[Snort-users] Search for UNKNOWN IP in ACID?
jwebster at ...425...
Wed Mar 7 14:16:59 EST 2001
Great suggestion!! I have other tools looking at port scans and had
thought about turning off the preprocessor but this is a more elegant
-----Original Message-----
From: Phil Wood [mailto:cpw at ...440...]
Sent: Wednesday, March 07, 2001 11:09 AM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Search for UNKNOWN IP in ACID?
I decided to comment out the alert logging in spp_portscan.c:
/* CallAlertFuncs(NULL , logMessage, NULL); CPW*/
/* CallAlertFuncs(NULL , logMessage, NULL); CPW */
turned off lEXTENDED, and just check out the scan logfile for items of
interest using some simple unix commands based on the old
cat massive_quantities |sort|uniq -c|sort -rn|uniq | head
This makes for a more manageable acid database. But, the downside is
that it will take some more work to get timely notification of the
More than anything, I'm overwhelmed.
How's everyone else doing these days? On second thought, don't
that question. %^)
On Wed, Mar 07, 2001 at 09:29:15AM +0000, roman at ...438... wrote:
> There is no explicit way to identify and delete alerts with an
> "UNKNOWN IP field". Their very existence is an aberration from
> the database logging perspective; they represent incomplete alerts.
> From the Unique Alert listings (acid_stat_alerts.php), you can
> easily see these alerts since they will have a 0 for both unique
> source and destination. Likewise, you can further confirm these
> alerts by looking at the alert name (e.g. Mini-Frag) since all
> alerts which generate "Unknown IP fields" are well known.
> Select the appropriate alerts and delete them by using the
> pre-defined "actions" at the bottom of the screen. (Note:
> deleting from this screen will require ACID 0.9.6b5+).
> > I have a large number of alerts in ACID with an IP address of
> > UNKNOWN. I understand that these are generated from the
> > preprocessors (port scan, frag detect, etc.) but I can not figure
> > out how to delete these alerts. Any ideas how to search/delete
> > records with an UNKNOWN IP field?
> > Thanks in advance,
> > Jim Webster
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
Phil Wood, cpw at ...440...