Timestamp in BASE Alerts off by one hour

  • Pete89

    Pete89 - 2008-02-08


    This must have an easy fix but I am a little confused. I am using Snort 2.8 with BASE 1.3.9 and Barnyard 0.2 on Debian Etch 4.0r2. I am still just testing at this point.

    Here is the story: The primary web page in BASE (base_main.php) gives me the Time on the upper right-hand side of the page correctly: "Queried on:Fri February 08, 2008 12:38:19"
    Debian reports back the same time when I issue the date command. However, when I force an alert to trigger I can see that the "timestamp" field is exactly one hour earlier (11:38) than the actual time of the event.

    Still with me? So where does the timestamp field get the time from?



    • Juergen Leising

      Juergen Leising - 2008-02-10

      Hello Pete,

      BASE is a database viewer. The database gets the timestamps from snort, possibly modified by any helper program that carries the data from snort to the database.

      barnyard is such a helper program. Its authors think storing the timestamps in UTC is good for the user. UTC is presumably the wrong timezone for you.

      Fortunately this can be changed in barnyard.conf:

               config localtime

      A second possibility for undesired UTC timestamps would be running snort with the 
      option -U. Check this with 

               ps -ef | grep -i snort

      Bye, bye
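
The two checks from the reply above, combined into one script. This is an added example, not part of the original post or of the Snort/Barnyard distributions; the function names, the sample barnyard.conf contents and the sample snort command line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report which setting, if any, makes
# alert timestamps land in the database as UTC instead of local time.

# Succeeds if FILE contains an active (uncommented) "config localtime" line.
barnyard_uses_localtime() {
    grep -Eq '^[[:space:]]*config[[:space:]]+localtime[[:space:]]*$' "$1"
}

# Succeeds if the given snort arguments include -U, alone or bundled (-DU).
# Heuristic: an attached option value containing "U" would also match.
snort_forces_utc() {
    for arg in "$@"; do
        case "$arg" in
            --*) ;;             # long options are never -U
            -*U*) return 0 ;;
        esac
    done
    return 1
}

# timestamp_mode CONF [SNORT_ARGS...]
# Prints utc:snort-U, utc:barnyard or local.
timestamp_mode() {
    conf=$1
    shift
    if snort_forces_utc "$@"; then
        echo "utc:snort-U"
    elif ! barnyard_uses_localtime "$conf"; then
        echo "utc:barnyard"
    else
        echo "local"
    fi
}

# Constructed sample: a barnyard.conf with the directive still commented out,
# checked against a constructed snort command line that does not use -U.
sample=$(mktemp)
printf '%s\n' '# constructed sample' '#config localtime' 'config hostname: sensor1' > "$sample"
echo "before: $(timestamp_mode "$sample" -c /etc/snort/snort.conf -i eth0 -D)"
printf '%s\n' 'config localtime' >> "$sample"
echo "after:  $(timestamp_mode "$sample" -c /etc/snort/snort.conf -i eth0 -D)"
rm -f "$sample"
```

On a live sensor, pass the real barnyard.conf path and the snort arguments shown by `ps -ef | grep -i snort`.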


    • Pete89

      Pete89 - 2008-02-11


      You were right. It was the barnyard.conf file which needed to be changed. I uncommented the line:

      config localtime

      and all was well with the timestamps.

      Thanks for your help,


