<html><head><style>p{margin-top:0px;margin-bottom:0px;}</style></head><body><div style="font-size:10pt; font-family:Gulim,sans-serif;">
<p>Hello all,</p>
<p> </p>
<p>Please help me with the following email.</p>
<p style="padding: 0px 0px 0px 10pt; font-family: sans-serif; font-size: 10pt;"><span>-----Original Message-----</span><br><b>From:</b> "박경호"<pgh5247@naver.com> <br><b>To:</b> <oisf-users@lists.openinfosecfoundation.org>; <br><b>Cc:</b> <br><b>Sent:</b> 2017-07-05 (Wed) 17:38:05<br><b>Subject:</b> alert timestamp<br> </p>
<div style="font-family: Gulim,sans-serif; font-size: 10pt;">
<p>Hello all,</p>
<p> </p>
<p>Until now,</p>
<p>I understood that the timestamp in the alert log (fast.log or eve.json) is the same as the packet timestamp.</p>
<p>But the two timestamps are different.</p>
<p>To be precise, the two timestamps are the same in some alert messages and different in other alert messages.</p>
<p>In my test, they were the same in the alert message "ET POLICY Dropbox Client Broadcasting..."</p>
<p>They were different in "ET POLICY PE EXE or DLL Windows file download HTTP..."</p>
<p> </p>
<p>Isn't the timestamp in the alert log file the timestamp of the packet?</p>
<p> </p>
<p>If you want the pcap file to test with, you can download it here: <a href="https://drive.google.com/open?id=0B4Mdb8bpuRlnU0pkZ002WWVFdFk" target="_blank">https://drive.google.com/open?id=0B4Mdb8bpuRlnU0pkZ002WWVFdFk</a></p>
<p> </p>
<p>Please explain this to me.</p>
<p> </p>
<p>Thanks in advance.</p>
<p> </p>
</div>
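<p>A way to investigate the observation above is to line up every eve.json alert against the packets of the same flow in the pcap and see which packet, if any, carries the identical timestamp. The script below is an added example, not code from the original mail or from the Suricata project. It assumes the standard eve.json alert fields (<code>timestamp</code>, <code>src_ip</code>, <code>src_port</code>, <code>dest_ip</code>, <code>dest_port</code>, <code>proto</code>, <code>alert.signature</code>), reads classic pcap (not pcapng) with an Ethernet link type, and only looks at IPv4 TCP/UDP. The sample capture and alerts embedded in <code>demo()</code> are constructed, not taken from the poster's pcap: one alert whose stamp equals its single UDP packet, and one HTTP-download alert whose stamp equals the third packet of its flow rather than the first, which is the kind of difference the poster saw.</p>

```python
"""Match Suricata eve.json alert timestamps to the packets of the same flow in a pcap (added example)."""
import json
import socket
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def eve_ts_to_us(ts):
    """'2017-07-05T17:38:05.550000+0900' -> epoch microseconds as an int (no float rounding)."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")
    return (dt - EPOCH) // timedelta(microseconds=1)


def five_tuple(frame):
    """(src_ip, src_port, dst_ip, dst_port, 'TCP'|'UDP') for an Ethernet/IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    if proto not in (6, 17) or len(frame) < 14 + ihl + 4:
        return None
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    return (socket.inet_ntoa(frame[26:30]), sport, socket.inet_ntoa(frame[30:34]), dport,
            "TCP" if proto == 6 else "UDP")


MAGICS = {0xA1B2C3D4: ("<", False), 0xD4C3B2A1: (">", False),   # microsecond-resolution pcaps
          0xA1B23C4D: ("<", True), 0x4D3CB2A1: (">", True)}     # nanosecond-resolution pcaps


def parse_pcap(data):
    """Return [(epoch_us, five_tuple), ...] in file order; other packets are skipped."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic not in MAGICS:
        raise ValueError("not a classic pcap file")
    endian, nanos = MAGICS[magic]
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:  # LINKTYPE_ETHERNET
        raise ValueError("only the Ethernet link type is handled here")
    packets, off = [], 24
    while off + 16 <= len(data):
        sec, frac, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        tup = five_tuple(data[off:off + incl_len])
        off += incl_len
        if tup:
            packets.append((sec * 1_000_000 + (frac // 1000 if nanos else frac), tup))
    return packets


def match_alerts(eve_lines, packets):
    """Per alert: the flow's packet indices, the packet with the identical stamp (if any), and the offset from the flow's first packet."""
    results = []
    for line in eve_lines:
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        a_us = eve_ts_to_us(ev["timestamp"])
        fwd = (ev["src_ip"], ev["src_port"], ev["dest_ip"], ev["dest_port"], ev["proto"])
        rev = (fwd[2], fwd[3], fwd[0], fwd[1], fwd[4])   # alert may be on the server->client direction
        flow = [(i, ts) for i, (ts, tup) in enumerate(packets) if tup in (fwd, rev)]
        exact = [i for i, ts in flow if ts == a_us]
        results.append({
            "signature": ev["alert"]["signature"],
            "flow_packets": [i for i, _ in flow],
            "exact_match": exact[0] if exact else None,
            "nearest_packet": min(flow, key=lambda p: abs(p[1] - a_us))[0] if flow else None,
            "offset_from_flow_start_us": a_us - min(ts for _, ts in flow) if flow else None,
        })
    return results


# --- constructed sample data (not a real capture) ---
def build_frame(src, sport, dst, dport, proto, payload=b""):
    """Minimal Ethernet/IPv4/TCP-or-UDP frame; checksums stay zero, the parser does not check them."""
    l4 = struct.pack("!HH", sport, dport)
    l4 += (b"\x00" * 8 + b"\x50\x18" + b"\x00" * 6) if proto == 6 else b"\x00" * 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\xff" * 6 + b"\x00" * 6 + b"\x08\x00" + ip + l4 + payload


def build_pcap(records):
    """records: [(epoch_us, frame)] -> little-endian microsecond pcap bytes."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for us, frame in records:
        out += struct.pack("<IIII", us // 1_000_000, us % 1_000_000, len(frame), len(frame)) + frame
    return out


def demo():
    """A UDP broadcast alerted on its only packet, and an HTTP flow alerted on the response packet."""
    base = eve_ts_to_us("2017-07-05T17:38:05.000000+0900")
    pcap = build_pcap([
        (base, build_frame("10.0.0.5", 17500, "255.255.255.255", 17500, 17)),
        (base + 200_000, build_frame("10.0.0.5", 49152, "93.184.216.34", 80, 6)),
        (base + 300_000, build_frame("93.184.216.34", 80, "10.0.0.5", 49152, 6)),
        (base + 550_000, build_frame("93.184.216.34", 80, "10.0.0.5", 49152, 6, b"HTTP/1.1 200 OK\r\n\r\nMZ")),
    ])
    eve = [
        json.dumps({"timestamp": "2017-07-05T17:38:05.000000+0900", "event_type": "alert",
                    "src_ip": "10.0.0.5", "src_port": 17500, "dest_ip": "255.255.255.255",
                    "dest_port": 17500, "proto": "UDP",
                    "alert": {"signature": "ET POLICY Dropbox Client Broadcasting"}}),
        json.dumps({"timestamp": "2017-07-05T17:38:05.550000+0900", "event_type": "alert",
                    "src_ip": "93.184.216.34", "src_port": 80, "dest_ip": "10.0.0.5",
                    "dest_port": 49152, "proto": "TCP",
                    "alert": {"signature": "ET POLICY PE EXE or DLL Windows file download HTTP"}}),
    ]
    return match_alerts(eve, parse_pcap(pcap))


if __name__ == "__main__":
    for r in demo():
        print(r)
```

<p>Against a real capture, replace <code>demo()</code> with <code>match_alerts(open("eve.json"), parse_pcap(open("capture.pcap", "rb").read()))</code>. An alert whose <code>exact_match</code> is a later packet index than the first entry of <code>flow_packets</code> has a stamp that does equal a packet timestamp, just not the packet you compared it with; an alert with <code>exact_match</code> of <code>None</code> but a small <code>nearest_packet</code> distance points at a clock or resolution difference instead.</p>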
</div></body></html>