Snort mailing list archives

Re: search by port in ACID


From: "Roman Danyliw" <roman () danyliw com>
Date: Sat, 9 Mar 2002 16:07:57 -0500 (EST)

You can indeed search by port.  The only limitation is that searches are limited
to a single layer-4 protocol at a time (i.e. can't search UDP and TCP 137/139 at
the same time).

1. Click on "Search" from the Main screen

2. Click on the "TCP" or "UDP" button under IP criteria

3. Under "Port", choose: __ destination = 137 __ OR

4. click "ADD TCP/UDP port"

5. In the second "Port" row, choose: __ destination = 139 __ __

6. Click "Query DB"

cheers,
Roman
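For readers who want the same lookup outside the ACID form, the following added example (not from the thread or the ACID project) shows the query those six clicks amount to, and goes one step further than the form allows by covering TCP and UDP destination ports 137/139 in a single statement. The table and column names (event, iphdr, tcphdr, udphdr and their sid/cid keys) are an assumption modelled on the Snort database layout, and the alert rows are constructed.

```python
import sqlite3

# Assumed schema, loosely modelled on the Snort/ACID database layout; not taken from the thread.
SCHEMA = """
CREATE TABLE event  (sid INTEGER, cid INTEGER, signature TEXT, timestamp TEXT);
CREATE TABLE iphdr  (sid INTEGER, cid INTEGER, ip_src TEXT, ip_dst TEXT, ip_proto INTEGER);
CREATE TABLE tcphdr (sid INTEGER, cid INTEGER, tcp_sport INTEGER, tcp_dport INTEGER);
CREATE TABLE udphdr (sid INTEGER, cid INTEGER, udp_sport INTEGER, udp_dport INTEGER);
"""

# Constructed sample alerts: NetBIOS traffic to 137/139 over TCP and UDP, plus noise to filter out.
# (sid, cid, signature, timestamp, src, dst, ip_proto, sport, dport)
SAMPLE = [
    (1, 1, "NETBIOS SMB probe",   "2002-03-08 10:00:00", "10.0.0.5", "10.0.0.9",  6, 40123, 139),
    (1, 2, "NETBIOS name query",  "2002-03-08 10:00:05", "10.0.0.5", "10.0.0.9", 17,   137, 137),
    (1, 3, "NETBIOS SMB probe",   "2002-03-08 10:00:07", "10.0.0.7", "10.0.0.9",  6, 40124, 137),
    (1, 4, "WEB-MISC probe",      "2002-03-08 10:00:09", "10.0.0.5", "10.0.0.9",  6, 40125,  80),
    (1, 5, "ICMP ping",           "2002-03-08 10:00:11", "10.0.0.5", "10.0.0.9",  1,  None, None),
]

def load_sample(conn):
    conn.executescript(SCHEMA)
    for sid, cid, sig, ts, src, dst, proto, sport, dport in SAMPLE:
        conn.execute("INSERT INTO event VALUES (?,?,?,?)", (sid, cid, sig, ts))
        conn.execute("INSERT INTO iphdr VALUES (?,?,?,?,?)", (sid, cid, src, dst, proto))
        if proto == 6:    # TCP rows land in tcphdr
            conn.execute("INSERT INTO tcphdr VALUES (?,?,?,?)", (sid, cid, sport, dport))
        elif proto == 17: # UDP rows land in udphdr
            conn.execute("INSERT INTO udphdr VALUES (?,?,?,?)", (sid, cid, sport, dport))

def alerts_to_dports(conn, ports, protos=("tcp", "udp")):
    """Return (cid, signature, proto, dport) for alerts whose layer-4 destination port is in `ports`.
    One SELECT per layer-4 header table, combined with UNION ALL, so TCP and UDP are searched together.
    Table/column names come from a fixed map; only the port values are user data, and they are bound."""
    hdr = {"tcp": ("tcphdr", "tcp_dport"), "udp": ("udphdr", "udp_dport")}
    placeholders = ",".join("?" * len(ports))
    parts, params = [], []
    for p in protos:
        table, col = hdr[p]
        parts.append(f"SELECT e.cid AS cid, e.signature, '{p}' AS proto, h.{col} AS dport "
                     f"FROM event e JOIN {table} h ON e.sid = h.sid AND e.cid = h.cid "
                     f"WHERE h.{col} IN ({placeholders})")
        params.extend(ports)
    return conn.execute(" UNION ALL ".join(parts) + " ORDER BY cid", params).fetchall()

def demo(ports=(137, 139), protos=("tcp", "udp")):
    conn = sqlite3.connect(":memory:")
    load_sample(conn)
    return alerts_to_dports(conn, list(ports), protos)

if __name__ == "__main__":
    for row in demo():
        print(row)
```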

On Fri, 08 Mar 2002 15:26:15 -0800, Roelof JT Jonkman <roel () SiliconDefense com> wrote:

Michael,

Is there a way to specify a port when doing a search in ACID?  I want to
search for all alerts going to destination ports 137 and 139, but the search
page does not seem to have an option to search by port.

It isn't quite straightforward; however, on the main screen, select 'source
ports' or 'destination ports', go to port 137 or 139, and click on the number
that is under the column 'occurrences'.

That gives you a list of alerts for the chosen port. It isn't quite what you're
asking for, however it might do the job for you.

Roel Jonkman
Security Engineer
http://www.SiliconDefense.com



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users