Timestamp in BASE Alerts off by one hour

BASE-user
Pete89
2008-02-08
2013-06-03
  • Pete89
    2008-02-08

    Hello,

    This must have an easy fix but I am a little confused. I am using Snort 2.8 with BASE 1.3.9 and Barnyard 0.2 on Debian Etch 4.0r2. I am still just testing at this point.

    Here is the story: The primary web page in BASE (base_main.php) gives me the time on the upper right-hand side of the page correctly: "Queried on: Fri February 08, 2008 12:38:19"
    Debian reports back the same time when I issue the date command. However, when I force an alert to trigger I can see that the "timestamp" field is exactly one hour earlier (11:38) than the actual time of the event.

    Still with me? So where does the timestamp field get the time from?

    Thanks,

    Pete
    Granada

     
    • Hello Pete,

      BASE is a database viewer. The database gets the timestamps from snort, possibly modified by any helper program that carries the data from snort to the database.

      barnyard is such a helper program. Its authors think storing the timestamps in UTC is good for the user. UTC is presumably the wrong timezone for you.

      Fortunately this can be changed in barnyard.conf:

               config localtime

      A second possibility for undesired UTC timestamps would be running snort with the option -U. Check this with

               ps -ef | grep -i snort

      Bye, bye

      Juergen

       
    • Pete89
      2008-02-11

      Juergen,

      You were right. It was the barnyard.conf file which needed to be changed. I uncommented the line:

      config localtime

      and all was well with the timestamps.

      Thanks for your help,

      Pete
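
The two checks Juergen describes (is snort running with -U, and is "config localtime" actually active in barnyard.conf rather than sitting behind a "#") can be scripted so they are not repeated by hand on every sensor. The script below is an added example written for this thread, not code from the BASE, Snort or Barnyard projects. The two sample barnyard.conf files are constructed inline to mirror the before and after states Pete reports; the function names, the temp-file paths and the assumption that -U is passed as its own argument (not folded into a combined short-option group) are all mine. For what it is worth, a one-hour gap in February for a sensor in Granada is exactly the UTC versus CET difference, which is consistent with the UTC explanation.

```shell
#!/bin/sh
# Added example (not from the original thread): scripted versions of the
# two checks in Juergen's reply. Sample configs below are constructed.

# 1. Does a snort command line carry -U (stamp alerts in UTC)?
#    Pass the command line as one string, e.g. the output of
#    `ps -ef | grep -i '[s]nort'`. Assumes -U is its own argument.
snort_has_utc_flag() {
    printf '%s\n' "$1" | grep -Eq '(^|[[:space:]])-U([[:space:]]|$)'
}

# 2. Is "config localtime" present AND uncommented in barnyard.conf?
#    Leading whitespace is tolerated; a leading '#' disables the line.
barnyard_uses_localtime() {
    grep -Eq '^[[:space:]]*config[[:space:]]+localtime[[:space:]]*$' "$1"
}

# Constructed sample: the stock file with the line still commented out.
SAMPLE_DEFAULT=$(mktemp)
cat >"$SAMPLE_DEFAULT" <<'EOF'
config daemon
# config localtime
output alert_acid_db: log, mysql, sensor_id 1, database snort, server localhost
EOF

# Constructed sample: the same file after Pete uncommented the line.
SAMPLE_FIXED=$(mktemp)
cat >"$SAMPLE_FIXED" <<'EOF'
config daemon
config localtime
output alert_acid_db: log, mysql, sensor_id 1, database snort, server localhost
EOF
trap 'rm -f "$SAMPLE_DEFAULT" "$SAMPLE_FIXED"' EXIT

# Print a verdict for the live snort process (if any) and each config file.
report() {
    live=$(ps -ef 2>/dev/null | grep -i '[s]nort' | head -n 1)
    if [ -n "$live" ] && snort_has_utc_flag "$live"; then
        echo "snort is running with -U: alert timestamps will be in UTC"
    fi
    for f in "$SAMPLE_DEFAULT" "$SAMPLE_FIXED"; do
        if barnyard_uses_localtime "$f"; then
            echo "$f: config localtime active, timestamps in local time"
        else
            echo "$f: config localtime missing or commented, timestamps in UTC"
        fi
    done
}

report
```

On a real sensor, replace the two constructed sample files with the path to the live barnyard.conf; the grep in barnyard_uses_localtime is deliberately strict about the line being uncommented, since a "# config localtime" that was never touched is the exact state Pete started from.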