Ticket #43 (new defect)

Opened 11 years ago

Last modified 9 years ago

Time problem in Walleye

Reported by: bjou Owned by: [email protected]
Priority: minor Milestone: roo-1.4
Component: Walleye Version: 1.4b3
Keywords: time walleye timezone Cc:

Description

As can be seen on the screenshot/attachment ( http://bjou.de/walleye.jpg), the overview on the left-hand side shows 2 connections within the hour of 11 o'clock, while they actually were at 13:49h (right-hand side). The 13:49 is the correct date and time, but every connection in the left menu is 2 hours behind. How can I fix this? Linux time and Walleye timezone in the demographics section are set correctly... Version: roo-1.4.hw-20080424215740.iso

Attachments

walleye.jpg Download (22.3 KB) - added by bjou 11 years ago.

Change History

Changed 11 years ago by bjou

Changed 10 years ago by amboss

I have the same problem. I wonder if there is an improvement about this problem?

Changed 9 years ago by kwortman

So was this ever resolved? I have similar issues. Set Walleye "Honeywall Demographics" to Eastern Time and followed the instructions outlined in "Clock.txt" located at http://yum.honeynet.org/roo/manual/txt/ and today at 0900 in the morning I have flows and IDS hits at 1300 in the afternoon. This is causing me an issue as I'm trying to do a proof of concept for my customer using this technology.

Kevin Wortman

Changed 9 years ago by breusshe

I found out the issue. The Perl code is using gmtime() instead of localtime() in its .pl files (such as walleye.pl). Gmtime() converts time from epoch time to a time array that uses GMT as the timezone. Localtime() does the same thing, except it uses the system's configured timezone (details on how to change that are laid out in the Clock.txt that kwortman references above). If you do the following it will fix most everything:

Edit two files:  /var/www/html/walleye/walleye.pl
                 /var/www/html/walleye/sum_graph.pl

1.) type:

vi +%s/gmtime/localtime/g /var/www/html/walleye/walleye.pl

*** If you see a warning about editing a read-only file, just hit enter, it's fine.

2.) Once vi opens up, type:

:wq!

***(this saves the file and exits vi)

3.) Do steps 1 and 2 for sum_graph.pl

There is one problem. This does not fix the hourly summary table on the left side of the screen that bjou originally posted about. I'm still trying to figure that part out. I'll post again when I find the fix.

Changed 9 years ago by breusshe

Replying to bjou:

Ok, I figured out the time thing completely. All time references in my Honeywall and Walleye are now accurate. Here is what I did:

First off, you'll be editing the following files:

/var/www/html/walleye:
    walleye.pl
    sum_graph.pl

/usr/lib/perl5/site_perl/5.8.8/Walleye:
    Admin.pm
    Aggregate_flow.pm
    Connection_table.pm
    Host.pm
    Process.pm
    Process_tree.pm

To do the edit, you need to run a series of vi commands:

1.) cd to the /var/www/html/walleye directory.

2.) Type the following command:

vi +%s/gmtime/localtime/g +%s/timegm/timelocal/g walleye.pl

***NOTE: This will start vi and run the two search and replace items (the text after each of the plus ('+') signs) as walleye.pl loads. You must wait for two messages to appear. Each message relates to the two search and replaces being done. The first message will have in it:

Pattern not found:

The other will have:

x substitutions on y lines

where 'x' and 'y' are numbers. You might see only one of these messages twice, or each of these messages once. It depends on whether or not the string being replaced exists in the file.

3.) Once the search and replace is completed, you'll see:

Press ENTER or type command to continue

Just press Enter and vi will finish opening the file.

***NOTE: Ignore any messages about changing a read-only file. The next step tells you how to save a read-only file in vi.

4.) Type:

:wq!

***NOTE: This will save and exit vi

5.) Repeat Step 2 replacing walleye.pl with sum_graph.pl.

6.) cd to /usr/lib/perl5/site_perl/5.8.8/Walleye and repeat Steps 2 - 5 using the filenames for this folder listed at the start of this post.

7.) Refresh or startup Walleye in your browser. You'll notice that all the times now use the timezone configured for your server.

***NOTE: If the time is still wrong, check the time in Walleye (found in the upper-right corner, in the header, once you log in). Make sure the timezone listed there is correct. If not, you need to adjust your timezone per the link in kwortman's earlier post (found in Clock.txt).

That should straighten y'all out. Just keep in mind one thing: I think the developers intended this behavior. I think the reason the code is set to GMT like this is so that organizations using multiple Honeypots in different geographical areas would have statistics that matched up to each other. So, if you have a site in London and another in Bangkok, you might not want to make these changes since it might make it harder to determine when troublesome network traffic was bothering the two separate sites (due to the different timezones).

Perhaps a developer could weigh in on this to confirm or deny my suspicions????
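The gmtime()/localtime() and timegm()/timelocal() pairing that breusshe's fix relies on, as an added example written for this ticket (it is not Walleye's own code). It assumes only the core Perl modules Time::Local and POSIX, a constructed flow timestamp of 2008-04-24 11:49 UTC, and a Europe/Berlin host (UTC+2 in April), which reproduces the two-hour gap from the original report:

```perl
#!/usr/bin/perl
# Added example, not Walleye code: why gmtime()/timegm() and
# localtime()/timelocal() have to be swapped as matching pairs.
use strict;
use warnings;
use Time::Local qw(timegm timelocal);
use POSIX qw(strftime);

# Force a timezone so the example behaves the same on any host.
# Walleye itself uses whatever the Honeywall's system timezone is
# (Clock.txt explains how to set that).
$ENV{TZ} = 'Europe/Berlin';
POSIX::tzset();

# Constructed sample: an epoch value as a flow record would store it,
# 2008-04-24 11:49:00 UTC. Month is 0-based in Time::Local (3 = April).
my $epoch = timegm(0, 49, 11, 24, 3, 2008);

# Render a broken-down time list the way a report column would.
sub fmt { my @t = @_; return strftime('%Y-%m-%d %H:%M', @t) }

# Before the fix: gmtime() shows the stored value in UTC.
my $shown_utc   = fmt(gmtime($epoch));
# After the fix: localtime() shows the same value in the host timezone.
my $shown_local = fmt(localtime($epoch));

printf "stored epoch %d\n  gmtime    -> %s\n  localtime -> %s\n",
    $epoch, $shown_utc, $shown_local;

# The hourly summary rebuilds an epoch from broken-down time. The
# function that splits the time and the one that reassembles it must
# agree on the timezone, otherwise the bucket shifts by the UTC offset.
my @local_parts = localtime($epoch);
my $consistent  = timelocal(@local_parts[0..5]);   # localtime + timelocal
my $mismatched  = timegm(@local_parts[0..5]);      # localtime + timegm

printf "round trip localtime/timelocal: %+d s\n", $consistent - $epoch;
printf "round trip localtime/timegm:    %+d s\n", $mismatched - $epoch;
```

Run it with `perl` on the Honeywall or any Linux box. The gmtime() line is what the ticket's left-hand summary shows, the localtime() line is what the right-hand detail shows after the fix, and the second round trip is off by the host's UTC offset, which is why a half-applied edit (gmtime replaced but timegm left alone, or vice versa) moves the hourly table rather than repairing it. For the multi-site case breusshe raises, the usual approach is to keep the stored epoch values as they are and convert only at display time, so that flows from different sites still line up when compared.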

Changed 9 years ago by breusshe

Just figured out something. If you want to completely skip Steps 3 and 4, amend the vi statement as follows:

vi +%s/gmtime/localtime/g +%s/timegm/timelocal/g +wq! <filename>

This will not only do the search and replace but, once it is done, will save and close the file automatically. Just simply type the command, press Enter and wait for the prompt to return. Wash, rinse, repeat.
