[sniffer] Rulebase, bogus UTC Timestamps?

2008-10-08 Thread Andy Schmidt
Hi Pete,

 

I'm running a Sniffer service on a secondary system so that I can test my
rulebase update script. After I changed to "curl" (to maintain the server
timestamps), I'm now seeing the following in the status.minute.log:

 

   

   

  

 

The "update ready" note matches the timestamp of 2:36 PM of actual rulebase
SNF file. Which is correct, because when it downloaded from your server at
11:35 AM EDT, your server presented this HTTP header:

 

Date: Wed, 08 Oct 2008 15:33:44 GMT
Server: Apache/2.0.46 (Red Hat)
Last-Modified: Wed, 08 Oct 2008 14:36:10 GMT
ETag: "3ec4df2-cb96c0-458bed6588a80"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Transfer-Encoding: chunked
Content-Type: application/x-sortmonster

 

But, how is the rulebase and active UTC determined? Where is this "18:36:10"
coming from? It seems to me as if somehow Sniffer adjusted the (already) GMT
time of 14:36 by yet ANOTHER 4 hours, giving it a fantasy timestamp of
18:36.

 

The net effect appears to be that my test machine doesn't get an
"UpdateReady.txt" until 4 hours have passed. My improved getRulebase.cmd
works perfectly, but it will only get launched every four hours, at best.

 

Best Regards,

Andy

 

 

 



[sniffer] Re: Updated getRuleBase.cmd

2008-10-08 Thread Pete McNeil




Hello Andy,

Wednesday, October 8, 2008, 12:52:59 PM, you wrote:

> Hi,
>
> After resolving the issues with UTC vs. local time (apparently the Sniffer
> service doesn't actually use a version identifier inside the SNF file, but
> relies on the Windows file date to determine what rulebase version is in
> place), here is the updated getRuleBase.cmd.
>
> 1. Get the latest CURL.EXE for Win 2000 or higher from
> http://curl.haxx.se/latest.cgi?curl=win32-nossl-sspi (don't use older builds
> to avoid timezone issues).

Does this resolve the timestamp issues you indicated in your previous
message?

SNF gets the timestamp from the file system using gmtime() of the
modification timestamp on the file. The same call is made in the SYNC server
software when the rulebase timestamp is provided to the SNF node for
comparison.

gmtime() provides the UTC time (used to be known as GMT) for any timestamp.

_M


-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.






[sniffer] Re: Updated getRuleBase.cmd

2008-10-08 Thread Andy Schmidt
Hi,

Yes, recent Windows curl builds will convert between UTC and local time.

I was just caught off-guard that Sniffer is using an "external" datum, which
is subject to wanted or unwanted manipulation, for something as crucial as
determining the "file version" of the rule base. If (due to copying files
between servers) a sniffer file has a "bogus" file date, Sniffer would
actually rely on that and be thrown out of whack?

I would have expected that the SNF file was "self-contained" (e.g.,
contained an internal version id or timestamp) so that it was not subject to
outside interference.

Best Regards,
Andy

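The following is an added example, written for this page; it is not code from the thread, from getRuleBase.cmd, or from the Message Sniffer / SYNC software. It illustrates two points raised above: Pete's description of how the rulebase timestamp is derived (gmtime() of the file's modification time, on both the SNF node and the SYNC server), and Andy's two concerns, namely the 4-hour "fantasy" timestamp produced when a tool treats the GMT wall clock from the Last-Modified header as local time, and the fact that a file date is an external datum that a plain file copy can silently reset. The Last-Modified value is the one quoted in the thread; the file name, the placeholder file content and the assumed US Eastern (EDT, UTC-4) offset are constructed for the demonstration.

```python
"""Added example (not from the sniffer thread or the Message Sniffer code).

Demonstrates, on a scratch file:
  (a) the derivation Pete describes: gmtime() of the file's mtime,
  (b) the double-applied zone offset that turns 14:36 GMT into 18:36,
  (c) a sanity check before trusting the file date as a version: compare
      the on-disk mtime with the server's Last-Modified header.
The header value is copied from the thread; the file name, placeholder
content and the EDT offset are assumptions for this demonstration.
"""
import os
import tempfile
import time
from email.utils import parsedate_to_datetime

# Header value as presented by the rulebase server in the thread.
LAST_MODIFIED = "Wed, 08 Oct 2008 14:36:10 GMT"
EDT_OFFSET_HOURS = -4  # assumed local zone of the test box (US Eastern, DST)


def header_to_epoch(last_modified: str) -> int:
    """RFC 1123 date -> UTC epoch seconds; this is what a correct `curl -R` stores as mtime."""
    return int(parsedate_to_datetime(last_modified).timestamp())


def utc_string(epoch: float) -> str:
    """Format an epoch the way SNF derives its rulebase UTC: through gmtime()."""
    return time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(epoch))


def rulebase_utc(path: str) -> str:
    """Derivation per Pete's message: gmtime() of the file's modification timestamp."""
    return utc_string(os.stat(path).st_mtime)


def set_mtime_from_header(path: str, last_modified: str) -> int:
    """Emulate a correct `curl -R`: stamp the file with the header's UTC epoch."""
    epoch = header_to_epoch(last_modified)
    os.utime(path, (epoch, epoch))
    return epoch


def double_offset_epoch(last_modified: str, utc_offset_hours: int) -> int:
    """Emulate the faulty behaviour Andy saw: the 14:36 *GMT* wall clock is read
    as local 14:36, so converting it to an epoch applies the zone offset again.
    For UTC-4 this pushes the stored mtime 4 hours into the future (18:36 UTC)."""
    return header_to_epoch(last_modified) - utc_offset_hours * 3600


def mtime_matches_header(path: str, last_modified: str, tolerance_s: int = 2) -> bool:
    """Check before trusting the file date as a version: the on-disk mtime must
    agree with the server's Last-Modified. A copy that reset the date, or a
    timezone bug in the downloader, shows up here as a mismatch."""
    return abs(os.stat(path).st_mtime - header_to_epoch(last_modified)) <= tolerance_s


def demo() -> dict:
    """Run the three scenarios on a scratch file and return what SNF would see."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "rulebase.snf")  # assumed file name
        with open(path, "wb") as f:
            f.write(b"constructed placeholder rulebase content")

        # (a) correct download: mtime == Last-Modified, gmtime() gives 14:36:10
        set_mtime_from_header(path, LAST_MODIFIED)
        correct = rulebase_utc(path)
        correct_ok = mtime_matches_header(path, LAST_MODIFIED)

        # (b) faulty downloader: zone offset applied twice -> 18:36:10
        bad = double_offset_epoch(LAST_MODIFIED, EDT_OFFSET_HOURS)
        os.utime(path, (bad, bad))
        shifted = rulebase_utc(path)
        shifted_ok = mtime_matches_header(path, LAST_MODIFIED)

        # (c) a plain copy between servers usually stamps "now" on the file
        now = time.time()
        os.utime(path, (now, now))
        copied_ok = mtime_matches_header(path, LAST_MODIFIED)

    return {
        "correct": correct, "correct_ok": correct_ok,
        "shifted": shifted, "shifted_ok": shifted_ok,
        "copied_ok": copied_ok,
        "hours_shift": (bad - header_to_epoch(LAST_MODIFIED)) / 3600,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because gmtime() ignores the process's local zone, the scenarios behave the same on a server set to Eastern time or to UTC; only the value stored in the mtime field matters, which is exactly why a downloader that sets it wrongly, or a copy that resets it, changes the "version" SNF sees. The check in mtime_matches_header is the cheap safeguard for an update script: refuse to install a rulebase whose file date disagrees with the Last-Modified header it was fetched with.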