Snort mailing list archives

RE: ACID Portscan Traffic (0%)


From: Robby Desmond <rdesmond () els ucsb edu>
Date: Wed, 11 Dec 2002 12:57:42 -0800

At 03:23 PM 12/11/2002 -0500, Luo, Philip wrote:
> I am having the same problem. I did check the acid_conf.php file, it looks
> ok, and my scan.log is getting bigger, which ACID cannot show.

There are a couple of issues here, and Roman (or anyone on the acidlabs team) should correct me if they are incorrect.

1) ACID's portscan meter on the home page only works if you have 'log' instead of 'alert' for the DB output plugin, since that is the only way to get the portscan/2 preprocessor-generated messages; otherwise they just get put in the scan.log file, and ACID doesn't use that for the meter.

2) You can see the portscan activity with ACID. When you examine a specific IP, there is the option in the upper right corner to "view events ... Portscan". Clicking that lets you see the portscan events for that host.

BUT...

3) Currently, the scan.log is in a different format than ACID expects. (Change from 1.8.x to 1.9.x) You can't actually see the portscan events, but you can see if the table has any rows and then grep the addy out of your scan.log by hand. (Yes, it's messy. If you really have a problem, join the acidlabs development team.)


In the end, remember that I am just an ACID user, not a developer, so someone involved with the project might have more info.

HTH,
-Robby

Robert Desmond
Systems Administrator
UCSB Extended Learning Services
805-893-4906


