Snort mailing list archives

RE: Port scans not showing up in ACID.


From: "John Creegan" <jcreegan () questarweb com>
Date: Thu, 05 Feb 2004 12:33:11 -0600

Mine does, but not until the percentage of portscan traffic reaches at
least 1 percent of total traffic (see the function
PrintProtocolProfileGraphs in the acid_common.php page.)  Also, I'm
using the newer portscan2 preprocessor.  It appears you're using the
original portscan preprocessor.

"Michael Steele" <michaels () winsnort com> 02/05/04 11:53AM >>>
John,

Thanks for offering to look at this. We have just updated to 2.1.0.

In ACID if I view the entire list of alerts I can see the portscans.

----------\
spp_portscan: portscan status from 69.56.144.70: 7 connections across 1 hosts: TCP(7), UDP(0)
----------/

Shouldn't this alert show up in the "Portscan Traffic (%)" group on the home page of ACID?

I updated from 2.0.6 to 2.1.0 and added my 2.0.6 portscan line back into the snort.conf, but Snort fails to show the portscans in the "Portscan Traffic (%)" group on the ACID homepage.

preprocessor portscan: $HOME_NET 4 3 \IDS\Snort\log\portscan.log

The log is being created and populated. I think this is the same situation as the rest are reporting.

I realize that the developers left the "preprocessor portscan:" variable out of the snort.conf config file but left in the code that still deals with it. Is there a way to set the new preprocessor for portscans that will allow the alerts to show up in ACID and do away with the old "preprocessor portscan:" line in the snort.conf?

Kindest regards, 

The WINSNORT.com Management Team
-- 
Pick up your FREE Windows or UNIX Snort installation guides       
mailto:support () winsnort com 
Website: http://www.winsnort.com 
Snort: Open Source Network IDS - http://www.snort.org 


-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-
admin () lists sourceforge net] On Behalf Of John Creegan
Sent: Thursday, February 05, 2004 6:08 AM
To: snort-users () lists sourceforge net 
Subject: RE: [Snort-users] Port scans not showing up in ACID.

It's not ACID.  I'm seeing them here.  I'd be happy to go over the
differences in our configurations if you like.

"Michael Steele" <michaels () winsnort com> 02/04/04 06:59PM >>>
I believe it to be a problem with ACID. I wish it was being actively developed. It seems the programmer has been absent for some time, but I think he is still around, just busy doing other projects. It's free, so we can't expect too much :)

Maybe someone else could patch it?

Kindest regards,

The WINSNORT.com Management Team
--
Pick up your FREE Windows or UNIX Snort installation guides
mailto:support () winsnort com 
Website: http://www.winsnort.com 
Snort: Open Source Network IDS - http://www.snort.org 



-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-
admin () lists sourceforge net] On Behalf Of Peters, Michael D.
Sent: Wednesday, February 04, 2004 7:19 AM
To: Snort-Users@Lists.Sourceforge.Net (E-mail)
Subject: [Snort-users] Port scans not showing up in ACID.

I have portscan traffic identified in my logs but I don't have it registered in the ACID %meter on the home page. I'm working with the current snort 2.1.0 snapshot. Is there some threshold parameter of some configuration that will help display this portscan activity?

Best regards,

Michael D. Peters



-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn 
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net 
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users 
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users 







This message (including any attachments) contains confidential
information intended for a specific individual and purpose,
and is protected by law.  If you are not the intended recipient,
you should delete this message and are hereby notified that any
disclosure,copying, or distribution of this message, or the taking
of any action based on it, is strictly prohibited.










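The reply at the top of this thread says ACID's "Portscan Traffic (%)" meter stays empty until portscan alerts make up at least 1 percent of the total. The script below is an added example, not code from the thread, from Snort or from ACID: it parses the spp_portscan status line quoted above, counts how large a share of a constructed alert sample those portscan alerts are, and reports whether that share would clear a 1% threshold. The sample alert lines are constructed for the example, and the share formula (portscan alerts divided by all alerts) is an assumption about how such a meter is computed, not ACID's own query.

```python
"""Added example (not from the thread, Snort or ACID): parse old-style
spp_portscan status lines and check whether portscan alerts reach the 1%
share the reply above says ACID's PrintProtocolProfileGraphs() needs
before the meter is drawn.

Assumptions (not taken from ACID's code): the share is portscan alerts
over all alerts, and the alert lines below are constructed sample data.
"""
import re
from dataclasses import dataclass

# Matches the status line quoted in the thread:
#   spp_portscan: portscan status from 69.56.144.70: 7 connections across 1 hosts: TCP(7), UDP(0)
PORTSCAN_STATUS = re.compile(
    r"spp_portscan: portscan status from (?P<src>[\d.]+): "
    r"(?P<conns>\d+) connections across (?P<hosts>\d+) hosts: "
    r"TCP\((?P<tcp>\d+)\), UDP\((?P<udp>\d+)\)"
)

# Threshold stated in the reply at the top of the thread.
ACID_PORTSCAN_MIN_PERCENT = 1.0


@dataclass
class ScanStatus:
    src: str
    connections: int
    hosts: int
    tcp: int
    udp: int


def parse_portscan_status(line):
    """Return a ScanStatus for an spp_portscan status line, else None."""
    m = PORTSCAN_STATUS.search(line)
    if not m:
        return None
    return ScanStatus(
        src=m["src"],
        connections=int(m["conns"]),
        hosts=int(m["hosts"]),
        tcp=int(m["tcp"]),
        udp=int(m["udp"]),
    )


def portscan_share(alert_lines):
    """Count portscan alerts against all alerts.

    Returns (portscan_alerts, total_alerts, percent).  Blank lines are
    skipped; any line emitted by spp_portscan counts as a portscan alert.
    """
    total = 0
    scans = 0
    for line in alert_lines:
        line = line.strip()
        if not line:
            continue
        total += 1
        if line.startswith("spp_portscan:"):
            scans += 1
    percent = 100.0 * scans / total if total else 0.0
    return scans, total, percent


def would_show_in_acid(alert_lines, threshold=ACID_PORTSCAN_MIN_PERCENT):
    """True if the portscan share reaches the (assumed) display threshold."""
    _, _, percent = portscan_share(alert_lines)
    return percent >= threshold


# Constructed sample: the one status line from the thread plus 199 ordinary
# rule alerts, i.e. a single low-volume scan buried in normal alert traffic.
SAMPLE_ALERTS = [
    "spp_portscan: portscan status from 69.56.144.70: 7 connections across 1 hosts: TCP(7), UDP(0)",
] + ["ICMP PING NMAP"] * 150 + ["WEB-IIS cmd.exe access"] * 49


if __name__ == "__main__":
    status = parse_portscan_status(SAMPLE_ALERTS[0])
    scans, total, percent = portscan_share(SAMPLE_ALERTS)
    print(f"scan from {status.src}: {status.connections} conns, {status.hosts} host(s)")
    print(f"{scans}/{total} alerts are portscans = {percent:.2f}%")
    print("meter drawn:", would_show_in_acid(SAMPLE_ALERTS))
```

With one scan status line among 200 alerts the share is 0.5%, below the threshold, which matches the symptom in the thread: the alert is visible in the full alert list but the home-page meter stays empty. Add two more portscan lines and the share passes 1%.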

