[Snort-users] 2 bugs in ACID v0.9.6b17

roman at ...438... roman at ...438...
Thu Nov 1 14:12:13 EST 2001



> On the main screen, click on the percentage of total traffic link for
> portscans.  After the first page of portscan data is displayed, click on the
> "Unique addresses: source" link in the "Summary Statistics" box.  Although 
> all my portscans are identified with source IP addresses, clicking on this 
> link shows that all addresses are unknown.  I would have expected a summary
> breakdown of all the unique IP addresses that portscanned me.

This is not a bug.  The IP addresses associated with portscans are not    
actually stored in the database.  The fact that you see source addresses  
in the alert listing page is misleading, since this is achieved with "text
mangling" of the signature.  If you have a copy of the portscan.log, you  
can set it in $portscan_file of acid_conf.php and view what portscans a  
particular IP generated.  However, getting a list of unique address which
generated portscans is currently not possible.

> The second bug relates to a link that points to the ports database:


> payload.  In the TCP section, click on either the source or destination port
> link.  These currently point to http://www.snort.org whereas I believe they
> should be pointing to http://www.portsdb.org/.  The $external_port_link
> variable defined in my acid_conf.php file is set to

This was fixed in CVS earlier this week.


This message was sent using Voicenet WebMail.

More information about the Snort-users mailing list