Snort mailing list archives

Re: ACID 0.9.6b14 questions


From: roman () danyliw com
Date: Mon, 17 Sep 2001 10:19:17 US/Eastern

On Mon, 17 Sep 2001, Poppi, Sandro wrote:

I'm having some probs regarding acid 0.9.6b14 in conjunction with snort
1.8.1 on a RedHat 7.0 box with mysql 3.23.32:

1. Using any of the new Snapshot entries

      Last Source Ports: any , TCP , UDP
      Last Destination Ports: any , TCP , UDP

results in

      Database ERROR:You have an error in your SQL syntax near '' at line 1

All other functions I tested work (nearly) as expected (see 2.)
  
Update to the newly released v0.9.6b15.

(Download from the mirror:
http://www.andrew.cmu.edu/~rdanyliw/snort/snortacid.html,
since I am having issues connecting to sourceforge)
  
2. The search form and querying only for an ip address does not work for
portscan alerts. If the given ip address is only logged for portscan alerts
it can't be queried, if there are other alarms for the ip address they will
be shown.
  
Your observation is correct.  Portscan alerts cannot be queried by an IP
criterion.  These types of alerts can only be identified through a criterion
of signature, time, classification, alert group, or sensor.  This
limitation is due to the current design of the portscan
pre-processor.  The database does not actually store any information about
the occurrence of a portscan, other than the fact that it occurred; data
such as the source IP address and the target ports are never stored.
Hence, the IP address cannot be used as a search criterion for these
alerts since it is never stored in the database.  ACID appears to display
a source IP address for portscan alerts, but this is merely text mangling of the
signature name (i.e. this is not information taken from the database).

Roman
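The limitation Roman describes, as an added example (not ACID's or Snort's own code). It assumes a simplified version of the Snort database layout (an event row per alert, an iphdr row only for alerts that carry packet headers) and a constructed portscan message text; the point is that an IP criterion joins through iphdr and so can never reach a portscan event, while a signature-name search can.

```python
import sqlite3

# Assumption: a cut-down imitation of the Snort DB schema, not the real one.
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT);
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src TEXT, ip_dst TEXT);
"""

# Constructed sample alerts: (cid, sig_name, ip_src, ip_dst).
# ip_src None means the output plugin wrote no iphdr row for that alert.
# The portscan wording is an assumption; only its shape matters here.
SAMPLE = [
    (1, "WEB-MISC /etc/passwd", "10.0.0.5", "192.168.1.10"),
    (2, "spp_portscan: PORTSCAN DETECTED from 10.0.0.5", None, None),
    (3, "spp_portscan: PORTSCAN DETECTED from 10.0.0.7", None, None),
]

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for cid, name, src, dst in SAMPLE:
        cur = db.execute("INSERT INTO signature (sig_name) VALUES (?)", (name,))
        db.execute("INSERT INTO event VALUES (1, ?, ?, '2001-09-17 10:00:00')",
                   (cid, cur.lastrowid))
        if src is not None:  # portscan events have no packet headers to store
            db.execute("INSERT INTO iphdr VALUES (1, ?, ?, ?)", (cid, src, dst))
    return db

def alerts_by_src_ip(db, ip):
    """IP criterion: joins through iphdr, so header-less events never match."""
    rows = db.execute(
        "SELECT e.cid FROM event e JOIN iphdr i ON e.sid=i.sid AND e.cid=i.cid "
        "WHERE i.ip_src = ? ORDER BY e.cid", (ip,)).fetchall()
    return [r[0] for r in rows]

def alerts_by_signature_text(db, needle):
    """Signature criterion: the only path that reaches portscan events."""
    rows = db.execute(
        "SELECT e.cid FROM event e JOIN signature s ON e.signature=s.sig_id "
        "WHERE s.sig_name LIKE ? ORDER BY e.cid", ("%" + needle + "%",)).fetchall()
    return [r[0] for r in rows]

def displayed_src_ip(sig_name):
    """What the console shows: an address scraped out of the signature text,
    which is why it looks like a source IP but is not a searchable column."""
    marker = " from "
    if marker not in sig_name:
        return None
    return sig_name.split(marker, 1)[1].split()[0]
```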

