[Snort-users] ACID Portscan Traffic (0%)

Pacheco, Michael F. MPacheco at ...6219...
Wed Dec 11 13:01:10 EST 2002


scan.log? That sounds like you're using snort 1.9x. If you are, that means
you could be using the portscan2 preprocessor. ACID does not understand the
portscan2 output yet; it only understands how to display portscan1
(portscan) preprocessor output. The PHP display code for ACID has to be
rewritten (as of ACID 0.9.6b22) to accommodate the new portscan2 output
format.

In snort.conf, just change your portscan preprocessor line to the old
"portscan" line from the snort 1.8 branch. 1.9 is backwards compatible and will
work and output to ACID in the format ACID needs to display, i.e.:

# Portscan2
#-------------------------------------------
# Portscan 2, detect portscans in a new and exciting way.
#
# Available options:
#       scanners_max [num]
#       targets_max [num]
#       target_limit [num]
#       port_limit [num]
#       timeout [num]
#       log [logdir]

# portscan2 left commented out: ACID (0.9.6b22) cannot display its output
#preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 10, port_limit 20, timeout 60
# old-style portscan: <monitor network> <number of ports> <detection period in seconds> <log file>
preprocessor portscan: $HOME_NET 4 3 portscan.log


The other thing is to make sure you are outputting to alert - not log.

That's my two cents ---

Mike

P.S. - Anybody have an idea when ACID will be rewritten for Portscan2?

-----Original Message-----
From: Luo, Philip [mailto:Philip_Luo at ...4729...]
Sent: Wednesday, December 11, 2002 3:23 PM
To: Snort Users (E-mail)
Subject: RE: [Snort-users] ACID Portscan Traffic (0%)


I am having the same problem. I did check the acid_conf.php file, it looks
ok, and my scan.log is getting bigger, which ACID cannot show.

-----Original Message-----
From: Hicks, John [mailto:JHicks at ...5857...] 
Sent: Wednesday, December 11, 2002 11:13 AM
To: 'Gary Borgeson'; Snort Users (E-mail)
Subject: RE: [Snort-users] ACID Portscan Traffic (0%)



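As an added example (not part of this thread or of Snort/ACID), here is a small Python audit of the snort.conf change Mike describes: it lists the uncommented preprocessor lines, reports whether ACID 0.9.6b22 would see any portscan output, and applies the swap to the old-style portscan line. The sample conf is constructed; the argument order for the v1 line (<monitor net> <ports> <seconds> <logfile>) and the "4 ports in 3 seconds" values are taken from the line quoted above.

```python
import re

# Constructed sample snort.conf fragment mirroring the snippet quoted in the thread:
# portscan2 is active (with a backslash continuation), portscan v1 is commented out.
SAMPLE_CONF = """\
# constructed sample
preprocessor portscan2: scanners_max 3200, targets_max 5000, \\
    target_limit 10, port_limit 20, timeout 60
#preprocessor portscan: $HOME_NET 4 3 portscan.log
"""

PREPROC_RE = re.compile(r"^\s*preprocessor\s+(\w+)\s*:\s*(.*)$")

def active_preprocessors(conf_text):
    """Return {name: args} for every uncommented preprocessor line,
    joining backslash-continued lines first, as Snort's config parser does."""
    found = {}
    for line in conf_text.replace("\\\n", " ").splitlines():
        m = PREPROC_RE.match(line.split("#", 1)[0])  # drop comments
        if m:
            found[m.group(1)] = m.group(2).strip()
    return found

def audit_portscan(conf_text):
    """Will ACID 0.9.6b22 see scan events? Only portscan v1 output is displayed.
    v1 argument order as in the post: <monitor net> <ports> <seconds> <logfile>."""
    pre = active_preprocessors(conf_text)
    report = {"portscan2_active": "portscan2" in pre, "portscan_v1": None}
    fields = pre.get("portscan", "").split()
    if len(fields) == 4 and fields[1].isdigit() and fields[2].isdigit():
        report["portscan_v1"] = {"net": fields[0], "ports": int(fields[1]),
                                 "seconds": int(fields[2]), "logfile": fields[3]}
    report["acid_visible"] = report["portscan_v1"] is not None
    return report

def downgrade_to_portscan1(conf_text, home_net="$HOME_NET"):
    """Apply the fix from the post: comment out the active portscan2 line (and its
    continuation lines) and add the v1 line (4 ports in 3 seconds) if it is missing."""
    out, continuing = [], False
    for line in conf_text.splitlines():
        if continuing or re.match(r"^\s*preprocessor\s+portscan2\s*:", line):
            out.append("#" + line)
            continuing = line.rstrip().endswith("\\")
        else:
            out.append(line)
    if "portscan" not in active_preprocessors("\n".join(out)):
        out.append(f"preprocessor portscan: {home_net} 4 3 portscan.log")
    return "\n".join(out) + "\n"
```

Running `audit_portscan` on the sample before and after `downgrade_to_portscan1` shows the flip from no visible portscan output to a well-formed v1 line.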