Snort mailing list archives
Re: ACID gives erroneous information
From: "Josh Berry" <josh.berry () netschematics com>
Date: Sun, 29 Feb 2004 12:41:00 -0600 (CST)
ACID is just a cache for alerts. When you delete alerts out of ACID I don't believe that it deletes them out of the Snort tables. Therefore if you deleted some alerts out of ACID they will still be in the Snort event table and therefore you will see a difference in the amount. I am not sure about this but I think that is what is happening.
Hi, I'm using ACID to see the Snort output, but when checking with the raw data, I see some mysterious results: In my event table, I see 80 events (it's just a recently reseted test environment :-) ), but acid_alert only contains 38 records! All other data (number of destination IP's and so on that ACID gives are wrong to (logic, as ACID hasn't used all the records it should use...) What goes wrong? Or is there a way to interpret the events that I'm unaware of? (i.e. are not all different records, different alerts?) This still leaves me with the question why there are more IP destinations found when I join event on iphdr (on sid and cid), as distinct ip addresses clearly belong to different event recordings... Greetings, Erwin Van de Velde Student of University of Antwerp Belgium ------------------------------------------------------- SF.Net is sponsored by: Speed Start Your Linux Apps Now. Build and deploy apps & Web services for Linux with a free DVD software kit from IBM. Click Now! http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Thanks, Josh Berry, CISSP CTO, VP of Product Development LinkNet-Solutions 469-831-8543 josh.berry () linknet-solutions com ------------------------------------------------------- SF.Net is sponsored by: Speed Start Your Linux Apps Now. Build and deploy apps & Web services for Linux with a free DVD software kit from IBM. Click Now! http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- ACID gives erroneous information Erwin Van de Velde (Feb 29)
- Re: ACID gives erroneous information Josh Berry (Feb 29)
- Re: ACID gives erroneous information Erwin Van de Velde (Feb 29)
- Re: ACID gives erroneous information Josh Berry (Feb 29)