[Snort-users] acid v0.9.5 addon.

Blake Frantz blake at ...319...
Thu Jun 28 16:26:02 EDT 2001


Hello,

When the snort portscan preprocessor triggers it creates a log called
'portscan.log.' The contents of this log, which are the scanned hosts, are
ignored by ACID.  I made the following changes to enable the user to view
this data:

at line 980 in acid_pkt_sqlcalls.php I made the following changes:

<original>
      else  
            echo '   <A HREF="acid_app_faq.php#1">unknown</A>';
</original>

<changed>
      else {
         if( ereg("spp_portscan:.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)", $myrow[2], $store)) {
            echo '<a href="acid_show_ps.php?ip='.$store[1].'">'.$store[1].'</a> ';
         } else {
            echo '   <A HREF="acid_app_faq.php#1">unknown</A>';
         }
      }
</changed>

If the alert is a portscan, it searches for the IP and places it in the
'Source Address' column.

I then created the file acid_show_ps.php which can be downloaded from:
http://www.packethack.com/snort/acid_show_ps.php

An example of the output can be seen at:
http://www.packethack.com/snort/output_example.html

acid_show_ps.php takes the contents of 'portscan.log' and puts it in table
format.

You can also download the source from:
http://www.packethack.com/snort/acid_show_ps.php

I threw it together rather quickly so any improvements are welcome.

Blake Frantz

================================================================= 
The Government, like diapers, should be replaced regularly, and
often for the same reasons. 
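The extraction the patch performs, ported to Python as an added example (not Blake's code and not part of ACID): the same ereg() pattern run against constructed spp_portscan-style alert messages, showing how non-portscan signatures fall through to "unknown" and how the greedy ".*" picks the last dotted quad when a message carries two.

```python
import html
import re
from typing import Optional

# Same POSIX ERE as the ACID patch; it translates directly to Python re.
# Greedy ".*" means the LAST dotted quad in the message is captured.
PORTSCAN_RE = re.compile(r"spp_portscan:.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)")

# Constructed sample alert messages in the style of Snort 1.x spp_portscan
# output (wording assumed for illustration, not taken from the post).
SAMPLE_ALERTS = [
    "spp_portscan: PORTSCAN DETECTED from 10.1.1.1 (THRESHOLD 4 connections exceeded in 0 seconds)",
    "spp_portscan: portscan status from 10.1.1.1: 12 connections across 1 hosts: TCP(12), UDP(0)",
    "spp_portscan: End of portscan from 10.1.1.1: TOTAL time(0s) hosts(1) TCP(12) UDP(0)",
    "WEB-MISC /etc/passwd",          # ordinary rule alert, no portscan data
]

UNKNOWN_CELL = '<A HREF="acid_app_faq.php#1">unknown</A>'


def portscan_source(sig: str) -> Optional[str]:
    """Return the scanning host's address from a spp_portscan message, or None."""
    m = PORTSCAN_RE.search(sig)
    return m.group(1) if m else None


def source_cell(sig: str) -> str:
    """Render the 'Source Address' cell the way the patched ACID page does."""
    ip = portscan_source(sig)
    if ip is None:
        return UNKNOWN_CELL
    # The capture group admits only digits and dots, so the value cannot carry
    # markup; escaping it anyway keeps the cell safe if the pattern is ever loosened.
    q = html.escape(ip, quote=True)
    return f'<a href="acid_show_ps.php?ip={q}">{q}</a> '


if __name__ == "__main__":
    for sig in SAMPLE_ALERTS:
        print(f"{sig[:40]:40} -> {source_cell(sig)}")
```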