Leap Second information EOY2016


SUMMARY

  • Dec 05, 2016

Snare Agents

The leap second is mostly an operating-system level issue, and it can affect real-time applications that make decisions on the basis of the clock. Snare does not make such decisions, so the impact on the agents is limited to how events are stamped.

For Snare, the leap second simply means that one second occurs twice. On a busy machine, where Snare already collects multiple events per second, the only visible effect is that the events from those two wall-clock seconds share a single timestamp. For example, if Snare is collecting 10 events per second, the log will show about 20 events stamped with the leap second (two real seconds' worth, assuming the machine stays equally busy). On very busy machines whose administrators track events per second closely and treat any spike as an anomaly, roughly double the usual events-per-second count should be expected for that one second, and that is what will appear in the SIEM.

Snare Server

The leap second will have minimal implications for the Snare Server directly.

The Snare Server collection subsystem uses the time carried in each event log message as the authoritative time value for that event. As long as the operating system from which each event originates handles the leap second appropriately, Snare will accurately record and represent the event times.

If an event arrives at the Snare Server with no date/time information, or with corrupted date/time information, the collection subsystem falls back to tagging the event with the server's local time. To guard against clock drift, the Snare Server performs a daily time synchronisation (if enabled in the Snare Server wizard), generally around midnight local time, against the NTP server configured as the time source in the wizard; that daily run is when the leap second will be corrected on the server's own clock. For the vast majority of Snare Server users, the only log that uses server local time is the 'Snare Server Log', which is generated directly by the reporting web interface. Between 00:00:00 UTC on 1 Jan 2017 and the next daily synchronisation run at local midnight, the Snare Server clock is expected to be one second out of step with the updated leap-second time. As noted above, this does not generally affect the recorded time of collected events.

Local live events-per-second figures will therefore remain accurate across the leap-second boundary on the Snare Server, but will stutter around midnight local time, when the server clock is synchronised with the NTP master defined in the Snare Server configuration wizard, and return to normal one second later.

When analysing event data using the Snare Server reporting interface, expect approximately double the normal events-per-second total for the one second of local time that corresponds to 00:00:00 UTC on 1 Jan 2017.
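The following Python script is a worked example added to this page; it is not part of the original advisory and not Snare's own code. It illustrates both the agent-side doubling described above and the server-side fallback: constructed sample log lines (an invented tab-separated "timestamp, message" format, not Snare's real event format) are bucketed by the timestamp each event carries, events whose stamp is missing or corrupt fall back to the receive time as the Snare Server collection subsystem does, and a simple events-per-second threshold then exempts the repeated leap second so the expected doubling is not raised as an anomaly. The source host is assumed to step its clock back (so 23:59:59 appears twice) rather than smear the leap second; SAMPLE_LINES, RECEIVE_TIME, LEAP_SECOND and the function names are all assumptions of this example.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample lines: "<UTC timestamp>\t<message>" (an invented format, not Snare's).
# The source host runs at a steady 2 events per real second. It steps its clock back at
# the leap second instead of smearing, so events from the true 23:59:60 are stamped
# 23:59:59 a second time.
SAMPLE_LINES = [
    "2016-12-31T23:59:58Z\tlogon user=alice",
    "2016-12-31T23:59:58Z\tlogoff user=bob",
    "2016-12-31T23:59:59Z\tlogon user=carol",
    "2016-12-31T23:59:59Z\tlogoff user=dave",
    "2016-12-31T23:59:59Z\tlogon user=erin",     # real 23:59:60, restamped by the host
    "2016-12-31T23:59:59Z\tlogoff user=frank",   # real 23:59:60, restamped by the host
    "2017-01-01T00:00:00Z\tlogon user=grace",
    "2017-01-01T00:00:00Z\tlogoff user=heidi",
    "\tevent carrying no timestamp",             # exercises the fallback path
    "31/12/16 garbage\tcorrupted timestamp",     # exercises the fallback path
]

# The one second that two real seconds collapse into on the stepping host.
LEAP_SECOND = datetime(2016, 12, 31, 23, 59, 59, tzinfo=timezone.utc)

# Assumed server clock when the batch is processed; used only for the fallback path.
RECEIVE_TIME = datetime(2017, 1, 1, 0, 0, 5, tzinfo=timezone.utc)


def parse_event_time(line, receive_time):
    """Return the timestamp the event carries, or receive_time if it is absent or corrupt."""
    stamp, _, _ = line.partition("\t")
    try:
        return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return receive_time


def events_per_second(lines, receive_time):
    """Count events per one-second bucket, keyed by the time each event carries."""
    counts = Counter()
    for line in lines:
        counts[parse_event_time(line, receive_time).replace(microsecond=0)] += 1
    return counts


def eps_anomalies(counts, baseline, factor=1.5, exempt=frozenset({LEAP_SECOND})):
    """Seconds whose count exceeds factor * baseline, ignoring exempt buckets.

    The leap second is exempt because two real seconds share one stamp there, so a
    count of about 2 * baseline is expected rather than anomalous.
    """
    return sorted(t for t, n in counts.items()
                  if n > factor * baseline and t not in exempt)


if __name__ == "__main__":
    counts = events_per_second(SAMPLE_LINES, RECEIVE_TIME)
    for second in sorted(counts):
        print(second.isoformat(), counts[second])
    print("anomalies (naive):", eps_anomalies(counts, baseline=2, exempt=frozenset()))
    print("anomalies (leap-aware):", eps_anomalies(counts, baseline=2))
```

Running the script shows the 23:59:59 bucket holding four events against a baseline of two, which the naive threshold reports and the leap-aware threshold ignores; the two stampless events land in the receive-time bucket, which is the only bucket that would be affected if the receiving server's own clock were a second out, as the Snare Server's may be until its daily synchronisation run.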