Snort mailing list archives
ACID portscan log parsing (0.9.6b21)
From: Robby <rdesmond () els ucsb edu>
Date: Tue, 06 Aug 2002 17:47:42 -0700
Dunno if this is improved already in another version of ACID, but since I'm no PHP whiz, I gotta ask:
why does the ereg function in the portscan.log parsing section of ACID (acid_stat_ipaddr.php -> PrintPortscanEvents($db,$ip) ) match not only xxx.xxx.xxx.10 but also xxx.xxx.xxx.10x (initial 3 dot triplets are the same, but final is similar, but is 100 or 101 etc.) when I ask for the portscan events on xxx.xxx.xxx.10/32?
It makes for excessively long tables when requesting portscan events. Am I asking the wrong people?

-Robby

Robert Desmond
Systems Administrator
UCSB Extended Learning Services
805-893-4906
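As an added illustration (not ACID's code): the loose search below only approximates the unanchored, unescaped ereg behaviour Robby describes, the portscan.log line layout is assumed to be the Snort 1.x "timestamp src:port -> dst:port flags" form, and every address is constructed. It shows how a substring match over-matches .100/.101 and two ways of making the lookup exact.

```python
import re
from typing import List

# Constructed Snort 1.x style portscan.log sample (fabricated addresses).
PORTSCAN_LOG = """\
Aug  6 17:40:01 192.168.1.10:1234 -> 10.0.0.5:80 SYN ******S*
Aug  6 17:40:02 192.168.1.100:1235 -> 10.0.0.5:22 SYN ******S*
Aug  6 17:40:03 192.168.1.101:1236 -> 10.0.0.50:443 SYN ******S*
Aug  6 17:40:04 192.168.1.10:1237 -> 10.0.0.6:25 SYN ******S*
Aug  6 17:40:05 10.0.0.5:1238 -> 192.168.1.10:25 SYN ******S*
"""

# Assumed line layout: "Mon dd hh:mm:ss src:sport -> dst:dport rest".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) (?P<rest>.*)$"
)


def loose_matches(ip: str, log: str = PORTSCAN_LOG) -> List[str]:
    """Unanchored, unescaped search: the over-matching the post complains about.
    '.' matches any character and nothing bounds the last octet, so a search
    for 192.168.1.10 also hits 192.168.1.100 and 192.168.1.101."""
    return [line for line in log.splitlines() if re.search(ip, line)]


def strict_matches(ip: str, log: str = PORTSCAN_LOG, field: str = "src") -> List[str]:
    """Parse each line into fields and compare the chosen address exactly."""
    hits = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(field) == ip:
            hits.append(line)
    return hits


def bounded_pattern(ip: str) -> "re.Pattern[str]":
    """If a regex must be kept: escape the dots and refuse a digit or dot on
    either side, so the address cannot extend into a longer octet."""
    return re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")


def bounded_matches(ip: str, log: str = PORTSCAN_LOG) -> List[str]:
    """Bounded regex search: matches the address in either column, exactly."""
    pat = bounded_pattern(ip)
    return [line for line in log.splitlines() if pat.search(line)]
```

`strict_matches` answers the "events from this source" question the way a /32 lookup should; `bounded_matches` is the smaller change if the existing regex-based query has to stay.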