Snort mailing list archives

Update: snort/ACID portscan display


From: Kate Hagen <katehagenuk () yahoo co uk>
Date: Fri, 8 Feb 2002 18:25:36 +0000 (GMT)

I see nobody has answered the question, although it
has been mocked.

Well, I'm going to forge ahead, braving further
humiliation, in search of an answer -- 

I forgot to mention that I did add the path to the
portscan log in the acid_php.conf file.  I do see a
tally of portscans when I click on "portscan events"
in ACID.  

But, when I view "Most recent alerts" (for example),
and have a result of (for example):

 spp_portscan: End of portscan from 192.168.30.95: TOTAL time(6s) hosts(15) TCP(0) UDP(30)
 2002-02-08

-- I can't click on the IP address and get a list of
events related to that IP address, as I can with
different types of activity.  Nor does 192.168.30.95
show up in the "source" or "destination" IP address
list linked to from the "front" page of ACID.

There is no mention of this issue in any documentation
that I have found (ACID, Snort, or otherwise) except
what I discuss below, which seems to be outdated
information.

In hopes of a useful reply,
K Hagen



I am running snort 1.8.3 on Mandrake 8.1 with ACID
v0.9.6b19 and MySQL 3.23.41.

Portscans appear in the ACID display, but when I click
on the IP address, no list of portscans associated
with that IP address appears.

I read a newsgroup post dated several months back that
ACID does not log portscans properly and that the
portscan is not actually coming from the IP address it
appears to be coming from (according to the ACID
display).  However, when I read the Snort portscan.log
itself, the portscans actually do appear to be coming
from the IP addresses that ACID claims they are coming
from.  From what little knowledge I have of PHP, it
appears that ACID is actually logging the source IP
correctly.  But why can I not display a list of all
portscans by source IP?

I have looked all over for more information about this
and haven't found anything (RTFM, google, snort.org).
I have been reading this list for a while and haven't
seen it mentioned, although it is quite possible I
missed it.

Thanks for your time.


__________________________________________________
Do You Yahoo!?
Everything you'll ever need on one web page
from News and Sport to Email and Music Charts
http://uk.my.yahoo.com
 


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
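The per-source view the poster cannot get from ACID can be produced directly from the preprocessor's own alert lines. The following is an added example, not code from the thread, Snort or ACID: it parses the `spp_portscan: End of portscan` summary format quoted above and groups the results by scanning source IP. The sample log lines are constructed, and the timestamp prefix is an assumption the parser simply ignores.

```python
import re
from collections import defaultdict

# Summary line written by the Snort 1.8 portscan preprocessor, in the
# format quoted in the post above. Any timestamp prefix is ignored.
END_RE = re.compile(
    r"spp_portscan: End of portscan from (?P<src>\d{1,3}(?:\.\d{1,3}){3}):\s*"
    r"TOTAL time\((?P<secs>\d+)s\) hosts\((?P<hosts>\d+)\) "
    r"TCP\((?P<tcp>\d+)\) UDP\((?P<udp>\d+)\)"
)

# Constructed sample alert lines (not taken from any real sensor).
SAMPLE_LOG = """\
02/08-18:10:02.113 spp_portscan: End of portscan from 192.168.30.95: TOTAL time(6s) hosts(15) TCP(0) UDP(30)
02/08-18:11:44.901 spp_portscan: End of portscan from 10.0.0.7: TOTAL time(2s) hosts(1) TCP(12) UDP(0)
02/08-18:12:00.000 [**] [1:1234:1] some unrelated rule alert [**]
02/08-18:15:30.250 spp_portscan: End of portscan from 192.168.30.95: TOTAL time(3s) hosts(4) TCP(8) UDP(0)
"""


def parse_portscan_end(line):
    """Return a dict for an 'End of portscan' line, or None for any other line."""
    m = END_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {"src": d["src"], **{k: int(d[k]) for k in ("secs", "hosts", "tcp", "udp")}}


def scans_by_source(log_text):
    """Group portscan summaries by source IP: number of scans per source
    plus summed hosts, TCP and UDP counts and scan duration."""
    out = defaultdict(lambda: {"scans": 0, "hosts": 0, "tcp": 0, "udp": 0, "secs": 0})
    for line in log_text.splitlines():
        rec = parse_portscan_end(line)
        if rec is None:
            continue  # rule alerts and other preprocessor output are skipped
        agg = out[rec["src"]]
        agg["scans"] += 1
        for k in ("hosts", "tcp", "udp", "secs"):
            agg[k] += rec[k]
    return dict(out)


if __name__ == "__main__":
    ranked = sorted(scans_by_source(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["scans"])
    for src, agg in ranked:
        print(f"{src:16} scans={agg['scans']} hosts={agg['hosts']} "
              f"tcp={agg['tcp']} udp={agg['udp']} secs={agg['secs']}")
```

Feeding the real portscan.log or alert file in place of `SAMPLE_LOG` gives the same table for a live sensor.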