[Snort-users] ACID portscan log parsing (0.9.6b21)
rdesmond at ...6547...
Wed Aug 7 08:11:05 EDT 2002
Dunno if this is improved already in another version of ACID, but since I'm
no PHP whiz, I gotta ask:
why does the ereg function in the portscan.log parsing section of ACID
(acid_stat_ipaddr.php -> PrintPortscanEvents($db,$ip) ) match not only
xxx.xxx.xxx.10 but also xxx.xxx.xxx.10x (initial 3 dot triplets are the
same, but final is similar, but is 100 or 101 etc.) when I ask for the
portscan events on xxx.xxx.xxx.10/32?
It makes for excessively long tables when requesting portscan events.
Am I asking the wrong people?
UCSB Extended Learning Services
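An added illustration of the over-match described above (my own Python sketch, not ACID's PHP and not the project's code; it assumes the lookup builds a regex straight from the address string, as the question suggests). An unescaped, unanchored pattern for `.10` also hits `.100`, `.101` and `.108`, while an anchored pattern or an exact comparison of the parsed source field does not. The log lines are constructed in the one-event-per-line portscan.log style.

```python
import re

# Constructed sample in the portscan.log style (hypothetical data).
PORTSCAN_LOG = """\
Aug  7 08:01:12 192.168.1.10:4123 -> 10.0.0.5:22 SYN ******S*
Aug  7 08:01:13 192.168.1.100:4124 -> 10.0.0.5:23 SYN ******S*
Aug  7 08:01:14 192.168.1.101:4125 -> 10.0.0.5:25 SYN ******S*
Aug  7 08:01:15 192.168.1.10:4126 -> 10.0.0.5:80 SYN ******S*
Aug  7 08:01:16 10.0.0.7:4127 -> 192.168.1.108:80 SYN ******S*
"""

def naive_pattern(ip):
    # Unescaped and unanchored: '.' is a wildcard and "…1.10" is a prefix
    # of "…1.100", so the search over-matches.
    return re.compile(ip)

def strict_pattern(ip):
    # Escape the dots and forbid a digit or dot on either side so the
    # address has to be a whole token.
    return re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")

def scan_events(log, ip, strict=False):
    """Return log lines whose text matches the chosen pattern."""
    pat = strict_pattern(ip) if strict else naive_pattern(ip)
    return [line for line in log.splitlines() if pat.search(line)]

def src_events(log, ip):
    """Parse the source field and compare it exactly (no regex search)."""
    out = []
    for line in log.splitlines():
        m = re.match(r"\S+\s+\d+\s+\S+\s+(\S+):\d+\s+->", line)
        if m and m.group(1) == ip:
            out.append(line)
    return out
```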