Snort mailing list archives
acid v0.9.5 addon.
From: Blake Frantz <blake () mc net>
Date: Thu, 28 Jun 2001 15:26:02 -0500 (CDT)
Hello,

When the snort portscan preprocessor triggers it creates a log called 'portscan.log'. The contents of this log, which are the scanned hosts, are ignored by ACID. I made the following changes to enable the user to view this data.

At line 980 in acid_pkt_sqlcalls.php I made the following changes:

<original>
    else
        echo ' <A HREF="acid_app_faq.php#1">unknown</A>';
</original>

<changed>
    else {
        // portscan alert: pull the scanning host out of the alert message
        if( ereg("spp_portscan:.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)", $myrow[2], $store)) {
            echo '<a href="acid_show_ps.php?ip='.$store[1].'">'.$store[1].'</a> ';
        } else {
            echo ' <A HREF="acid_app_faq.php#1">unknown</A>';
        }
    }
</changed>

If the alert is a portscan, it searches for the IP and places it in the 'Source Address' column.

I then created the file acid_show_ps.php which can be downloaded from:
http://www.packethack.com/snort/acid_show_ps.php

An example of the output can be seen at:
http://www.packethack.com/snort/output_example.html

acid_show_ps.php takes the contents of 'portscan.log' and puts it in table format. You can also download the source from:
http://www.packethack.com/snort/acid_show_ps.php

I threw it together rather quickly so any improvements are welcome.

Blake Frantz
=================================================================
The Government, like diapers, should be replaced regularly, and often for the same reasons.
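The same source-address extraction the patch above performs, written here as an added Python example (not part of Blake's post or of ACID) so the behaviour of the regex can be checked outside PHP. It adds one thing the patch does not: before the extracted address is placed in the acid_show_ps.php?ip= link it is re-validated as a real dotted quad and HTML-escaped, which is also the check the receiving script should apply to its ip parameter. The alert messages are constructed samples in the spp_portscan message style; valid_ipv4 and source_cell are hypothetical helper names.

```python
import html
import re
from ipaddress import AddressValueError, IPv4Address

# Same pattern the patch passes to ereg(): any run of four dotted numbers
# following "spp_portscan:" in the alert's signature text.
PORTSCAN_RE = re.compile(r"spp_portscan:.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)")


def portscan_source(sig_name):
    """Return the scanning host named in an spp_portscan alert, or None
    for any other alert (the patch's 'unknown' case)."""
    m = PORTSCAN_RE.search(sig_name)
    return m.group(1) if m else None


def valid_ipv4(text):
    """Strict dotted-quad check (each octet 0-255, no leading zeros).
    Hypothetical helper; the patch trusts the regex match as-is."""
    try:
        return str(IPv4Address(text)) == text
    except AddressValueError:
        return False


def source_cell(sig_name):
    """HTML for ACID's 'Source Address' column: a link to acid_show_ps.php
    for portscan alerts, the FAQ 'unknown' link otherwise."""
    ip = portscan_source(sig_name)
    if ip and valid_ipv4(ip):
        safe = html.escape(ip, quote=True)
        return '<a href="acid_show_ps.php?ip=%s">%s</a>' % (safe, safe)
    return '<A HREF="acid_app_faq.php#1">unknown</A>'


if __name__ == "__main__":
    # Constructed sample alert messages, not captured output.
    samples = [
        "spp_portscan: PORTSCAN DETECTED from 192.168.1.5 "
        "(THRESHOLD 4 connections exceeded in 0 seconds)",
        "spp_portscan: portscan status from 10.0.0.7: 4 connections "
        "across 1 hosts: TCP(4), UDP(0)",
        "WEB-MISC /etc/passwd",
    ]
    for s in samples:
        print(source_cell(s))
```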