[Snort-users] Acid Protocol prob. (all alerts reported as ICMP)

box.inter-tel.net chris at ...714...
Mon Oct 30 19:00:38 EST 2000


I just clicked on the TCP 0% link and sure enough my TCP events were there,
just nowhere near as many as ICMP.  I made an assumption that when I
clicked on a particular protocol's link I would see only events for that
protocol. I never even bothered to check the other protocols' links to see if
anything showed up.  My bad.

Looks as if the .5% rounding down is the case.  With that taken into
consideration, everything is working perfectly.

Thanks Roman!

chris r.


----- Original Message -----
From: "Roman Danyliw" <roman at ...438...>
To: "box.inter-tel.net" <chris at ...714...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Monday, October 30, 2000 2:39 PM
Subject: Re: [Snort-users] Acid Protocol prob. (all alerts reported as ICMP)


> Chris,
>
> To reiterate what you have said:
>  - you are using ACID 0.9.5b6
>  - you loaded b6 and off the main status page it seems that UDP and TCP are
> coming up 0%, while ICMP is 100%, despite the fact that not all of the alerts
> are ICMP.
>  - re-loading b4 does not fix the problem.
>  - You note that when you go to the "Unique Alerts", and zero in on a
> non-ICMP alert the correct results are returned.
>
> One possibility is that most of your alerts were ICMP, and as a
> percentage, its number of occurrences is much higher than the other protocols
> (i.e. all other traffic is statistically insignificant in comparison to
> ICMP).  When calculating the protocol percentages for the main ACID
> screen anything which is less than 0.5% is rounded down to 0%.  To
> confirm this look at the percents of each corresponding alert in the
> "Unique Alert" page.  Likewise, what happens when you click on the "0%" of
> TCP or UDP?  How about "Last-15 Alerts" of TCP and UDP?  Do you get the
> expected results?
>
> Please let me know,
> Roman
>
> On Mon, 30 Oct 2000, box.inter-tel.net wrote:
>
> > I just upgraded snort on all of my collectors to the current CVS
> > version, grabbed the latest b6 version of A$>
> > Has anyone else observed and resolved this problem?  I'm sure it is
> > something I have blundered, but I cannot$>
> > Secondly is there an archive of this list where I could check to make
> > sure I am not asking something that ha$>
> > Thanks!
> >
> > chris r.
> >
>
>
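The rounding effect Roman describes, and the check Chris ended up doing by hand, as an added example. This is not ACID's code and not part of the thread; the per-alert protocol list and the alert counts are constructed for illustration (the thread gives no real numbers). The point it shows is that a status page which rounds to whole percents will display "0%" for any protocol carrying under 0.5% of the alerts, so an analyst reading the headline figures alone can overlook real TCP or UDP alerts; the hardened breakdown keeps the absolute count and shows "<1%" instead of "0%" whenever the count is non-zero.

```python
from collections import Counter

# Constructed sample: the protocol column of each alert row as a console
# would read it from the Snort database. Counts are made up for this
# example: 4980 ICMP, 17 TCP, 3 UDP out of 5000 alerts.
SAMPLE_ALERT_PROTOCOLS = ["ICMP"] * 4980 + ["TCP"] * 17 + ["UDP"] * 3


def protocol_percentages(protocols):
    """Per-protocol share rounded to a whole percent, as a status page shows it.

    Anything below 0.5% of the total rounds down to 0, which is the effect
    discussed in the thread: TCP and UDP alerts exist but display as 0%.
    """
    counts = Counter(protocols)
    total = sum(counts.values())
    if total == 0:
        return {}
    return {proto: round(100.0 * n / total) for proto, n in counts.items()}


def hidden_protocols(protocols):
    """Protocols that have at least one alert yet display as 0%.

    This is the check worth running before trusting the headline figures:
    a non-empty result means the percentages alone are hiding alerts.
    """
    counts = Counter(protocols)
    shown = protocol_percentages(protocols)
    return sorted(p for p, n in counts.items() if n > 0 and shown[p] == 0)


def protocol_breakdown(protocols):
    """Breakdown that never hides a protocol behind '0%'.

    Returns {proto: (alert_count, display_label)}; a protocol with alerts
    whose share rounds to 0 is labelled '<1%' so the analyst still sees it.
    """
    counts = Counter(protocols)
    total = sum(counts.values())
    rows = {}
    for proto, n in sorted(counts.items()):
        pct = round(100.0 * n / total) if total else 0
        label = "<1%" if n > 0 and pct == 0 else f"{pct}%"
        rows[proto] = (n, label)
    return rows


if __name__ == "__main__":
    print("headline percentages:", protocol_percentages(SAMPLE_ALERT_PROTOCOLS))
    print("protocols hidden at 0%:", hidden_protocols(SAMPLE_ALERT_PROTOCOLS))
    for proto, (n, label) in protocol_breakdown(SAMPLE_ALERT_PROTOCOLS).items():
        print(f"{proto:5s} {n:6d} alerts  {label}")
```

With the constructed counts the headline view reports ICMP 100%, TCP 0%, UDP 0%, while `hidden_protocols` flags TCP and UDP and the breakdown lists them as 17 and 3 alerts at "<1%". In practice the same sanity check is what the thread recommends: click through the 0% links or the per-protocol "Last-15 Alerts" view rather than reading the percentages as an absence of alerts.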
