[Snort-users] Update: snort/ACID portscan display

Erek Adams erek at ...577...
Fri Feb 8 10:49:07 EST 2002


On Fri, 8 Feb 2002, [iso-8859-1] Kate Hagen wrote:

> I see nobody has answered the question, although it
> has been mocked.

Errr...  Guess that would have been me.  :-/

> Well, I'm going to forge ahead, braving further
> humiliation, in search of an answer --

Dandy!  We love having people willing to bear the brunt of learning!  :)


[...snip...]

> -- I can't click on the IP address and get a list of
> events related to that IP address, as I can with
> different types of activity.  Nor does 192.168.30.95
> show up in the "source" or "destination" IP address
> list linked to from the "front" page of ACID.
>
> There is no mention of this issue in any documentation
> that I have found (ACID, Snort, or otherwise) except
> what I discuss below, which seems to be outdated
> information.

[...snip...]

To be honest, this is one of the oldest questions that we've seen on the list.
It rolls around every now and again.  The following isn't really the 'perfect'
answer to your question, but it does sum it up fairly well:

   http://acidlab.sourceforge.net/acid_faq.html#faq_c3

So, following that...  The spp_portscan processor does _not_ spit out DB
friendly data.  There has been quite a bit of talk about re-writing the
portscan processor, but due to the upcoming 2.0 release, it's kinda taken a
back seat to other issues.

If you really want to have the portscans in there, you _could_ script some
perl/C/whatever to grok the portscan.log file and then do inserts into the DB.
That's the way that I think some folks are doing it.

Here's hoping this was a useful reply!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net





More information about the Snort-users mailing list