[Snort-users] acid v0.9.5 addon.

Blake Frantz blake at ...319...
Thu Jun 28 16:26:02 EDT 2001


When the snort portscan preprocessor triggers, it creates a log called
'portscan.log.' The contents of this log, which are the scanned hosts, are
ignored by ACID.  I made the following changes to enable the user to view
this data:

At line 980 in acid_pkt_sqlcalls.php I made the following changes:

            echo '   <A HREF="acid_app_faq.php#1">unknown</A>';

      else  {
         if( ereg("spp_portscan:.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)", $myrow[2],$store)) {
            echo  '<a href="acid_show_ps.php?ip='.$store[1].'">'.$store[1].'</a> ';
         }else {
            echo '   <A HREF="acid_app_faq.php#1">unknown</A>';

If the alert is a portscan, it searches for the IP and places it in the
'Source Address' column.

I then created the file acid_show_ps.php which can be downloaded from:
an example of the output can be seen at:

acid_show_ps.php takes the contents of 'portscan.log' and puts it in table

You can also download the source from:

I threw it together rather quickly, so any improvements are welcome.

Blake Frantz

The Government, like diapers, should be replaced regularly, and
often for the same reasons. 
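
Added example, not part of the original post and not ACID's or the poster's code: the same alert-to-link extraction written for current PHP, plus the input check a page such as acid_show_ps.php needs on its `ip` parameter. The function names, the sample alert text and the portscan.log line layout are assumptions made for illustration.

```php
<?php
// Added example; function names are hypothetical, sample data is constructed.

// Extract the address from an spp_portscan alert message, as the post's ereg()
// call does. ereg() was removed in PHP 7, so this uses preg_match().
function portscan_source_ip(string $sig): ?string
{
    if (!preg_match('/spp_portscan:.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/', $sig, $store)) {
        return null;
    }
    // The pattern alone accepts 999.999.999.999; filter_var() rejects it.
    $ip = filter_var($store[1], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
    return $ip === false ? null : $ip;
}

// Build the 'Source Address' cell, encoding the value for URL and HTML context.
function source_address_cell(string $sig): string
{
    $ip = portscan_source_ip($sig);
    if ($ip === null) {
        return '<A HREF="acid_app_faq.php#1">unknown</A>';
    }
    return '<a href="acid_show_ps.php?ip=' . rawurlencode($ip) . '">'
         . htmlspecialchars($ip, ENT_QUOTES) . '</a>';
}

// Receiving side: accept ?ip= only if it is a literal IPv4 address, then return
// the log lines with that source host, HTML-escaped for the table.
// Assumed line layout: "<date> <src>:<port> -> <dst>:<port> <flags>".
function portscan_rows(array $query, array $logLines): array
{
    $ip = filter_var($query['ip'] ?? '', FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
    if ($ip === false) {
        return [];   // also covers ?ip[]=... and path or markup payloads
    }
    $rows = [];
    foreach ($logLines as $line) {
        if (preg_match('/ ' . preg_quote($ip, '/') . ':\d+ -> /', $line)) {
            $rows[] = '<tr><td>' . htmlspecialchars($line, ENT_QUOTES) . '</td></tr>';
        }
    }
    return $rows;
}

$log = ['Jun 28 16:20:01 10.0.0.5:1045 -> 192.168.1.2:80 SYN ******S*',
        'Jun 28 16:20:02 10.0.0.9:2210 -> 192.168.1.2:22 SYN ******S*'];
echo source_address_cell('spp_portscan: PORTSCAN DETECTED from 10.0.0.5'), "\n";
echo implode("\n", portscan_rows(['ip' => '10.0.0.5'], $log)), "\n";
var_dump(portscan_rows(['ip' => '10.0.0.5"><script>'], $log));  // rejected input
```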
