Work at SourceForge, help us to make it a better place! We have an immediate need for a Support Technician in our San Francisco or Denver office.
This must have any easy fix but I am a little confused. I am using Snort 2.8 with BASE 1.3.9 and Barnyard 0.2 on Debian Etch 4.0r2. I am still just testing at this point.
Here is the story:The primary web page in BASE (base_main.php) gives me the Time on the upper righthand side of the page correctly: "Queried on:Fri February 08, 2008 12:38:19"
Debian reports back the same time when I issue the date command. However, when I force an alert to trigger I can see that the "timestamp" field is exactly one hour earliar (11:38) than the actual time of the event.
Still with me? So where does the timestamp field get the time from?
BASE is a database viewer. The database gets the timestamps from snort, possibly modified by any helper program that carries the data from snort to the database.
barnyard is such a helper program. Its authors think, storing the timestamps in UTC is good for the user. UTC is presumably the wrong timezone for you.
Fortunately this can be changed in barnyard.conf:
A second possibility for undesired UTC timestamps would be running snort with the
option -U. Check this with
ps -ef | grep -i snort
You were right. It was the barnyard.conf file which needed to be changed. I umcommented the line:
and all was well with the timestamps.
Thanks for your help,