To confirm that the issue is only on amd64 (not that we needed any
confirmation, I guess), I've downloaded and installed both i386 and
amd64 versions of 4.1, and snort 2.6.0.2 packages accordingly.

There is no problem on i386, but on amd64 snort has the same problem as
described in my previous post.

I would appreciate any hints as to where to look for the source of such
a problem (in the source code).

On Fri, 2007-04-06 at 14:30 +0300, Soner Tari wrote:
> (Since I was told that ports@ is the place to post my problem, I am
> re-posting here. Btw, I am ready to test any patches/suggestions to
> snort on amd64. Also, I've manually checked if the differences in the
> following diff file were applied to the 2.6.1.4 source from snort.org,
> as far as I can see .h and .c diffs were:
> http://secure.lv/~nikns/stuff/ports/snort-2.6.1.2.diff )
> 
> I'm running snort on OpenBSD 4.0 amd64. I've tried 2.4.5 among the
> packages, and built 2.6.1.4 from the source (are there any special
> configure options I should use?). Also I've tried many combinations of
> rules: registered user, community and bleeding-edge rules. The same
> result.
> 
> For example, when I run nmap for the TargetIP, "TCP Portscan" alert logs
> report the datetime as follows (only the timestamp lines are shown):
> 
> 04/05-15:55:09.000174 SrcIP -> TargetIP
> 04/05-20:14:48.000174 SrcIP -> TargetIP
> 04/06-06:11:01.000174 SrcIP -> TargetIP
> 04/05-19:09:59.000169 SrcIP -> TargetIP
> 04/06-00:22:37.000174 SrcIP -> TargetIP
> 
> The datetime was around 11:48 AM on Apr 06, +/-2mins for each nmap run
> (order of runs is as shown).
> 
> Granted the date is within 24 hours, but apparently the hour is, well,
> random.
> 
> If I use tcpdump style logs, I see that the datetimes reported there are
> correct.
> 
> Also, I've used BASE; it reports Timestamp as all 0's. But I deem that
> this may be due to something else, probably the database time format, I
> don't know. (To be exact, I've used and built both plain and mysql
> versions of snort, with the same result.)
> 
> Could somebody tell me what I may be doing wrong? Any links I wasn't
> able to find?
> 
> Thanks,
> 
> 
> 
