[Snort-users] acid and demarc

Ryan Hill rhill at ...2446...
Tue Feb 26 09:49:10 EST 2002


Cliff,

I don't blame you, there are parts of the UI that just aren't overly obvious
on the included features in the product.  To sort by IP from the Event page,
simply click on the Source IP or Destination IP fields to see all alerts
triggered by the IP within the given time period.  For the 'Events' page,
I'm pretty sure that's just the last 24 hours.  To see all alerts ever
generated for an IP, you could either click in the Top Src or Top Dst IPs
window in Quick Stats OR run a search based on that IP OR show all events in
the past x days, and then click on the IP you're interested in to drill down
the result set.

Ah, I just realized if you're looking for a page that allows you to drill
down from an IP-only display (à la ACID), you're correct, and that's missing.
Sorry about that.

Regards,

Ryan Hill, MCSE 
IT Ninja
Corporate Information Systems
TeleCommunication Systems, Inc. (TCS) - http://www.telecomsys.com
v: 206.792.2276 - f: 206.792.2001


> -----Original Message-----
> From: SkatFiend at ...661... [mailto:SkatFiend at ...661...] 
> Sent: Monday, February 25, 2002 6:40 PM
> To: rhill at ...2446...
> Cc: snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] acid and demarc
> 
> 
> Ok, give me a sanity check here, maybe I'm overlooking 
> something basic, as I see it Demarc has IP search 
> capabilities, but not sorting. It does organize the "events" 
> page based on unique alerts. However, unlike ACID where I 
> can click and sort the hits in ascending or descending IP order 
> amongst other things, I have yet to see this ability in 
> Demarc. If you know of a way please let me know.
> 
> Cliff
> 