[Snort-users] Update: snort/ACID portscan display
katehagenuk at ...1396...
Fri Feb 8 10:26:06 EST 2002
I see nobody has answered the question, although it
has been mocked.
Well, I'm going to forge ahead, braving further
humiliation, in search of an answer --
I forgot to mention that I did add the path to the
portscan log in the acid_php.conf file. I do see a
tally of portscans when I click on "portscan events"
But, when I view "Most recent alerts" (for example),
and have a result of (for example):
spp_portscan: End of portscan from 192.168.30.95:
TOTAL time(6s) hosts(15) TCP(0) UDP(30)
-- I can't click on the IP address and get a list of
events related to that IP address, as I can with
different types of activity. Nor does 192.168.30.95
show up in the "source" or "destination" IP address
list linked to from the "front" page of ACID.
There is no mention of this issue in any documentation
that I have found (ACID, Snort, or otherwise) except
what I discuss below, which seems to be outdated
In hopes of a useful reply,
> I am running snort 1.8.3 on mandrake 8.1 with ACID
> v0.9.6b19 and MySQL 3.23.41.
> Portscans appear in the ACID display, but when I
> on the IP address, no list of portscans associated
> with that IP address appear.
> I read a newsgroup post dated several months back
> ACID does not log portscans properly and that the
> portscan is not actually coming from the IP address
> appears to be coming from (according to the ACID
> display). However, when I read the Snort
> itself, the portscans actually do appear to be
> from the IP addresses that ACID claims they are
> from. From what little knowledge I have of php, it
> appears that ACID is actually logging the source IP
> correctly. But why can I not display a list of all
> portscans by source IP?
> I have looked all over for more information about
> and haven't found anything (RTFM, google,
> I have been reading this list for a while and
> seen it mentioned, although it is quite possible I
> missed it.
> Thanks for your time.
> Do You Yahoo!?
> Everything you'll ever need on one web page
> from News and Sport to Email and Music Charts
Do You Yahoo!?
Everything you'll ever need on one web page
from News and Sport to Email and Music Charts
More information about the Snort-users