[Snort-users] good ACID gone bad

Jon Hart jhart at ...2692...
Mon Feb 11 06:28:20 EST 2002


So I recently made the switch from snort-1.8.3 to snort-stable.  

I log to a mysql database, and use ACID as the make-pretty frontend.  Just
recently, I started noticing weirdness with spp_portscan.  What happens is
that while viewing alerts in ACID, the message will say something like the
following:

 spp_portscan detected on xl0 to port 47666 from x.y.z.2 (STEALTH)  

But the source IP address will be something completely different, such as:

 a.b.c.3  

So I go and view the actual logs on the sensor itself.  a.b.c.3 has actual
logs, and surprise surprise, it's all CodeRed/Nimda/<insert IIS worm of the
day here>.  x.y.z.2 does in fact show up in the logs, but only in the
portscan logs.  Ok, so I at least know snort is logging the stuff
correctly, but something appears to be going wonky between snort detecting
it, snort logging to mysql, and me querying mysql via ACID.  

ACID is rev'd to 0.9.6b20, snort is at snort-stable, and I'm using the
schema suggested for both snort-1.8.3 and snort-stable.  

The one oddity that might explain this is "Duplicate entry" messages spewed
by mysql.  These error messages just started two days ago, and now
that I think about it, right about the time when ACID started apparently
acting weird. 

Any suggestions as to where I should look for problems?  I'm thinking that
I might be underpowered here, as I'm currently dropping anywhere between 10
and 20% of my packets.  I'm currently monitoring 300+ machines that live on
a 10/100mb LAN.   One interface sees between 2 and 4mbits/s, whereas the
other interface sees an average of about 30mbits/s.  Is it time for more
hardware here?  

Thoughts?

-jon
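The symptom above (a portscan message naming one source address while ACID shows another) and the "Duplicate entry" errors both point at the event rows and the packet-header rows in the database having gone out of step. The queries below are an added diagnostic, not part of the original post or of ACID/snort; they assume the Snort MySQL schema of that era with an `event` table keyed by `(sid, cid)`, a `signature` table joined via `event.signature = signature.sig_id`, and an `iphdr` table holding `ip_src` as an unsigned integer. The portscan message format is taken from the post; if a sensor writes it differently the `SUBSTRING_INDEX` parsing must be adjusted.

```sql
-- Added diagnostic for an ACID/Snort MySQL database (schema column names are
-- assumed from the Snort DB schema of the snort-1.8.x era, not taken from the post).

-- 1. Events whose packet header row is missing. If the event INSERT succeeded
--    but the iphdr INSERT hit "Duplicate entry" (or the other way round), the
--    two tables no longer agree on what (sid, cid) means.
SELECT e.sid, e.cid, e.timestamp, s.sig_name
FROM event e
JOIN signature s ON s.sig_id = e.signature
LEFT JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
WHERE i.cid IS NULL
ORDER BY e.sid, e.cid;

-- 2. Header rows with no matching event: the mirror image of query 1.
SELECT i.sid, i.cid, INET_NTOA(i.ip_src) AS header_src, INET_NTOA(i.ip_dst) AS header_dst
FROM iphdr i
LEFT JOIN event e ON e.sid = i.sid AND e.cid = i.cid
WHERE e.cid IS NULL
ORDER BY i.sid, i.cid;

-- 3. Portscan alerts whose message text names a different source address than
--    the iphdr row stored under the same (sid, cid). The message in the post
--    ends in "... from x.y.z.2 (STEALTH)", so the address is the first
--    whitespace-delimited token after the last " from ".
SELECT e.sid, e.cid, e.timestamp,
       INET_NTOA(i.ip_src) AS header_src,
       SUBSTRING_INDEX(SUBSTRING_INDEX(s.sig_name, ' from ', -1), ' ', 1) AS message_src,
       s.sig_name
FROM event e
JOIN signature s ON s.sig_id = e.signature
JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
WHERE s.sig_name LIKE 'spp_portscan%'
  AND s.sig_name LIKE '% from %'
  AND INET_NTOA(i.ip_src) <>
      SUBSTRING_INDEX(SUBSTRING_INDEX(s.sig_name, ' from ', -1), ' ', 1)
ORDER BY e.timestamp;

-- 4. The sensor-side counter behind "Duplicate entry": the highest cid already
--    stored per sensor. A sensor that restarts with a lower counter than this
--    value will collide with existing rows until it catches up.
SELECT sid, MAX(cid) AS highest_cid, COUNT(*) AS events
FROM event
GROUP BY sid;
```

Query 3 only catches mismatches for alerts whose message embeds an address; rows returned by queries 1 and 2 are the ones to compare against the sensor's own alert and portscan log files, and query 4 shows whether the stored `cid` values are ahead of what a freshly restarted sensor would try to insert.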