[Snort-users] Acid Protocol prob. (all alerts reported as ICMP)
chris at ...714...
Mon Oct 30 19:00:38 EST 2000
I just clicked on the TCP 0% link and sure enough my TCP events were there,
just nowhere near as many as ICMP. I made an assumption that when I
clicked on a particular protocol's link I would see only events for that
protocol. I never even bothered to check the other protocols' links to see if
anything showed up. My bad.
Looks as if the .5% rounding down is the case. With that taken into
consideration, everything is working perfectly.
----- Original Message -----
From: "Roman Danyliw" <roman at ...438...>
To: "box.inter-tel.net" <chris at ...714...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Monday, October 30, 2000 2:39 PM
Subject: Re: [Snort-users] Acid Protocol prob. (all alerts reported as ICMP)
> To reiterate what you have said:
> - you are using ACID 0.9.5b6
> - you loaded b6 and off the main status page it seems that UDP, TCP are
> coming up 0%, while ICMP is 100% despite the fact that all the alerts are
> not ICMP.
> - re-loading b4 does not fix the problem.
> - You note that when you go to the "Unique Alerts", and zero in on a
> non-ICMP alert the correct results are returned.
> One possibility is that most of your alerts were ICMP, and as a
> percentage, its # of occurrences is much higher than the other protocols
> (i.e. all other traffic is statistically insignificant in comparison to
> ICMP). When calculating the protocol percentages for the main ACID
> screen anything which is less than 0.5% is rounded down to 0%. To
> confirm this look at the percents of each corresponding alert in the
> "Unique Alert" page. Likewise, what happens when you click on the "0%" of
> TCP or UDP? How about "Last-15 Alerts" of TCP and UDP? Do you get the
> expected results?
> Please let me know,
> On Mon, 30 Oct 2000, box.inter-tel.net wrote:
> > I just upgraded snort on all of my collectors to the current CVS
> > version, grabbed the latest b6 version of A$>
> > Has anyone else observed and resolved this problem? I'm sure it is
> > something I have blundered, but I cannot$>
> > Secondly is there an archive of this list where I could check to make
> > sure I am not asking something that ha$>
> > Thanks!
> > chris r.
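As an added illustration (not code from this thread or from ACID itself), the following reproduces the rounding behaviour Roman describes, where a protocol with real alerts shows as 0% on a summary screen, next to a display variant that keeps such small shares visible to the analyst. The alert records are constructed sample data.

```python
from collections import Counter

# Constructed sample alert records: (signature, protocol). The mix is chosen
# so that TCP and UDP each fall below 0.5% of the total, as in the thread.
SAMPLE_ALERTS = (
    [("ICMP PING NMAP", "ICMP")] * 1195
    + [("WEB-MISC /etc/passwd", "TCP")] * 3
    + [("SNMP public access udp", "UDP")] * 2
)


def protocol_counts(alerts):
    """Count alerts per protocol; the protocol is the second tuple field."""
    return Counter(proto for _, proto in alerts)


def rounded_percentages(counts):
    """Summary-screen style: each protocol's share is rounded to a whole
    percent, so any share under 0.5% is displayed as 0 even when alerts exist."""
    total = sum(counts.values())
    return {proto: round(100 * n / total) for proto, n in counts.items()}


def labelled_percentages(counts):
    """Display variant that never hides a protocol with alerts: a share that
    would round to 0 is shown as '<1%' together with the raw alert count."""
    total = sum(counts.values())
    out = {}
    for proto, n in counts.items():
        pct = 100 * n / total
        if n and round(pct) == 0:
            out[proto] = f"<1% ({n})"
        else:
            out[proto] = f"{round(pct)}% ({n})"
    return out


if __name__ == "__main__":
    counts = protocol_counts(SAMPLE_ALERTS)
    print("rounded: ", rounded_percentages(counts))
    print("labelled:", labelled_percentages(counts))
```

With this sample, the rounded view reports ICMP 100%, TCP 0%, UDP 0%, while the labelled view still shows the 3 TCP and 2 UDP alerts.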