Snort mailing list archives
RE: ACID Portscan Traffic (0%)
From: "Pacheco, Michael F." <MPacheco () elcom com>
Date: Wed, 11 Dec 2002 16:00:15 -0500
scan.log? That sounds like you're using Snort 1.9x. If you are, that means you could be using the portscan2 preprocessor. ACID does not understand the portscan2 output yet; it only understands how to display portscan1 (portscan) preprocessor output. The PHP display code for ACID has to be rewritten (as of ACID 0.9.6b22) to accommodate the new portscan2 output format.

In snort.conf, just change your portscan preprocessor line to the old "portscan" line from the Snort 1.8 branch. 1.9 is backwards compatible and will work and output to ACID in the format ACID needs to display, i.e.:

# Portscan2
#-------------------------------------------
# Portscan 2, detect portscans in a new and exciting way.
#
# Available options:
#       scanners_max [num]
#       targets_max [num]
#       target_limit [num]
#       port_limit [num]
#       timeout [num]
#       log [logdir]
#preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 10, port_limit 20, timeout 60

preprocessor portscan: $HOME_NET 4 3 portscan.log

The other thing is to make sure you are outputting to alert, not log.

That's my two cents.

--- Mike

P.S. - Anybody have an idea when ACID will be rewritten for Portscan2?

-----Original Message-----
From: Luo, Philip [mailto:Philip_Luo () adp com]
Sent: Wednesday, December 11, 2002 3:23 PM
To: Snort Users (E-mail)
Subject: RE: [Snort-users] ACID Portscan Traffic (0%)

I am having the same problem. I did check the acid_conf.php file, it looks ok, and my scan.log is getting bigger, which ACID cannot show.

-----Original Message-----
From: Hicks, John [mailto:JHicks () JUSTICE GC CA]
Sent: Wednesday, December 11, 2002 11:13 AM
To: 'Gary Borgeson'; Snort Users (E-mail)
Subject: RE: [Snort-users] ACID Portscan Traffic (0%)
From the config doc (http://www.andrew.cmu.edu/~rdanyliw/snort/acid_config.html):

[OPTIONAL for Snort portscan pre-processor support]
$portscan_file : full path to a Snort portscan log file

set this in acid.conf.

hth,
John Hicks

-----Original Message-----
From: Gary Borgeson [mailto:gborgeson () aecc com]
Sent: Wednesday, December 11, 2002 10:22 AM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] ACID Portscan Traffic (0%)

On the ACID main page we have Traffic Profile by Protocol including Portscan Traffic. This % has stayed at 0 since day one. Even when I launch my own scan it stays at 0%. There is plenty of stuff in portscan.log. How should I interpret this?

Thanks,
G

-------------------------------------------------------
This sf.net email is sponsored by: With Great Power, Comes Great Responsibility
Learn to use your power at OSDN's High Performance Computing Channel
http://hpc.devchannel.org/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
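Added example, not code from this thread or from the Snort or ACID projects: a small Python model of what the "preprocessor portscan: $HOME_NET 4 3 portscan.log" line in Mike's reply does, run over constructed connection records, together with a check that a snort.conf fragment has the old portscan line active rather than portscan2 (the case ACID 0.9.6b22 cannot display). It assumes that the two numbers mean "4 distinct target ports within 3 seconds", as the Snort 1.x documentation describes the portscan preprocessor; the $HOME_NET filter and the stealth-scan (SYN/FIN/NULL) detection of the real preprocessor are not modelled, and the sample records and timestamps are constructed, not captured traffic.

```python
import re
from collections import defaultdict, deque

# Regexes for the two preprocessor lines discussed in the thread.
PORTSCAN_RE = re.compile(
    r"^\s*preprocessor\s+portscan\s*:\s*(\S+)\s+(\d+)\s+(\d+)\s+(\S+)")
PORTSCAN2_RE = re.compile(r"^\s*preprocessor\s+portscan2\s*:")


def check_snort_conf(text):
    """Classify the portscan configuration in a snort.conf body.

    Returns ("portscan", ports, seconds, logfile) when the old portscan line
    (the one ACID 0.9.6b22 can display) is active, ("portscan2",) when only
    the newer portscan2 line is active, or None when neither is configured.
    Commented-out lines such as "#preprocessor portscan2: ..." are ignored.
    """
    found = None
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = PORTSCAN_RE.match(line)
        if m:
            return ("portscan", int(m.group(2)), int(m.group(3)), m.group(4))
        if PORTSCAN2_RE.match(line):
            found = ("portscan2",)
    return found


def detect_portscans(records, ports, seconds):
    """Simplified model of the portscan preprocessor threshold (assumption:
    "<ports> <seconds>" means N distinct target ports within T seconds).

    records: iterable of (timestamp, src, dst, dport).  Returns a list of
    (src, timestamp) alerts.  After an alert the source's window is reset so
    one burst produces one alert rather than one per following packet.
    The $HOME_NET filter of the real preprocessor is not modelled.
    """
    window = defaultdict(deque)  # src -> deque of (ts, (dst, dport))
    alerts = []
    for ts, src, dst, dport in sorted(records):
        q = window[src]
        q.append((ts, (dst, dport)))
        # Drop entries older than the detection period.
        while q and ts - q[0][0] > seconds:
            q.popleft()
        if len({target for _, target in q}) >= ports:
            alerts.append((src, ts))
            q.clear()
    return alerts


# Constructed sample data (not captured traffic): one fast scan, one normal
# client talking to two ports, and one slow scan at one port every 4 seconds.
SAMPLE_RECORDS = [
    (0.0, "192.0.2.10", "198.51.100.5", 21),
    (0.5, "192.0.2.10", "198.51.100.5", 22),
    (1.0, "192.0.2.10", "198.51.100.5", 23),
    (1.5, "192.0.2.10", "198.51.100.5", 25),    # 4th port within 3 s
    (10.0, "192.0.2.20", "198.51.100.5", 80),
    (10.2, "192.0.2.20", "198.51.100.5", 80),
    (10.4, "192.0.2.20", "198.51.100.5", 443),
    (10.6, "192.0.2.20", "198.51.100.5", 80),
    (20.0, "192.0.2.30", "198.51.100.5", 21),
    (24.0, "192.0.2.30", "198.51.100.5", 22),
    (28.0, "192.0.2.30", "198.51.100.5", 23),
    (32.0, "192.0.2.30", "198.51.100.5", 25),
]

# The configuration fragment from the thread: portscan2 commented out,
# the old portscan line active.
SAMPLE_CONF = """\
#preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 10, port_limit 20, timeout 60
preprocessor portscan: $HOME_NET 4 3 portscan.log
"""


def main():
    cfg = check_snort_conf(SAMPLE_CONF)
    print("snort.conf portscan setting:", cfg)
    if cfg and cfg[0] == "portscan":
        for src, ts in detect_portscans(SAMPLE_RECORDS, cfg[1], cfg[2]):
            print(f"portscan alert: {src} at t={ts:.1f}s")


if __name__ == "__main__":
    main()
```

With the thread's "4 3" setting only the fast scanner trips the threshold; the slow source touching one port every 4 seconds never has four distinct ports inside a 3-second window, which is the kind of scan the short detection period of the old preprocessor does not catch. Loosening the period (for example 4 ports in 15 seconds) catches it in this sample, so the setting is a trade-off to weigh when falling back to the portscan line for ACID compatibility.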
Current thread:
- ACID Portscan Traffic (0%) Gary Borgeson (Dec 11)
- <Possible follow-ups>
- RE: ACID Portscan Traffic (0%) Slighter, Tim (Dec 11)
- RE: ACID Portscan Traffic (0%) Hicks, John (Dec 11)
- RE: ACID Portscan Traffic (0%) Luo, Philip (Dec 11)
- RE: ACID Portscan Traffic (0%) Robby Desmond (Dec 17)
- RE: ACID Portscan Traffic (0%) Pacheco, Michael F. (Dec 11)
- RE: ACID Portscan Traffic (0%) Chris Eidem (Dec 11)
- RE: ACID Portscan Traffic (0%) Slighter, Tim (Dec 12)
- RE: ACID Portscan Traffic (0%) Morgan, Joel (Macon State College) (Dec 17)
- RES: ACID Portscan Traffic (0%) Coelho (Dec 17)