Re: ACID default sort order

["Vadim Pushkin" <wiskbroom () hotmail com>]

oldest first, click on the ">" next to timestamp
to reorder by most recent first.

Vadim


> From: John Sage <jsage () finchhaven com>
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] ACID default sort order
> Date: Tue, 7 May 2002 11:55:16 -0700
>
> I tried asking this a week ago and got no response, so, being a
> glutton for punishment I'll ask again:
>
> What is the default sort order for ACID when displaying the very
> fundamental query: "Last 24 hours" "alerts" "listing"?
>
> In other words, show me all alerts for the last 24 hours.
>
> The sort order returned is not obvious, or rather there doesn't seem
> to be any:
>
>
> To: blahblahblah () foobar com
> Subject: ACID Incident Report
> From: ACID Alert <acid () foobar com>
>
> Generated by ACID v0.9.6b21 on Tue May 07, 2002 10:47:09
>
> #109-2| [2002-05-07 09:28:28] 12.243.218.140 -> 12.82.128.54  ICMP echo 
> request
>
> This (above) is out of order by time and by sensor-id
>
> #109-8| [2002-05-07 10:19:41] 12.165.7.15:137 -> 12.82.128.54:137  UDP to 
> 137 netBIOS ns
> #109-7| [2002-05-07 10:19:41] 12.165.7.15:137 -> 12.82.128.54:137  UDP to 
> 137 netBIOS ns
> #109-6| [2002-05-07 10:19:39] 12.165.7.15:137 -> 12.82.128.54:137  UDP to 
> 137 netBIOS ns
> #109-5| [2002-05-07 10:19:10] 12.165.7.15:137 -> 12.82.128.54:137  UDP to 
> 137 netBIOS ns
> #109-4| [2002-05-07 10:19:07] 12.165.7.15:137 -> 12.82.128.54:137  UDP to 
> 137 netBIOS ns
> #109-3| [2002-05-07 10:19:04] 12.165.7.15:137 -> 12.82.128.54:137  UDP to 
> 137 netBIOS ns
> #109-1| [2002-05-07 09:11:33] 12.82.128.120:1065 -> 12.82.128.54:137  UDP 
> to 137 netBIOS ns
>
> #108-14| [2002-05-07 07:26:15] 199.84.183.4:137 -> 12.82.129.79:137  UDP to 
> 137 netBIOS ns
> #108-13| [2002-05-07 07:26:14] 199.84.183.4:137 -> 12.82.129.79:137  UDP to 
> 137 netBIOS ns
> #108-12| [2002-05-07 07:26:12] 199.84.183.4:137 -> 12.82.129.79:137  UDP to 
> 137 netBIOS ns
>
> The above alerts are out-of-order relative to those above..
>
> #108-7| [2002-05-07 04:19:09] 12.82.129.235:1028 -> 12.82.129.79:137  UDP 
> to 137 netBIOS ns
> #108-6| [2002-05-07 04:07:07] 12.165.7.15:137 -> 12.82.129.79:137  UDP to 
> 137 netBIOS ns
> #108-5| [2002-05-07 04:07:06] 12.165.7.15:137 -> 12.82.129.79:137  UDP to 
> 137 netBIOS ns
> #108-4| [2002-05-07 04:07:04] 12.165.7.15:137 -> 12.82.129.79:137  UDP to 
> 137 netBIOS ns
> #108-3| [2002-05-07 04:06:43] 12.165.7.15:137 -> 12.82.129.79:137  UDP to 
> 137 netBIOS ns
> #108-2| [2002-05-07 04:06:42] 12.165.7.15:137 -> 12.82.129.79:137  UDP to 
> 137 netBIOS ns
> #108-1| [2002-05-07 04:06:40] 12.165.7.15:137 -> 12.82.129.79:137  UDP to 
> 137 netBIOS ns
>
> #108-11| [2002-05-07 05:26:55] 65.117.191.10:55742 -> 12.82.129.79:111  TCP 
> to 111 sunrpc
> #108-10| [2002-05-07 05:26:52] 65.117.191.10:55742 -> 12.82.129.79:111  TCP 
> to 111 sunrpc
>
> The above alerts are out-of-order..
>
> #108-9| [2002-05-07 04:55:18] 148.235.14.185:32263 -> 12.82.129.79:80  TCP 
> to 80 http
> #108-8| [2002-05-07 04:55:12] 148.235.14.185:32263 -> 12.82.129.79:80  TCP 
> to 80 http
>
> The above alerts are out-of-order..
>
> #107-3| [2002-05-06 22:07:37] 217.136.191.9 -> 12.82.131.37  ICMP echo 
> request
>
> #107-4| [2002-05-06 22:51:34] 131.183.60.105:4659 -> 12.82.131.37:1433  TCP 
> to 1433 MS MySQL server
>
> blah blah blah...
>
> #107-2| [2002-05-06 16:44:24] 12.245.236.184:4630 -> 12.82.131.37:80  TCP 
> to 80 http
> #107-1| [2002-05-06 16:44:21] 12.245.236.184:4630 -> 12.82.131.37:80  TCP 
> to 80 http
>
> #106-1| [2002-05-06 11:29:25] 12.82.131.207:1238 -> 12.82.131.64:137  UDP 
> to 137 netBIOS ns
> #106-2| [2002-05-06 12:42:44] 166.114.114.2:3937 -> 12.82.131.64:53  TCP to 
> 53 domain
>
> and blah blah blah..
>
>
>
> Is the sensor-id pair not a primary key, or in fact any key whatsoever?
>
> Is the date-time not a primary key, or in fact any key whatsoever?
>
> Again, at the risk of repetition, what should be the primary sort
> order for this very fundamental query?
>
>
> - John
> --
> In those days, you could not buy a $2000 200MHz Pentium server.
>
> PGP key      http://www.finchhaven.com/pages/gpg_pubkey.html
> Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
>
> _______________________________________________________________
>
> Have big pipes? SourceForge.net is looking for download mirrors. We supply
> the hardware. You get the recognition. Email Us: bandwidth () sourceforge net
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


_________________________________________________________________
MSN Photos is the easiest way to share and print your photos: 
http://photos.msn.com/support/worldwide.aspx


_______________________________________________________________

Have big pipes? SourceForge.net is looking for download mirrors. We supply
the hardware. You get the recognition. Email Us: bandwidth () sourceforge net
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users