RE: [Sguil-devel] Timestamps of Sguil alerts
From: SRH-Lists <gi...@33...> - 2005-05-10 13:21:31
> Hi list,
>
> I'm a little confused over the timestamps generated for the alerts.
> Looking at the snippet below:
>
> Sensor Data Rcvd: BYEventRcvd sock3 0 1 458 test-sensor 477 477
> {1974-05-14 21:21:28} 1 483 0 {ICMP PING CyberKit 2.2 Windows}
> {2005-05-10 04:39:09}
>
> The second timestamp is correct, and is the one that gets inserted into
> the DB, but what of the first? Any clues and pointers are greatly
> appreciated.
>
> Cheers,
>
> Callan

That second timestamp is the ref_time from the event. It is supposed to hold the timestamp of the event that it is connected to. For example, if an event is a "Tagged Packet" event, the ref_time should hold the timestamp of the original event that triggered the tagging. The event_ref field (the second 477 in your example) will hold the event_id of the original event. In stand-alone events (like the one you included), event_id (the first 477) will be the same as event_ref (since it refers only to itself) and the ref_time _should_ be the same as the actual timestamp of the packet.

All that said, ref_time is broken (at least in the version of snort you are running). It is supposedly fixed in the latest snort release. The good news is, we are only saving that ref_time value for future features.

The short version: That wonky timestamp is the ref_time, it is broken, we don't really use it for now, ignore it.

-steve
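An added example (not code from the list post or from Sguil itself) that parses the quoted BYEventRcvd line as a Tcl list and applies the rule from the reply: on a stand-alone event, event_id equals event_ref and ref_time should match the packet timestamp, so a mismatch marks the broken ref_time to be ignored. Field positions are taken from the quoted line; the unnamed numeric fields are deliberately left uninterpreted (assumption: only the fields the thread names are used).

```python
from datetime import datetime

# Constructed sample: the BYEventRcvd line quoted in the message above.
SAMPLE = ("BYEventRcvd sock3 0 1 458 test-sensor 477 477 "
          "{1974-05-14 21:21:28} 1 483 0 {ICMP PING CyberKit 2.2 Windows} "
          "{2005-05-10 04:39:09}")

def tcl_split(line):
    """Split a Tcl-style list into words; a {...} group is one word with
    its outer braces removed (Sguil agents exchange Tcl lists)."""
    words, cur, depth = [], [], 0
    for ch in line:
        if ch == "{":
            if depth:
                cur.append(ch)
            depth += 1
        elif ch == "}":
            if depth == 0:
                raise ValueError("unbalanced '}'")
            depth -= 1
            if depth:
                cur.append(ch)
        elif ch.isspace() and depth == 0:
            if cur:
                words.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if depth:
        raise ValueError("unterminated '{'")
    if cur:
        words.append("".join(cur))
    return words

def parse_event(line):
    """Pick out the fields the thread names, by position in the quoted
    line. Other fields are not interpreted (assumption)."""
    w = tcl_split(line)
    if w[0] != "BYEventRcvd" or len(w) < 14:
        raise ValueError("not a BYEventRcvd message")
    ts = lambda s: datetime.strptime(s, "%Y-%m-%d %H:%M:%S")
    return {"event_id": int(w[6]), "event_ref": int(w[7]),
            "ref_time": ts(w[8]), "signature": w[12], "timestamp": ts(w[13])}

def ref_time_usable(ev):
    """Stand-alone event (event_ref == event_id) must have ref_time equal to
    its own timestamp; otherwise ref_time is the broken value and is ignored."""
    standalone = ev["event_id"] == ev["event_ref"]
    return not standalone or ev["ref_time"] == ev["timestamp"]
```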