#21 Add support for FR and other default system locale than EN

[Anonymous]

Hello there,

I am testing snare for Vista 1.1.7.1 and I see problems when the default system locale is FR. For an unknown reason, whenever this is set this way instead of english, the function XX returns the date on the format requested but adding a "." (dot) on it. The outcome of this is a syslog message with a invalid date, and therefore unusable logs.(looks like the dot shifts the date digits to the right, for example 2011 becomes 201). Any possibility of fixing this in the next release? Would it be good to make more space on the array which holds the date messing around too much maybe? (I guess it is 26 now, then to 27?).
Also just FYI, I am wokring in a lab environment, using Windows Server 2008 R2 as a source and I have not experienced crashes, though, however it is not a load system at all (just a W2K8 Server and a XP workstation since this is lab).

Thanks David.

Regards,

Heber

[Anonymous]

The line of code that I think is giving the problem is the following:

GetDateFormat(LOCALE_SYSTEM_DEFAULT,0,&st,"ddd MMM dd ",subtime,_countof(subtime));
strncpy_s(SubmitTime,_countof(SubmitTime),subtime,_TRUNCATE);

Not quite sure though,

Cheers,

[David Mohr]

Hi Heber,

I'll definitely jump in an have a look at this when I can, thanks for letting us know.

Regards, David.

[David Mohr]

Hi Heber,

I've had a look over the date function we use for the syslog header and there are no locale settings, so I'd say you are right about where the problem lies. Do you have an example of a log with a misconfigured date? This will help me track down which functions I need to alter.

Thanks, David.

[wwoch]

Hi David,

Seem to have a similar issue with Snare v4.0.1.2 on French systems, looks like a similar issue might exist on other locales that use longer timestamps. Here's a syslog packet sample as seen on the network once it comes out of Snare:

<39>Apr 13 13:54:12 hostname1 MSWinEventLog 0 Security 814 ven. avr. 13 13:54:11 201 4696 Microsoft-Windows-Security-Auditing DOMAIN\HOSTNAME1$ N/A Success Audit hostname1.domain.local Création du processus Un jeton principal a été attribué à un processus. Sujet : ID de sécurité : S-1-5-18 Nom du compte : HOSTNAME1$ Domaine du compte : DOMAIN ID d’ouverture de session : 0x3e7 Informations sur le processus : ID du processus : 0x318 Nom du processus : C:\Windows\System32\svchost.exe Processus cible : ID du processus cible : 0x1450 Nom du processus cible : C:\Windows\System32\dllhost.exe Informations sur le nouveau processus : ID de sécurité : S-1-5-18 Nom du compte : HOSTNAME1$ Domaine du compte : DOMAIN ID d’ouverture de session : 0x3e7 765

Issue seems to be with the 2nd timestamp, showing as "ven. avr. 13 13:54:11 201". An English system shows "Fri Apr 13 13:54:11 2012" instead in this 2nd field. Don't really have access to visual studio, some quick findings/ideas from looking at 03/SnareCore.cpp from 4.0.1.2:

1) 1st (syslog) timestamp seems to always be ok because we're using an english-style syslogdate()
2) Line 200: SubmitTime seems fixed to 26 chars, appears to explain why a longer time field is truncated (french year 201 instead of 2012)
3) Line 1259 ("good" event path?): strftime() appears to default to system's locale. Could one possible workaround be to use _strftime_l() along with a preconfigured locale (english) as per http://msdn.microsoft.com/en-us/library/fe06s4ak%28v=vs.80%29.aspx ?
4) What about using setlocale() at startup, and allow a user to force a locale via config file?

Thanks!

[Edd Porter]

Was any progress ever made with this? I'm having a similar issue and need a fix. Thanks.

[David Mohr]

I have found a way to work around locale problem and it will be available in the next release of the agent.

[Hiw0k]

Hi David,

Have you some news about this new feature? I'm really interest on it.

Thanks for your help !

Thomas.

[Hiw0k]

Hello David,

Have you some news for the new Snare for Windows version ?

Thanks for your help !

Thomas.