SNORT alert timestamp in GUI does not respect DST change


    After the DST-ending fall-back this morning, SNORT alerts shown in the GUI were still using the DST time rather than the proper fall-back time. The same alerts in the actual log were showing the correct time.

    A SNORT restart solved the issue but thought I would still mention it.




  • What do the timestamps for your system log messages look like during the same time interval? Did those timestamps auto-adjust to the DST change?

    The Snort package uses vanilla PHP system calls to convert the timestamps to strings for display on the ALERTS tab. The underlying binary is logging in Univseral Time, but the GUI converts to local time using standard PHP function calls. My first suspicion is the PHP functions themselves did not auto-update the running instance. Or stated another way, the PHP module that was running started running on DST and never got updated to the fact DST ended and regular time began. Restarting Snort will kill and restart the PHP processes associated with the Snort GUI as you swap pages in the GUI. Upon restarting, the PHP processes realized DST had ended.

  • In syslog, they look correct but on the GUI side, there is unfortunately no way to check this due to the display having an upper limit of 2000 entries...

Log in to reply