I'm running snort on OpenBSD 4.0 amd64. I've tried 2.4.5 from the
packages, and built 2.6.1.4 from source (are there any special
configure options I should use?). Also, I've tried many combinations of
rules: registered-user, community and bleeding-edge rules, with the
same result.

For example, when I run nmap against TargetIP, the "TCP Portscan" alert logs
report the date and time as follows (only the timestamp lines are shown):

04/05-15:55:09.000174 SrcIP -> TargetIP
04/05-20:14:48.000174 SrcIP -> TargetIP
04/06-06:11:01.000174 SrcIP -> TargetIP
04/05-19:09:59.000169 SrcIP -> TargetIP
04/06-00:22:37.000174 SrcIP -> TargetIP

The actual date and time was around 11:48 AM on Apr 06, +/- 2 minutes, for
each nmap run (the runs are listed in the order they were made).

Granted, the date is within 24 hours, but the hour is apparently, well,
random.

If I use tcpdump-style logs, I see that the timestamps reported there are
correct.

Also, I've used BASE; it reports the Timestamp as all 0's. But I think
this may be due to something else, probably the database time format; I
don't know. (To be exact, I've built and used both the plain and the MySQL
versions of snort, with the same result.)

Could somebody tell me what I may be doing wrong? Are there any links I
wasn't able to find?

Thanks,
