[Snort-users] ACID 0.9.6b14 questions

roman at ...438...
Mon Sep 17 07:20:02 EDT 2001

On Mon, 17 Sep 2001, Poppi, Sandro wrote:

> I'm having some probs regarding acid 0.9.6b14 in conjunction with snort
> 1.8.1 on a RedHat 7.0 box with mysql 3.23.32:
> 1. Using any of the new Snapshot entries
>       Last Source Ports: any , TCP , UDP
>       Last Destination Ports: any , TCP , UDP
> results in
>       Database ERROR:You have an error in your SQL syntax near '' at line
> 1
> All other functions I tested work (nearly) as expected (see 2.)

Update to the newly released v0.9.6b15.

(Download from the mirror:
since I am having issues connecting to sourceforge)
> 2. The search form and querying only for an ip address does not work for
> portscan alerts. If the given ip address is only logged for portscan alerts
> it can't be queried, if there are other alarms for the ip address they will
> be shown.

Your observation is correct.  Portscan alerts cannot be queried by an IP
criterion.  These types of alerts can only be identified through a criterion
of signature, time, classification, alert group, or sensor.  This
limitation is due to the current design of the portscan
pre-processor.  The database does not actually store any information about
the occurrence of a portscan, other than the fact that it occurred; data
such as the source IP address and the target ports are never stored.
Hence, the IP address cannot be used as a search criterion for these
alerts since it is never stored in the database.  ACID appears to display
a source IP address for portscan alerts, but this is merely text mangling of the
signature name (i.e. this is not information taken from the database).
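As an added illustration (not part of this thread, and not ACID's or Snort's own code): a small Python script that builds a constructed, simplified subset of the Snort database layout (the event, signature and iphdr tables and their column names are assumed for the example) and shows why an IP search misses portscan alerts, how a LEFT JOIN finds the events that have no IP header row at all, and how the "source IP" shown for such alerts is only text pulled out of the signature name (the spp_portscan message format used is also an assumption).

```python
import re
import sqlite3

# Constructed, simplified subset of the Snort database schema; the column
# names are assumed for illustration and are not copied from a real dump.
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT);
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src TEXT, ip_dst TEXT);
"""

# Constructed sample rows: a regular alert that has an iphdr row, and a
# portscan alert whose only trace of the scanner is the signature text
# (the spp_portscan message format below is an assumption).
SAMPLE = """
INSERT INTO signature VALUES (1, 'WEB-MISC /etc/passwd');
INSERT INTO signature VALUES (2, 'spp_portscan: PORTSCAN DETECTED from 10.1.2.3 (THRESHOLD 4 connections exceeded in 0 seconds)');
INSERT INTO event VALUES (1, 1, 1, '2001-09-17 07:00:00');
INSERT INTO iphdr VALUES (1, 1, '192.0.2.10', '192.0.2.80');
INSERT INTO event VALUES (1, 2, 2, '2001-09-17 07:01:00');
"""

def build_db():
    """Create an in-memory database holding the constructed sample."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn

def alerts_for_ip(conn, ip):
    """ACID-style IP search: only events that have an iphdr row can match."""
    rows = conn.execute(
        "SELECT e.sid, e.cid, s.sig_name FROM event e "
        "JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid "
        "JOIN signature s ON s.sig_id = e.signature "
        "WHERE i.ip_src = ? OR i.ip_dst = ?", (ip, ip))
    return rows.fetchall()

def events_without_iphdr(conn):
    """Events with no IP header stored, i.e. invisible to any IP search."""
    rows = conn.execute(
        "SELECT e.sid, e.cid, s.sig_name FROM event e "
        "LEFT JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid "
        "JOIN signature s ON s.sig_id = e.signature "
        "WHERE i.sid IS NULL")
    return rows.fetchall()

def ip_from_portscan_name(sig_name):
    """Pull the scanner address out of the signature text, as the display does."""
    m = re.search(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})", sig_name)
    return m.group(1) if m else None
```

Searching for 10.1.2.3 returns nothing even though the portscan row names that address, which is exactly the behaviour described above.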
