[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ossec-list] Re: strftime() on Solaris 8

To: ossec-list@xxxxxxxxxxxxxxxx
Subject: [ossec-list] Re: strftime() on Solaris 8
From: Leslie S Arvin <arvin@xxxxxxxxxx>
Date: Wed, 07 Jun 2006 15:44:52 -0400
Cc: ossec-list@xxxxxxxxx

Thanks all for replying.  Changing the source to use %Z in maild.c:strftime()
is quieting SpamAssassin.

I am also seeing strangeness with the dates in the alert logs
and in the Date: line of emails.  The time value returned is not
adjusting for timezone/daylight savings time -- it is printing GMT.

Specifically, an alert at 15:11:35 US/East-Indiana -0400 creates
this in its entry in the alert logs:

** Alert 1149707495.15121: mail
2006 Jun 07 19:11:35 /var/adm/messages

and creates this email header excerpt in its notification:

From: OSSEC HIDS <ossecm@xxxxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 07 Jun 2006 19:11:45 US/East

Separate tests with localtime() confirm that it returns the correct
timezone-adjusted time; however, my test C program prints "EDT" for
the %Z value to strftime(), not "US/East" as in the email headers,
so I'm wondering if I'm testing the right version of localtime().

This is ossec-hids 0.8 on Solaris 8 sparc.

-- Leslie Arvin
    arvin@xxxxxxxxxx, Office: FREH G409, Phone: 765-496-3971
    Network Systems Administrator, ITI-Unix Platforms
    Purdue University, Information Technology at Purdue


Daniel Cid wrote:
>>>From what I'm seeing (after checking some standards) we should
> have used the uppercase Z instead of the lowercase one. It will
> fail on most non-linux and non-bsd systems...
> 
> Thanks for reporting it!
> 
> --
> Daniel B. Cid
> dcid @ ( at ) ossec.net
> 
> 
> On 6/7/06, oahmet <oahmet@xxxxxxxxxxx> wrote:
>> Hi Leslie,
>>
>> Thanks for reporting this issue. I'll work on it.
>> However in order to make ossec-hids work on your environment, you may
>> want to edit "src/os_maild/sendmail.c" file and change line 212:
>>
>> strftime(snd_msg, 127, "Date: %a, %d %b %Y %T %z\r\n",p);
>> to
>> strftime(snd_msg, 127, "Date: %a, %d %b %Y %T %Z\r\n",p);
>> (I mean change %z -> %Z). and install ossec-hids.
>>
>> Then it will print "timezone name" instead of  "hour offset from GMT".
>>
>> Best Regards,
>>
>> Ahmet Ozturk.
>>
>> Leslie S Arvin wrote:
>>> I'm getting sendmail errors because the default strftime() on Solaris 8
>>> does not support %z.  The Date: in the formatted email is displaying as:
>>>
>>> Date: Wed, 07 Jun 2006 15:14:31 %z
>>>
>>> and getting flagged by SpamAssassin.
>>>
>>> Since ossec has been tested on Solaris 2.8 (Sparc) systems, how does one
>>> get around this?
>>>
>>> -- Leslie Arvin
>>>     arvin@xxxxxxxxxx, Office: FREH G409, Phone: 765-496-3971
>>>     Network Systems Administrator, ITI-Unix Platforms
>>>     Purdue University, Information Technology at Purdue
>>>
>>>
> 
> 

--~--~---------~--~----~------------~-------~--~----~
-~----------~----~----~----~------~----~------~--~---

Follow-Ups:
- [ossec-list] Re: strftime() on Solaris 8
  - From: Daniel Cid

References:
- [ossec-list] strftime() on Solaris 8
  - From: Leslie S Arvin
- [ossec-list] Re: strftime() on Solaris 8
  - From: oahmet
- [ossec-list] Re: strftime() on Solaris 8
  - From: Daniel Cid

Prev by Date: [ossec-list] Re: strftime() on Solaris 8
Next by Date: [ossec-list] I don't seem to be getting emails about changed binaries
Previous by thread: [ossec-list] Re: strftime() on Solaris 8
Next by thread: [ossec-list] Re: strftime() on Solaris 8
Index(es):
- Date
- Thread

OSSEC home | Main Index | Thread Index

OSSEC project: www.ossec.net.
Mailling list information: http://www.ossec.net/en/mailing_lists.html.