[Snort-users] Search for UNKNOWN IP in ACID?

Phil Wood cpw at ...440...
Wed Mar 7 11:09:19 EST 2001


I decided to comment out the alert logging in spp_portscan.c:
        /* CallAlertFuncs(NULL , logMessage, NULL); CPW*/
        /* CallAlertFuncs(NULL , logMessage, NULL); CPW */
turned off lEXTENDED, and now just check the scan logfile for items of
interest using some simple unix commands based on the old

  cat massive_quantities |sort|uniq -c|sort -rn|uniq | head

construct.

This makes for a more manageable acid database.  But, the downside is
that it will take some more work to get timely notification of the scans.

More than anything, I'm overwhelmed.

How's everyone else doing these days?  On second thought, don't answer
that question. %^)

On Wed, Mar 07, 2001 at 09:29:15AM +0000, roman at ...438... wrote:
> There is no explicit way to identify and delete alerts with an 
> "UNKNOWN IP field".  Their very existence is an aberration from
> the database logging perspective; they represent incomplete alerts.  
> 
> From the Unique Alert listings (acid_stat_alerts.php), you can 
> easily see these alerts since they will have a 0 for both unique
> source and destination.  Likewise, you can further confirm these alerts
> by looking at the alert name (e.g. Mini-Frag) since all those
> alerts which generate "Unknown IP fields" are well known.
> Select the appropriate alerts and delete them by using the 
> pre-defined "actions" at the bottom of the screen.  (Note: 
> deleting from this screen will require ACID 0.9.6b5+).
> 
> cheers,
> Roman
> 
> 
> > I have a large number of alerts in ACID with an IP address of
> > UNKNOWN.  I understand that these are generated from the
> > preprocessors (port scan, frag detect, etc.) but I can not figure out
> > how to delete these alerts.  Any ideas how to search/delete records
> > with an UNKNOWN IP field?
> > 
> > Thanks in advance,
> > Jim Webster
> > 
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> > 
> 

-- 
Phil Wood, cpw at ...440...
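The "sort|uniq -c|sort -rn|head" construct above, as an added example that is not code from the thread: a script that parses scan-log lines, ranks sources by activity, and flags those touching many distinct targets, which is the notification hook the message says is missing. The line format and the sample lines are assumed/constructed, not taken from spp_portscan itself.

```python
import re
from collections import defaultdict

# Constructed sample of portscan log lines (format is an assumption; the
# addresses are documentation ranges, not data from the original thread).
SAMPLE_LOG = """\
Mar  7 10:01:02 192.0.2.10:4401 -> 198.51.100.5:21 SYN ******S*
Mar  7 10:01:02 192.0.2.10:4402 -> 198.51.100.5:22 SYN ******S*
Mar  7 10:01:03 192.0.2.10:4403 -> 198.51.100.5:23 SYN ******S*
Mar  7 10:01:03 192.0.2.10:4404 -> 198.51.100.5:25 SYN ******S*
Mar  7 10:01:04 192.0.2.10:4405 -> 198.51.100.5:80 SYN ******S*
Mar  7 10:02:11 203.0.113.7:1025 -> 198.51.100.9:80 SYN ******S*
Mar  7 10:02:12 203.0.113.7:1026 -> 198.51.100.9:443 SYN ******S*
this line is malformed and must be skipped, not crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<type>\S+)"
)

def parse_scan_log(text):
    """Yield (src, dst, dport) for every well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"])

def summarize(text, top=10):
    """Same idea as sort|uniq -c|sort -rn|head on the source column:
    returns [(src, line_count, distinct_dst_port_pairs)], busiest first."""
    lines = defaultdict(int)
    targets = defaultdict(set)
    for src, dst, dport in parse_scan_log(text):
        lines[src] += 1
        targets[src].add((dst, dport))
    ranked = sorted(lines, key=lambda s: (-lines[s], s))
    return [(s, lines[s], len(targets[s])) for s in ranked[:top]]

def scanners(text, min_targets=4):
    """Sources hitting at least min_targets distinct dst:port pairs: the
    'items of interest' a timely-notification hook would act on."""
    return [s for s, _, n in summarize(text) if n >= min_targets]

if __name__ == "__main__":
    for src, n, t in summarize(SAMPLE_LOG):
        print(f"{n:6d} {src} ({t} distinct targets)")
    print("notify on:", scanners(SAMPLE_LOG))
```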