[Snort-users] PortScans no longer showing up in ACID Console

Hughes, Tim tim.hughes at ...1513...
Wed Apr 11 17:09:48 EDT 2001

The output I get from the command is:

bash$ psql snort
Welcome to psql, the PostgreSQL interactive terminal.

Type:  \copyright for distribution terms
       \h for help with SQL commands
       \? for help on internal slash commands
       \g or terminate with semicolon to execute query
       \q to quit

snort=# select * from signature where sig_name like 'spp_portscan%';
ERROR:  Relation 'signature' does not exist
snort=# \d
            List of relations
       Name        |   Type   |  Owner
 acid_ag           | table    | postgres
 acid_ag_ag_id_seq | sequence | postgres
 acid_ag_alert     | table    | postgres
 data              | table    | postgres
 detail            | table    | postgres
 encoding          | table    | postgres
 event             | table    | postgres
 flags             | table    | postgres
 icmphdr           | table    | postgres
 iphdr             | table    | postgres
 opt               | table    | postgres
 protocols         | table    | postgres
 sensor            | table    | postgres
 sensor_sid_seq    | sequence | postgres
 services          | table    | postgres
 tcphdr            | table    | postgres
 udphdr            | table    | postgres
(17 rows)


However, when I execute "SELECT * from events where signature like
'spp_portscan%';" I receive:  ( There are only a couple of scans in the
database, as I cleared the old ones this morning using ACID v0.9.6b7.)

snort=# select * from event where signature like 'spp_portscan%';
 sid | cid  |                                              signature
|       timestamp
   2 | 6594 | spp_portscan: PORTSCAN DETECTED from (THRESHOLD
15 connections exceeded in 3 seconds) | 2001-04-11 17:02:52-05
   2 | 6603 | spp_portscan: portscan status from 19
connections across 1 hosts: TCP(0), UDP(19)    | 2001-04-11 17:06:44-05
(2 rows)


I currently running snort logging to Postgresql7.1beta5, and Snort 1.7.  For
the ACID Console, I have both v0.9.6b8 from CVS as my primary console, and
v0.9.6b7 as a backup on the same box. (In separate directories).  Beta 7
seems to see all of the Events.

Thanks for any help.


-----Original Message-----
From: roman at ...438... [mailto:roman at ...438...]
Sent: Wednesday, April 11, 2001 8:11 AM
To: Hughes; Tim
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] PortScans no longer showing up in ACID


There has been no significant change in how ACID handles portscans.
Can you confirm that the alerts are being written to the database?
Try the following sql from you db client:

SELECT * FROM signature WHERE sig_name like 'spp_portscan%';

Do you get results?


> I just switched to ACID v0.9.6b8 from the CVS Archive, and now portscan no
> longer show up in the Alert listing.  When I use an older version of ACID,
> see all of the unique alerts (i.e.  all of the portscans.).  Does anyone
> know if there has been a change in ACID's handling of portscan alerts?
> Tim Hughes
> Network Engineer
> MCurve, Inc.
> tph at ...1513...
> (847) 843-8200
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

This message was sent using Voicenet WebMail.

More information about the Snort-users mailing list