[Snort-users] ACID portscan log parsing (0.9.6b21)

Robby rdesmond at ...6547...
Wed Aug 7 08:11:05 EDT 2002


Dunno if this is improved already in another version of ACID, but since I'm 
no PHP whiz, I gotta ask:

why does the ereg function in the portscan.log parsing section of ACID 
(acid_stat_ipaddr.php -> PrintPortscanEvents($db,$ip) ) match not only 
xxx.xxx.xxx.10 but also xxx.xxx.xxx.10x (initial 3 dot triplets are the 
same, but final is similar, but is 100 or 101 etc.) when I ask for the 
portscan events on xxx.xxx.xxx.10/32?

It makes for excessively long tables when requesting portscan events.

Am I asking the wrong people?
-Robby


Robert Desmond
Systems Administrator
UCSB Extended Learning Services
805-893-4906
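
The over-match described in the question is what an unanchored, unescaped regular expression does when the search string is a prefix of a longer address: nothing stops the match from continuing into a fourth octet of 100 or 101. The following Python example is added here for illustration and is not ACID's code; it assumes a portscan.log line shape of "timestamp src:port -> dst:port flags" (the sample lines below are constructed, not real data) and contrasts a loose substring search with two fixes a defender would want: an octet-boundary-aware pattern, and parsing the line and comparing the address field exactly.

```python
import re

# Constructed sample lines in the general shape of a Snort 1.x portscan.log
# ("timestamp src:port -> dst:port flags"); these are not real log data.
SAMPLE_LOG = """\
Aug  7 08:11:05 192.168.1.10:33021 -> 10.0.0.5:80 SYN ******S*
Aug  7 08:11:05 192.168.1.100:33022 -> 10.0.0.5:443 SYN ******S*
Aug  7 08:11:06 192.168.1.101:33023 -> 10.0.0.5:22 SYN ******S*
Aug  7 08:11:06 192.168.1.10:33024 -> 10.0.0.5:8080 SYN ******S*
Aug  7 08:11:07 10.0.0.5:1025 -> 192.168.1.10:80 SYN ******S*
""".splitlines()

# Matches "addr:port -> addr:port" and captures the two addresses and ports.
EVENT_RE = re.compile(
    r'(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+->\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)'
)


def loose_pattern(ip):
    # Reproduces the defect: the address is used as a bare pattern, so '.'
    # matches any character and the match is free to continue into a
    # longer last octet (10 also matches 100, 101, ...).
    return re.compile(ip)


def strict_pattern(ip):
    # Escape the dots and require that the address is neither preceded by
    # another octet character nor followed by a further digit.
    return re.compile(r'(?<![0-9.])' + re.escape(ip) + r'(?![0-9])')


def filter_events(lines, ip, strict=True):
    """Return the log lines mentioning ip, using the strict or loose regex."""
    pat = strict_pattern(ip) if strict else loose_pattern(ip)
    return [line for line in lines if pat.search(line)]


def parse_event(line):
    """Extract (src, sport, dst, dport) from one line, or None if malformed."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    src, sport, dst, dport = m.groups()
    return src, int(sport), dst, int(dport)


def events_for_ip(lines, ip, direction="any"):
    """Exact-match filter: parse each line and compare the address field.

    direction is "src", "dst" or "any". Comparing parsed fields for equality
    avoids every substring/prefix pitfall of searching the raw line.
    """
    out = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        src, _, dst, _ = ev
        if direction == "src" and src == ip:
            out.append(ev)
        elif direction == "dst" and dst == ip:
            out.append(ev)
        elif direction == "any" and ip in (src, dst):
            out.append(ev)
    return out


if __name__ == "__main__":
    ip = "192.168.1.10"
    print("loose :", len(filter_events(SAMPLE_LOG, ip, strict=False)), "lines")
    print("strict:", len(filter_events(SAMPLE_LOG, ip, strict=True)), "lines")
    print("parsed:", len(events_for_ip(SAMPLE_LOG, ip)), "events")
```

On the constructed sample the loose search returns all five lines (the .100 and .101 hosts included), while both the boundary-aware pattern and the parse-and-compare approach return only the three lines that actually involve 192.168.1.10. Parsing first is the more robust of the two fixes, since it also lets the caller ask for source-only or destination-only hits.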
