I just set up a Debian snort sensor logging to a postgresql database (on
the same host) and noticed that the alerts in the database have
timestamps seven hours earlier than their timestamps in the snort alert
file. The seven hours is interesting because that's my current offset
from GMT -- only in the opposite direction!
Here are two views of the same sets of alerts:
# grep ":51:" /var/log/snort/alert
08/07-06:51:07.353985 64.52.50.201:1511 -> xx.xx.xx.xx:80
08/07-06:51:07.454513 64.52.50.201:1511 -> xx.xx.xx.xx:80
08/07-17:51:46.835660 204.60.156.2:3401 -> xx.xx.xx.xx:80
08/07-17:51:50.357658 204.60.156.2:3413 -> xx.xx.xx.xx:80
08/07-17:51:53.848363 204.60.156.2:3429 -> xx.xx.xx.xx:80
08/07-17:51:54.383995 204.60.156.2:3433 -> xx.xx.xx.xx:80
08/07-17:51:54.988612 204.60.156.2:3436 -> xx.xx.xx.xx:80
08/07-17:51:56.545477 204.60.156.2:3439 -> xx.xx.xx.xx:80
08/07-17:51:57.016801 204.60.156.2:3441 -> xx.xx.xx.xx:80
08/07-17:51:57.529523 204.60.156.2:3443 -> xx.xx.xx.xx:80
$ psql snortdb -c "select * from event;" | grep ":51:"
1 | 36 | 11 | 2003-08-06 23:51:07-07
1 | 37 | 5 | 2003-08-06 23:51:07-07
1 | 53 | 16 | 2003-08-07 10:51:46-07
1 | 54 | 16 | 2003-08-07 10:51:50-07
1 | 55 | 16 | 2003-08-07 10:51:53-07
1 | 56 | 16 | 2003-08-07 10:51:54-07
1 | 57 | 16 | 2003-08-07 10:51:54-07
1 | 58 | 16 | 2003-08-07 10:51:56-07
1 | 59 | 16 | 2003-08-07 10:51:57-07
1 | 60 | 16 | 2003-08-07 10:51:57-07
Interestingly, postgresql knows what the real system time is:
$ date && psql snortdb -c "select now();"
Thu Aug 7 22:57:41 PDT 2003
now -------------------------------
2003-08-07 22:57:41.457929-07
(1 row)
The hardware clock is set to GMT and the OS is set to use the PST8PDT
time zone. I'm using the snort-pgsql 2.0.0 and postgresql 7.3.2
packages currently in the "testing" branch. Anyone ever seen anything
like this?
Thanks in advance,
Matthew
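A quick way to confirm a skew like the one described above is to pair the alert-file lines with the matching `event` rows and compute the difference per pair. This is an added example, not code from the post; it uses the lines quoted above as constructed input and assumes the alert year (2003) and the sensor's zone (PDT, UTC-7) from the post's `date` output.

```python
"""Compare Snort alert-file timestamps with the event rows Snort wrote to
PostgreSQL and report any constant offset between the two views.
Added example; sample lines are the ones quoted in the post."""
from datetime import datetime, timedelta, timezone

ALERT_YEAR = 2003                               # alert file carries no year
PDT = timezone(timedelta(hours=-7), "PDT")      # assumed sensor zone

# Snort alert-file lines (local time, no zone) as quoted in the post
ALERT_LINES = """\
08/07-06:51:07.353985 64.52.50.201:1511 -> xx.xx.xx.xx:80
08/07-17:51:46.835660 204.60.156.2:3401 -> xx.xx.xx.xx:80
""".splitlines()

# psql rows for the same events: sid | cid | signature | timestamp
DB_ROWS = """\
1 | 36 | 11 | 2003-08-06 23:51:07-07
1 | 53 | 16 | 2003-08-07 10:51:46-07
""".splitlines()


def parse_alert_ts(line, year=ALERT_YEAR, tz=PDT):
    """'08/07-06:51:07.353985 ...' -> aware datetime in the sensor's zone.
    Microseconds are dropped because the event rows hold whole seconds."""
    stamp = line.split()[0]
    naive = datetime.strptime(f"{year}/{stamp}", "%Y/%m/%d-%H:%M:%S.%f")
    return naive.replace(microsecond=0, tzinfo=tz)


def parse_db_ts(row):
    """'1 | 36 | 11 | 2003-08-06 23:51:07-07' -> aware datetime."""
    stamp = row.split("|")[-1].strip()
    if len(stamp) >= 3 and stamp[-3] in "+-":   # psql prints '-07'; %z wants '-0700'
        stamp += "00"
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S%z")


def timestamp_skews(alert_lines, db_rows):
    """Pair alerts with rows in order; return db_time - alert_time per pair."""
    return [parse_db_ts(r) - parse_alert_ts(a) for a, r in zip(alert_lines, db_rows)]


def constant_offset_hours(skews):
    """Shared offset in hours if every pair disagrees by the same number of
    seconds, else None. A healthy sensor returns 0.0."""
    rounded = {round(s.total_seconds()) for s in skews}
    return rounded.pop() / 3600 if len(rounded) == 1 else None


if __name__ == "__main__":
    print("db - alert offset (h):", constant_offset_hours(timestamp_skews(ALERT_LINES, DB_ROWS)))
```

For the rows quoted above the script reports a constant -7.0 hours, which is the signature of a local time being stored as if it were UTC (or the reverse) rather than of random clock drift.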