[Snort-users] search by port in ACID
roman at ...438...
Sat Mar 9 13:09:20 EST 2002
You can indeed search by port. The only limitation is that searches are limited
to a single layer-4 protocol at a time (i.e. can't search UDP and TCP 137/139 at
the same time).
1. Click on "Search" from the Main screen
2. Click on the "TCP" or "UDP" button under IP criteria
3. Under "Port", choose: __ destination = 137 __ OR
4. Click "ADD TCP/UDP port"
5. In the second "Port" row, choose: __ destination = 139 __ __
6. Click "Query DB"
On Fri, 08 Mar 2002 15:26:15 -0800, Roelof JT Jonkman <roel at ...47...>
> > Is there a way to specify a port when doing a search in ACID? I want to
> > search for all alerts going to destination ports 137 and 139 but the search page
> > does not seem to have an option to search by port.
> Isn't quite straightforward, however, on the main screen, select 'source'
> or 'destination ports', go to port 137 or 139, and click on the number
> that is under the column 'occurrences'.
> That gives you a list of alerts for the chosen port. It isn't quite what you're
> looking for, however it might do the job for you.
> Roel Jonkman
> Security Engineer
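The reply above notes that an ACID search covers only one layer-4 protocol at a time. As an added example (not part of the original thread and not ACID's own code), the script below queries the alert database directly for TCP and UDP destination ports in a single statement. The table and column names (`event`, `signature`, `tcphdr`, `udphdr`) are an assumed subset of the Snort database output schema, and the rows are constructed sample data loaded into an in-memory SQLite database.

```python
import sqlite3

# Assumed subset of the Snort database-output schema (constructed for this example).
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT);
CREATE TABLE event  (sid INT, cid INT, signature INT, timestamp TEXT);
CREATE TABLE tcphdr (sid INT, cid INT, tcp_sport INT, tcp_dport INT);
CREATE TABLE udphdr (sid INT, cid INT, udp_sport INT, udp_dport INT);
"""

# One statement covering both layer-4 protocols; {ph} becomes "?,?,..." placeholders.
QUERY = """
SELECT 'TCP' AS proto, t.tcp_dport AS dport, s.sig_name, e.timestamp
  FROM event e JOIN tcphdr t ON t.sid = e.sid AND t.cid = e.cid
               JOIN signature s ON s.sig_id = e.signature
 WHERE t.tcp_dport IN ({ph})
UNION ALL
SELECT 'UDP', u.udp_dport, s.sig_name, e.timestamp
  FROM event e JOIN udphdr u ON u.sid = e.sid AND u.cid = e.cid
               JOIN signature s ON s.sig_id = e.signature
 WHERE u.udp_dport IN ({ph})
 ORDER BY 4
"""

def alerts_by_dport(conn, ports):
    """Return (proto, dport, sig_name, timestamp) rows for alerts to any port in `ports`."""
    ports = [int(p) for p in ports]      # integers only; values are bound, not interpolated
    ph = ",".join("?" * len(ports))
    return conn.execute(QUERY.format(ph=ph), ports + ports).fetchall()

def build_sample_db():
    """Build an in-memory database holding four constructed alerts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO signature VALUES (?,?)",
                     [(1, "constructed NETBIOS alert A"), (2, "constructed alert B")])
    conn.executemany("INSERT INTO event VALUES (?,?,?,?)",
        [(1, 1, 1, "2002-03-08 10:00:00"), (1, 2, 1, "2002-03-08 10:05:00"),
         (1, 3, 2, "2002-03-08 10:10:00"), (1, 4, 1, "2002-03-08 10:15:00")])
    conn.executemany("INSERT INTO tcphdr VALUES (?,?,?,?)",
        [(1, 1, 1025, 139), (1, 3, 1026, 80)])
    conn.executemany("INSERT INTO udphdr VALUES (?,?,?,?)",
        [(1, 2, 137, 137), (1, 4, 1027, 53)])
    return conn

if __name__ == "__main__":
    for row in alerts_by_dport(build_sample_db(), [137, 139]):
        print(row)
```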