Snort mailing list archives

Portscan shows 100% traffic in ACID's main window


From: Ruiyuan Jiang <Ruiyuan_Jiang () liz com>
Date: Tue, 13 Jan 2004 10:39:01 -0500

Hi, all

I currently run snort 2.0.5, ACID and mysql with the portscan log enabled
on Solaris 9, and they are all installed on the same box. Through a cron job, I
back up the mysql database on the nights of Monday, Wednesday and Friday. I also
rotate the portscan log every night by stopping and starting snort.

If the box is fresh, such as after a reboot, I can see everything in "Traffic
Profile by Protocol": TCP, UDP, ICMP and Portscan Traffic, each with its own
percentage of the total traffic that snort logged.

After several days or a week of Solaris staying up without a reboot, during which
the box goes through the mysql database backup and the portscan log rotation
(otherwise the portscan log gets huge), I can only see portscan traffic (100%) in
the "Traffic Profile by Protocol" on the main page of ACID. The TCP, UDP and
ICMP traffic are all at 0%, as if they never happened. I stopped and started snort
and checked the mysql database, which has new records logged after the backup,
but that did not help. The only way I have found to fix the problem is to reboot
Solaris; then I can see TCP, UDP, ICMP and Portscan Traffic again in the "Traffic
Profile by Protocol" on the main page of ACID.

Does anyone know why? Thanks in advance.

Ryan Jiang
