From: Stuart Underhill (stuartunderhillhotmail.com)
Date: Thu Feb 07 2002 - 02:58:43 CST

    I am currently configuring several Win2k Pro based Snort sensors for
    placement at key locations in our network.

    Having followed the instructions from Silicon Defense, for Win32 Snort 1.8.3
    with MySQL/IIS/ACID, all appeared to be well and alerts are captured to the
    DB.

    However, when reviewing the alerts (via ACID or directly from the MySQL DB) I
    notice that the datestamps do not reflect the time that the alert was
    generated. It appears to increment the timestamp by some random amount. For
    example, starting a run of approx. 100 large ping attempts at a host, the
    first alert was logged at 14:00 5th Feb 2002, and the last alert had a
    timestamp of something like 06:00 6th Feb 2002, all for an event which
    lasted a couple of minutes.

    I have since left the scanner running overnight, to be presented with the last
    alert logged with a date in April 2002!

    I tried adding a second hard disk to the machine and moving the MySQL DB and
    Snort to the new drive away from W2k and the swapfile. But this has not
    helped.

    Has anybody experienced this behaviour before, or have any suggestions on how
    to rectify this?

    Thanks in advance

    Stuart Underhill

    _______________________________________________
    Snort-users mailing list
    Snort-userslists.sourceforge.net
    Go to this URL to change user options or unsubscribe:
    https://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://www.geocrawler.com/redir-sf.php3?list=snort-users