[Snort-users] Acid Protocol prob. (all alerts reported as ICMP)

Roman Danyliw roman at ...438...
Mon Oct 30 17:39:20 EST 2000


To reiterate what you have said:
 - you are using ACID 0.9.5b6
 - you loaded b6 and off the main status page it seems that UDP, TCP are
coming up 0%, while ICMP is 100% despite the fact that all the alerts are
not ICMP.
 - re-loading b4 does not fix the problem.
 - You note that when you go to the "Unique Alerts", and zero in on a
non-ICMP alert the correct results are returned.  

One possibility is that most of your alerts were ICMP, and as a
percentage, its # of occurrences is much higher than the other protocols
(i.e. all other traffic is statistically insignificant in comparison to
ICMP).  When calculating the protocol percentages for the main ACID
screen anything which is less than 0.5% is rounded down to 0%.  To
confirm this look at the percents of each corresponding alert in the
"Unique Alert" page.  Likewise, what happens when you click on the "0%" of
TCP or UDP?  How about "Last-15 Alerts" of TCP and UDP?  Do you get the
expected results?

Please let me know,

On Mon, 30 Oct 2000, box.inter-tel.net wrote:

> I just upgraded snort on all of my collectors to the current CVS
> version, grabbed the latest b6 version of A$>
> Has anyone else observed and resolved this problem?  I'm sure it is
> something I have blundered, but I cannot$>
> Secondly is there an archive of this list where I could check to make
> sure I am not asking something that ha$>
> Thanks!
> chris r.


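The rounding effect described in the reply above, as an added illustration that is not part of the original thread or of ACID's own code: with a constructed set of alert protocols dominated by ICMP, whole-percent rounding shows TCP and UDP as 0% even though they have alerts, which is why checking the raw counts (or the "Unique Alert" page) is the right confirmation. The rounding rule and sample counts are assumptions for the example.

```python
from collections import Counter

# Constructed sample: the protocol field of each alert in the ACID database.
# 995 ICMP, 3 TCP and 2 UDP alerts (assumed values, not real alert data).
SAMPLE_ALERTS = ["ICMP"] * 995 + ["TCP"] * 3 + ["UDP"] * 2


def protocol_breakdown(protocols):
    """Return {proto: (count, raw_percent, displayed_percent)}.

    displayed_percent mimics the summary-page behaviour described in the
    reply: the share is rounded to a whole percent, so anything below 0.5%
    of the total is shown as 0%.  This is an illustrative rule, not ACID's code.
    """
    counts = Counter(protocols)
    total = sum(counts.values())
    result = {}
    for proto, n in counts.items():
        raw = 100.0 * n / total
        shown = int(raw + 0.5)  # round half up to a whole percent
        result[proto] = (n, raw, shown)
    return result


def hidden_protocols(breakdown):
    """Protocols that have alerts but would display as 0% on the summary."""
    return sorted(p for p, (n, _raw, shown) in breakdown.items()
                  if n > 0 and shown == 0)


if __name__ == "__main__":
    bd = protocol_breakdown(SAMPLE_ALERTS)
    for proto, (n, raw, shown) in sorted(bd.items()):
        print(f"{proto:5s} count={n:4d} raw={raw:6.2f}% displayed={shown}%")
    print("shown as 0% despite having alerts:", hidden_protocols(bd))
```

The displayed column reproduces the symptom (ICMP 100%, TCP 0%, UDP 0%) while the count column shows the non-ICMP alerts are present.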