Snort mailing list archives
RE: Port scans not showing up in ACID.
From: "John Creegan" <jcreegan () questarweb com>
Date: Thu, 05 Feb 2004 12:33:11 -0600
Mine does, but not until the percentage of portscan traffic reaches at least 1 percent of total traffic (see the function PrintProtocolProfileGraphs in the acid_common.php page.) Also, I'm using the newer portscan2 preprocessor. It appears you're using the original portscan preprocessor.
"Michael Steele" <michaels () winsnort com> 02/05/04 11:53AM >>>
John,

Thanks for offering to look at this. We have just updated to 2.1.0. In ACID, if I view the entire list of alerts, I can see the portscans.

----------\
spp_portscan: portscan status from 69.56.144.70: 7 connections across 1 hosts: TCP(7), UDP(0)
----------/

Shouldn't this alert show up in the "Portscan Traffic (%)" group on the home page of ACID? I updated from 2.0.6 to 2.1.0 and added my 2.0.6 portscan line back into the snort.conf, but Snort fails to show the portscans in the "Portscan Traffic (%)" group on the ACID homepage.

preprocessor portscan: $HOME_NET 4 3 \IDS\Snort\log\portscan.log

The log is being created and populated. I think this is the same situation as the rest are reporting. I realize that the developers left the "preprocessor portscan:" variable out of the snort.conf config file but left in the code that still deals with it. Is there a way to set the new preprocessor for portscans that will allow the alerts to show up in ACID and do away with the old "preprocessor portscan:" line in the snort.conf?

Kindest regards,
The WINSNORT.com Management Team
--
Pick up your FREE Windows or UNIX Snort installation guides
mailto:support () winsnort com
Website: http://www.winsnort.com
Snort: Open Source Network IDS - http://www.snort.org
-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of John Creegan
Sent: Thursday, February 05, 2004 6:08 AM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Port scans not showing up in ACID.

It's not ACID. I'm seeing them here. I'd be happy to go over the differences in our configurations if you like.

"Michael Steele" <michaels () winsnort com> 02/04/04 06:59PM >>>
I believe it to be a problem with ACID. I wish it was being actively developed. It seems the programmer has been absent for some time, but I think he is still around, just busy doing other projects. It's free, so we can't expect too much :) Maybe someone else could patch it?

Kindest regards,
The WINSNORT.com Management Team

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Peters, Michael D.
Sent: Wednesday, February 04, 2004 7:19 AM
To: Snort-Users@Lists.Sourceforge.Net (E-mail)
Subject: [Snort-users] Port scans not showing up in ACID.

I have portscan traffic identified in my logs but I don't have it registered in the ACID %meter on the home page. I'm working with the current snort 2.1.0 snapshot. Is there some threshold parameter of some configuration that will help display this portscan activity?

Best regards,
Michael D. Peters

-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited.
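An added example to go with the thread above (it is not code from the thread, from ACID or from Snort): it parses the spp_portscan status line Michael quoted, counts how many of a batch of alert signatures are portscans, and applies the "must reach 1 percent of total traffic" floor that John describes for ACID's "Portscan Traffic (%)" meter. The alert lists are constructed, the non-portscan signatures are only typical Snort 2.x rule messages, and the assumption that the meter truncates to a whole percent (so 0.66% reads as 0) is taken from the thread, not checked against acid_common.php.

```python
# Added example, not from the thread and not ACID's or Snort's own code.
# Parses Snort 2.x spp_portscan alert text and works out what share of all
# alerts the portscans make up, then applies the whole-percent floor that
# John describes for ACID's "Portscan Traffic (%)" meter. Sample alert lists
# are constructed; the "must reach 1 percent" rule is an assumption taken
# from the thread rather than verified against acid_common.php.
import re
from typing import Dict, List, Optional

# Message format of the original (spp_portscan) preprocessor, as quoted in
# the thread: "portscan status from <ip>: <n> connections across <m> hosts:
# TCP(<t>), UDP(<u>)". Snort prints "1 hosts", so the plural is optional.
PORTSCAN_RE = re.compile(
    r"spp_portscan: portscan status from (?P<src>\d{1,3}(?:\.\d{1,3}){3}): "
    r"(?P<conns>\d+) connections across (?P<hosts>\d+) hosts?: "
    r"TCP\((?P<tcp>\d+)\), UDP\((?P<udp>\d+)\)"
)


def parse_portscan(signature: str) -> Optional[Dict[str, object]]:
    """Return the fields of an spp_portscan status alert, or None for any
    other alert signature."""
    m = PORTSCAN_RE.search(signature)
    if m is None:
        return None
    return {
        "src": m["src"],
        "connections": int(m["conns"]),
        "hosts": int(m["hosts"]),
        "tcp": int(m["tcp"]),
        "udp": int(m["udp"]),
    }


def portscan_share(signatures: List[str]) -> float:
    """Exact percentage of the alerts that are spp_portscan status alerts."""
    if not signatures:
        return 0.0
    scans = sum(1 for s in signatures if parse_portscan(s) is not None)
    return 100.0 * scans / len(signatures)


def meter_percent(signatures: List[str]) -> int:
    """Whole-percent value as a truncating meter would show it (assumption:
    ACID floors to an integer, so any share below 1% reads as 0)."""
    return int(portscan_share(signatures))


def meter_shows_portscans(signatures: List[str], threshold: int = 1) -> bool:
    """True once the floored share reaches the display threshold."""
    return meter_percent(signatures) >= threshold


# Constructed sample data. The portscan line is the one Michael quoted;
# the other signatures are typical Snort 2.x rule messages, not real traffic.
SCAN_ALERT = ("spp_portscan: portscan status from 69.56.144.70: "
              "7 connections across 1 hosts: TCP(7), UDP(0)")
OTHER_ALERTS = ["ICMP PING NMAP", "WEB-IIS cmd.exe access",
                "SNMP public access udp"]

# 2 portscan alerts among 302: 0.66%, which a truncating meter shows as 0%.
QUIET_DAY = [SCAN_ALERT] * 2 + OTHER_ALERTS * 100
# 5 portscan alerts among 100: exactly 5%, which the meter shows.
BUSY_DAY = [SCAN_ALERT] * 5 + OTHER_ALERTS * 5 + ["ICMP PING NMAP"] * 80

if __name__ == "__main__":
    for name, day in (("quiet", QUIET_DAY), ("busy", BUSY_DAY)):
        print(f"{name}: share={portscan_share(day):.2f}% "
              f"meter={meter_percent(day)}% "
              f"shown={meter_shows_portscans(day)}")
```

Running it prints the quiet day as 0.66% share but a 0% meter reading, and the busy day as 5% on both: the same effect Michael is seeing, where the portscan alerts are in the alert list but the home-page meter stays at zero.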
Current thread:
- Port scans not showing up in ACID. Peters, Michael D. (Feb 04)
- RE: Port scans not showing up in ACID. Michael Steele (Feb 04)
- <Possible follow-ups>
- RE: Port scans not showing up in ACID. John Creegan (Feb 05)
- RE: Port scans not showing up in ACID. John Creegan (Feb 05)
- RE: Port scans not showing up in ACID. Michael Steele (Feb 05)
- RE: Port scans not showing up in ACID. John Creegan (Feb 05)
- RE: Port scans not showing up in ACID. John Creegan (Feb 05)