -> 71.39.117.84:6881

May 11 12:07:11 homebox snort[17100]: [1:2000545:3] BLEEDING-EDGE SCAN NMAP -f -sS [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 84.55.72.13:4103 -> 71.39.117.84:6881

May 11 06:09:50 homebox postfix/smtpd[19288]: timeout after END-OF-MESSAGE from smtp4.na.baesystems.com[63.164.202.13]

May 11 06:09:50 homebox postfix/smtpd[19288]: disconnect from smtp4.na.baesystems.com[63.164.202.13]

> Which operating system? (I'm assuming some UNIX flavor...)
>
Yes... this is Slackware Linux =) Hope that helps, and thank you.

James

_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
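An added illustration of the mechanism behind the skew James describes; this is not part of the thread and not Snort's own code. glibc's syslog() stamps each message with localtime(), and localtime() running inside a chroot can only consult $TZ or the /etc/localtime and /usr/share/zoneinfo files that are visible from within the jail; when none of those is reachable it silently falls back to UTC, so the snort lines carry UTC while postfix, outside the jail, carries local time. The program below reproduces both outcomes using POSIX TZ strings instead of zone files, so it runs anywhere: a Mountain-time zone with the 2006 US DST rules (assumed here purely for illustration) versus plain UTC, both for the instant of the snort line quoted above. The practical defender's check is that the chroot's /etc/localtime is a regular file readable by the user snort drops to (not a symlink pointing outside the jail), or that snort is started with TZ set to a POSIX string such as MST7MDT, which needs no files at all.

```c
/* Added example (not from the thread, not Snort's code): why a chrooted
 * daemon stamps syslog lines in UTC. localtime() resolves the zone from
 * $TZ or from zone files inside the chroot; with neither it yields UTC. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Days since 1970-01-01 for a proleptic Gregorian date (Hinnant's algorithm). */
static long days_from_civil(long y, long m, long d) {
    y -= m <= 2;
    long era = (y >= 0 ? y : y - 399) / 400;
    long yoe = y - era * 400;
    long doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    long doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

/* Read a broken-down time as if it were UTC and return epoch seconds.
 * Portable stand-in for timegm(), which is not in standard C. */
static long long tm_as_utc(const struct tm *tm) {
    long days = days_from_civil(tm->tm_year + 1900L, tm->tm_mon + 1L, tm->tm_mday);
    return (long long)days * 86400 + tm->tm_hour * 3600 + tm->tm_min * 60 + tm->tm_sec;
}

/* Epoch seconds for 2006-05-11 12:07:11 UTC, the instant of the snort line. */
time_t thread_instant(void) {
    struct tm tm;
    memset(&tm, 0, sizeof tm);
    tm.tm_year = 2006 - 1900; tm.tm_mon = 4; tm.tm_mday = 11;
    tm.tm_hour = 12; tm.tm_min = 7; tm.tm_sec = 11;
    return (time_t)tm_as_utc(&tm);
}

/* Offset in seconds east of UTC that localtime() applies to t when the
 * zone comes from the POSIX TZ string tz (no zone files consulted). */
long utc_offset_for_tz(const char *tz, time_t t) {
    setenv("TZ", tz, 1);
    tzset();
    struct tm lt = *localtime(&t);
    return (long)(tm_as_utc(&lt) - (long long)t);
}

/* Render t as a BSD-syslog timestamp ("May 11 12:07:11") under tz, which is
 * exactly the field that differs between the postfix and snort lines. */
void syslog_stamp_for_tz(const char *tz, time_t t, char *out, size_t n) {
    setenv("TZ", tz, 1);
    tzset();
    struct tm lt = *localtime(&t);
    strftime(out, n, "%b %e %H:%M:%S", &lt);
}

int main(void) {
    /* Zone assumed for illustration: Mountain time with the 2006 US DST rule. */
    const char *mountain = "MST7MDT,M4.1.0,M10.5.0";
    time_t t = thread_instant();
    char buf[32];

    /* Outside the chroot, with zone rules available. */
    syslog_stamp_for_tz(mountain, t, buf, sizeof buf);
    printf("zone data reachable : %s (offset %ld s)\n", buf, utc_offset_for_tz(mountain, t));

    /* Inside a chroot with no TZ, no /etc/localtime and no zoneinfo. */
    syslog_stamp_for_tz("UTC0", t, buf, sizeof buf);
    printf("zone data missing   : %s (offset %ld s)\n", buf, utc_offset_for_tz("UTC0", t));
    return 0;
}
```

POSIX TZ strings were chosen deliberately: they are parsed entirely inside the process, which is also why exporting TZ to the daemon's environment is the one fix that cannot be defeated by a chroot that hides the zone files.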
