barnyard2
Timestamp frozen events snorby
Hi, guys
I have been having an issue with the timestamp on barnyard events: events are being logged correctly in the Snorby MySQL database, only the time of the event is not updated.
Barnyard2 Version 2.1.14 (Build 336)
-> Snort! <- o" )~ Version 2.9.2.2 IPv6 GRE (Build 121)
MYSQL
use snorby;
select timestamp from event;
| 2015-05-25 13:35:59 |
| 2015-05-25 13:35:59 |
| 2015-05-25 13:35:59 |
| 2015-05-25 13:35:59 |
| 2015-05-25 13:35:59 |
[... 110 more rows, every one 2015-05-25 13:35:59 ...]
I figured out that the event second and packet second are not changing correctly, through u2spewfoo.
Packet sensor id: 0 event id: 1 event second: 1432741433 packet second: 1432741433 packet microsecond: 503554 linktype: 1 packet_length: 106
....
Packet sensor id: 0 event id: 61 event second: 1432741434 packet second: 1432741434 packet microsecond: 2321 linktype: 1 packet_length: 98 ....
Packet sensor id: 0 event id: 215 event second: 1432741435 packet second: 1432741435 packet microsecond: 8982 linktype: 1 packet_length: 98 ....
I think this is a barnyard issue but I am not quite sure. Any ideas?
My base system is:
Linux test 3.7-trunk-686-pae #1 SMP Debian 3.7.2-0+kali8 i686 GNU/Linux
Regards!
Without more information it is hard to diagnose anything. Maybe you have one event with multiple packets in a previous unified2 file.
The best way to test it would be to rerun by2 against the problematic u2 file using syslog output or alert_fast, and show the output or send the u2 file.
On Tue, Jun 2, 2015 at 10:12 AM, Fl0r1d wrote:
> [quoted text identical to the original report above]
— Reply to this email directly or view it on GitHub https://github.com/firnsy/barnyard2/issues/148.
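The reply's advice is to separate the two sides of the pipeline: does the unified2 file carry advancing seconds, and does the database row reflect them? The u2spewfoo output in the original report already shows the unified2 fields (sensor id, event id, event second, packet second, packet microsecond, linktype, packet length). The following is an added example, not code from barnyard2, Snort or Snorby: a minimal unified2 reader that walks the record stream, pulls the event/packet seconds out of type 7 (IDS event) and type 2 (packet) records, and compares the distinct seconds it finds against a list of database timestamps. The sample unified2 bytes and the database timestamp list are constructed inline to mirror the values quoted in the report; `diagnose`, `frozen` and the record-building helpers are names chosen for this example and are not part of any of those projects. The field layouts follow the unified2 format Snort writes (all fields big-endian), which is an assumption you should check against your own u2spewfoo output.

```python
"""Added example: read a unified2 file and check whether event seconds advance.

Not barnyard2/Snort/Snorby code. Record layouts assume the unified2 format
Snort writes (network byte order); sample data below is constructed.
"""
import struct
from datetime import datetime, timezone

# unified2 record types (values as used by Snort's unified2 output)
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

# Record header: type, length (uint32 each, big-endian)
HDR = struct.Struct("!II")
# Unified2IDSEvent (type 7): 11 x uint32, 2 x uint16, 4 x uint8 = 52 bytes
IDS_EVENT = struct.Struct("!IIIIIIIIIIIHHBBBB")
# Unified2Packet fixed part: sensor_id, event_id, event_second,
# packet_second, packet_microsecond, linktype, packet_length (then packet bytes)
PACKET = struct.Struct("!IIIIIII")


def build_ids_event(sensor_id, event_id, event_second, sig_id=1000001):
    """Constructed type-7 record (hypothetical sid, 10.0.0.1:12345 -> 10.0.0.2:80/tcp)."""
    body = IDS_EVENT.pack(sensor_id, event_id, event_second, 0,
                          sig_id, 1, 1, 0, 3,
                          0x0A000001, 0x0A000002,
                          12345, 80, 6, 0, 0, 0)
    return HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body


def build_packet(sensor_id, event_id, event_second, usec, payload):
    """Constructed type-2 record; packet_second mirrors event_second as in the report."""
    body = PACKET.pack(sensor_id, event_id, event_second, event_second,
                       usec, 1, len(payload)) + payload
    return HDR.pack(UNIFIED2_PACKET, len(body)) + body


def iter_records(blob):
    """Yield (type, body) for each record; refuse to read past a truncated record."""
    off = 0
    while off + HDR.size <= len(blob):
        rtype, length = HDR.unpack_from(blob, off)
        off += HDR.size
        if off + length > len(blob):
            raise ValueError("truncated unified2 record at offset %d" % off)
        yield rtype, blob[off:off + length]
        off += length


def parse_unified2(blob):
    """Return the timestamp-bearing fields of event and packet records."""
    out = []
    for rtype, body in iter_records(blob):
        if rtype == UNIFIED2_IDS_EVENT:
            f = IDS_EVENT.unpack(body)
            out.append({"type": "event", "sensor_id": f[0], "event_id": f[1],
                        "event_second": f[2], "sig_id": f[4]})
        elif rtype == UNIFIED2_PACKET:
            f = PACKET.unpack_from(body)
            out.append({"type": "packet", "sensor_id": f[0], "event_id": f[1],
                        "event_second": f[2], "packet_second": f[3],
                        "packet_microsecond": f[4], "packet_length": f[6]})
        # other record types (extra data, IPv6 events, ...) are skipped here
    return out


def distinct_seconds(records):
    return sorted({r["event_second"] for r in records})


def epoch_to_iso(sec):
    """Render a unified2 second the way a database DATETIME would (UTC here)."""
    return datetime.fromtimestamp(sec, tz=timezone.utc).isoformat()


def frozen(values):
    """True when several rows all carry one identical value (the Snorby symptom)."""
    return len(values) > 1 and len(set(values)) == 1


def diagnose(records, db_timestamps):
    """Point at the side of the pipeline where the timestamps stop changing."""
    u2 = distinct_seconds(records)
    if len(u2) > 1 and frozen(db_timestamps):
        return "unified2 advances, database does not: look at the barnyard2/output side"
    if len(u2) <= 1 and len(records) > 1:
        return "unified2 itself carries one second: look at the Snort/sensor side"
    return "timestamps advance on both sides"


# Constructed sample mirroring the event ids, seconds and microseconds in the report.
PAYLOAD = b"\x00" * 98
SAMPLE_U2 = (build_ids_event(0, 1, 1432741433) + build_packet(0, 1, 1432741433, 503554, PAYLOAD)
             + build_ids_event(0, 61, 1432741434) + build_packet(0, 61, 1432741434, 2321, PAYLOAD)
             + build_ids_event(0, 215, 1432741435) + build_packet(0, 215, 1432741435, 8982, PAYLOAD))
# Constructed stand-in for `select timestamp from event` output.
SAMPLE_DB_TIMESTAMPS = ["2015-05-25 13:35:59"] * 5

if __name__ == "__main__":
    recs = parse_unified2(SAMPLE_U2)
    for r in recs:
        print(r["type"], "event_id", r["event_id"], "second", r["event_second"], epoch_to_iso(r["event_second"]))
    print(diagnose(recs, SAMPLE_DB_TIMESTAMPS))
```

To use it on a real file, replace `SAMPLE_U2` with the bytes of the unified2 file barnyard2 was reading (`open(path, "rb").read()`) and `SAMPLE_DB_TIMESTAMPS` with the column values from the query in the report; if the reader shows distinct seconds while the table shows one value, the problem is on the output side and rerunning by2 with alert_fast, as the reply suggests, is the next step.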