On Fri, 2009-04-24 at 23:32 +0200, Matus UHLAR - fantomas wrote: > On 24.04.09 18:44, Rik wrote: > > Date: Fri, 24 Apr 2009 18:44:07 +0100 > > > > I was stumped on a question today about DATE_IN_FUTURE. My googling > > offered me nothing more than the obvious 'The message has a date in the > > future. > > > > Thing is, I could not see it. The time stamp was 24 Apr 2009 14:20:32 > > +0800 and matched the firewall connection log OK. Can anyone point me to > > a sensible explanation of what this rule looks at so I can troubleshoot > > it? > > If you got the mentioned mail BEFORE you sent this one, it was in the > future: > > the time you sent the mail was 24 Apr 2009 19:44:07 GMT > the time reported was 25 Apr 2009 00:20:32 GMT. > > Apparently the sender does not have correct timezone set (quite common > problem). > Sadly I have discarded the mail, but the server time stamp and header stamp were within seconds of each other, so I don't think it's a time zone issue as such.
The only reason I dropped in and asked here stems from seeing the same rule hit at 3.5 twice in the last two days for no obvious reasons. All I really want to know is what the rule is looking at to compare X with Y. Is it looking at the box SA is running on and comparing the time with the 'date' field in the header (where it exists) or something else? >From the rule name I can get the gist of what the issue is, I just need to know what it is doing the comparison on for my own sanity.
