Snort mailing list archives
good ACID gone bad
From: Jon Hart <jhart () ccs neu edu>
Date: Mon, 11 Feb 2002 09:27:54 -0500
So I recently made the switch from snort-1.8.3 to snort-stable. I log to a mysql database, and use ACID as the make-pretty frontend. Just recently, I started noticing weirdness with spp_portscan. What happens is that while viewing alerts in ACID, the message will say something like the following:

spp_portscan detected on xl0 to port 47666 from x.y.z.2 (STEALTH)

But the source IP address will be something completely different, such as:

a.b.c.3

So I go and view the actual logs on the sensor itself. a.b.c.3 has actual logs, and surprise surprise, it's all CodeRed/Nimda/<insert IIS worm of the day here>. x.y.z.2 does in fact show up in the logs, but only in the portscan logs. Ok, so I at least know snort is logging the stuff correctly, but something appears to be going wonky between snort detecting it, snort logging to mysql, and me querying mysql via ACID.

ACID is rev'd to 0.9.6b20, snort is at snort-stable, and I'm using the schema suggested for both snort-1.8.3 and snort-stable. The one oddity that might explain this is "Duplicate entry" messages spewed by mysql. These error messages just started two days ago, and now that I think about it, right about the time when ACID started apparently acting weird.

Any suggestions as to where I should look for problems? I'm thinking that I might be underpowered here, as I'm currently dropping anywhere between 10 and 20% of my packets. I'm currently monitoring 300+ machines that live on a 10/100mb LAN. One interface sees between 2 and 4mbits/s, whereas the other interface sees an average of about 30mbits/s. Is it time for more hardware here? Thoughts?

-jon

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
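A consistency check for the symptom described in the post, added here as an example and not code from the poster or from ACID: it compares the source IP named inside each spp_portscan message with the ip_src of the header row ACID joins on, and it reports (sid, cid) pairs inserted more than once, which is what MySQL rejects with "Duplicate entry". The table layout (event, signature, iphdr keyed by sid/cid, ip_src stored as an unsigned 32-bit integer) and all row values are assumptions constructed for the example.

```python
import re
import socket
import struct
from collections import Counter

# Constructed rows modelled on the Snort database tables ACID reads (assumed):
# event(sid, cid, signature), signature(sig_id, sig_name), iphdr(sid, cid, ip_src, ip_dst).
# ip_src/ip_dst are stored as unsigned 32-bit integers, so convert both ways.

def ip_to_int(dotted):
    return struct.unpack("!I", socket.inet_aton(dotted))[0]

def int_to_ip(n):
    return socket.inet_ntoa(struct.pack("!I", n))

SIGNATURES = {
    1: "spp_portscan detected on xl0 to port 47666 from 10.1.1.2 (STEALTH)",
    2: "WEB-IIS cmd.exe access",
}
EVENTS = [  # (sid, cid, signature)
    (1, 100, 1),
    (1, 101, 2),
    (1, 102, 1),
]
IPHDRS = [  # (sid, cid, ip_src, ip_dst)
    (1, 100, ip_to_int("192.168.5.3"), ip_to_int("10.1.1.9")),  # disagrees with message
    (1, 101, ip_to_int("192.168.5.3"), ip_to_int("10.1.1.9")),
    (1, 102, ip_to_int("10.1.1.2"), ip_to_int("10.1.1.9")),     # consistent
]

FROM_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")

def portscan_mismatches(events, signatures, iphdrs):
    """(sid, cid, ip_in_message, ip_in_iphdr) for portscan events whose message and header disagree."""
    hdr = {(sid, cid): src for sid, cid, src, _ in iphdrs}
    bad = []
    for sid, cid, sig_id in events:
        m = FROM_RE.search(signatures.get(sig_id, ""))
        if not m or (sid, cid) not in hdr:
            continue  # not a portscan message, or no header row to compare against
        if ip_to_int(m.group(1)) != hdr[(sid, cid)]:
            bad.append((sid, cid, m.group(1), int_to_ip(hdr[(sid, cid)])))
    return bad

def duplicate_keys(rows):
    """(sid, cid) pairs that occur more than once; a second insert of such a key is a 'Duplicate entry'."""
    return sorted(k for k, n in Counter((r[0], r[1]) for r in rows).items() if n > 1)
```

Run `portscan_mismatches` over the real event/signature/iphdr rows for the affected sensor id to see whether the mismatch is already in the database rather than introduced by the ACID display.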