[Snort-users] ACID 0.9.6b14 questions

roman at ...438...
Mon Sep 17 07:20:02 EDT 2001


On Mon, 17 Sep 2001, Poppi, Sandro wrote:

> I'm having some probs regarding acid 0.9.6b14 in conjunction with snort
> 1.8.1 on a RedHat 7.0 box with mysql 3.23.32:
>
> 1. Using any of the new Snapshot entries
>
>       Last Source Ports: any , TCP , UDP
>       Last Destination Ports: any , TCP , UDP
>
> results in
>
>       Database ERROR:You have an error in your SQL syntax near '' at line
> 1
>
> All other functions I tested work (nearly) as expected (see 2.)
  
Update to the newly released v0.9.6b15.

(Download from the mirror:
http://www.andrew.cmu.edu/~rdanyliw/snort/snortacid.html,
since I am having issues connecting to sourceforge)
  
> 2. The search form and querying only for an ip address does not work for
> portscan alerts. If the given ip address is only logged for portscan alerts
> it can't be queried, if there are other alarms for the ip address they will
> be shown.
  
Your observation is correct.  Portscan alerts cannot be queried by an IP
criterion.  These types of alerts can only be identified through a criterion
of signature, time, classification, alert group, or sensor.  This
limitation is due to the current design of the portscan
pre-processor.  The database does not actually store any information about
the occurrence of a portscan, other than the fact that it occurred; data
such as the source IP address and the target ports are never stored.
Hence, the IP address cannot be used as a search criterion for these
alerts since they are never stored in the database.  ACID appears to display
a source IP address for portscan alerts, but this is merely text mangling of the
signature name (i.e. this is not information taken from the database).

Roman

