[Snort-users] search by port in ACID

Roman Danyliw roman at ...438...
Sat Mar 9 13:09:20 EST 2002


You can indeed search by port.  The only limitation is that searches are limited
to a single layer-4 protocol at a time (i.e. can't search UDP and TCP 137/139 at
the same time).

1. Click on "Search" from the Main screen

2. Click on the "TCP" or "UDP" button under IP criteria

3. Under "Port", choose: __ destination = 137 __ OR

4. Click "ADD TCP/UDP port"

5. In the second "Port" row, choose: __ destination = 139 __ __

6. Click "Query DB"

cheers,
Roman

On Fri, 08 Mar 2002 15:26:15 -0800, Roelof JT Jonkman <roel at ...47...>
wrote :

> Michael,
> 
> > Is there a way to specify a port when doing a search in ACID?  I want to
> > search for all alerts going to destination ports 137 and 139 but the search page
> > does not seem to have an option to search by port.
> 
> Isn't quite straightforward, however, on the main screen, select 'source ports'
> or 'destination ports', go to port 137 or 139, and click on the number
> that is under the column 'occurences'.
> 
> That gives you a list of alerts for the chosen port. It quite what you're asking
> for, however it might do the job for you.
> 
> Roel Jonkman
> Security Engineer
> http://www.SiliconDefense.com