[Snort-users] ACID default sort order

John Sage jsage at ...2022...
Tue May 7 11:56:02 EDT 2002


I tried asking this a week ago and got no response, so, being a
glutton for punishment I'll ask again:

What is the default sort order for ACID when displaying the very
fundamental query: "Last 24 hours" "alerts" "listing"?

In other words, show me all alerts for the last 24 hours.

The sort order returned is not obvious, or rather there doesn't seem
to be any:


To: blahblahblah at ...5802...
Subject: ACID Incident Report
From: ACID Alert <acid at ...5802...>

Generated by ACID v0.9.6b21 on Tue May 07, 2002 10:47:09

#109-2| [2002-05-07 09:28:28] 12.243.218.140 -> 12.82.128.54  ICMP echo request

This (above) is out of order by time and by sensor-id

#109-8| [2002-05-07 10:19:41] 12.165.7.15:137 -> 12.82.128.54:137  UDP to 137 netBIOS ns
#109-7| [2002-05-07 10:19:41] 12.165.7.15:137 -> 12.82.128.54:137  UDP to 137 netBIOS ns
#109-6| [2002-05-07 10:19:39] 12.165.7.15:137 -> 12.82.128.54:137  UDP to 137 netBIOS ns
#109-5| [2002-05-07 10:19:10] 12.165.7.15:137 -> 12.82.128.54:137  UDP to 137 netBIOS ns
#109-4| [2002-05-07 10:19:07] 12.165.7.15:137 -> 12.82.128.54:137  UDP to 137 netBIOS ns
#109-3| [2002-05-07 10:19:04] 12.165.7.15:137 -> 12.82.128.54:137  UDP to 137 netBIOS ns
#109-1| [2002-05-07 09:11:33] 12.82.128.120:1065 -> 12.82.128.54:137  UDP to 137 netBIOS ns

#108-14| [2002-05-07 07:26:15] 199.84.183.4:137 -> 12.82.129.79:137  UDP to 137 netBIOS ns
#108-13| [2002-05-07 07:26:14] 199.84.183.4:137 -> 12.82.129.79:137  UDP to 137 netBIOS ns
#108-12| [2002-05-07 07:26:12] 199.84.183.4:137 -> 12.82.129.79:137  UDP to 137 netBIOS ns

The above alerts are out-of-order relative to those above..

#108-7| [2002-05-07 04:19:09] 12.82.129.235:1028 -> 12.82.129.79:137  UDP to 137 netBIOS ns
#108-6| [2002-05-07 04:07:07] 12.165.7.15:137 -> 12.82.129.79:137  UDP to 137 netBIOS ns
#108-5| [2002-05-07 04:07:06] 12.165.7.15:137 -> 12.82.129.79:137  UDP to 137 netBIOS ns
#108-4| [2002-05-07 04:07:04] 12.165.7.15:137 -> 12.82.129.79:137  UDP to 137 netBIOS ns
#108-3| [2002-05-07 04:06:43] 12.165.7.15:137 -> 12.82.129.79:137  UDP to 137 netBIOS ns
#108-2| [2002-05-07 04:06:42] 12.165.7.15:137 -> 12.82.129.79:137  UDP to 137 netBIOS ns
#108-1| [2002-05-07 04:06:40] 12.165.7.15:137 -> 12.82.129.79:137  UDP to 137 netBIOS ns

#108-11| [2002-05-07 05:26:55] 65.117.191.10:55742 -> 12.82.129.79:111  TCP to 111 sunrpc
#108-10| [2002-05-07 05:26:52] 65.117.191.10:55742 -> 12.82.129.79:111  TCP to 111 sunrpc

The above alerts are out-of-order..

#108-9| [2002-05-07 04:55:18] 148.235.14.185:32263 -> 12.82.129.79:80  TCP to 80 http
#108-8| [2002-05-07 04:55:12] 148.235.14.185:32263 -> 12.82.129.79:80  TCP to 80 http

The above alerts are out-of-order..

#107-3| [2002-05-06 22:07:37] 217.136.191.9 -> 12.82.131.37  ICMP echo request

#107-4| [2002-05-06 22:51:34] 131.183.60.105:4659 -> 12.82.131.37:1433  TCP to 1433 MS MySQL server

blah blah blah...

#107-2| [2002-05-06 16:44:24] 12.245.236.184:4630 -> 12.82.131.37:80  TCP to 80 http
#107-1| [2002-05-06 16:44:21] 12.245.236.184:4630 -> 12.82.131.37:80  TCP to 80 http

#106-1| [2002-05-06 11:29:25] 12.82.131.207:1238 -> 12.82.131.64:137  UDP to 137 netBIOS ns
#106-2| [2002-05-06 12:42:44] 166.114.114.2:3937 -> 12.82.131.64:53  TCP to 53 domain

and blah blah blah..



Is the sensor-id pair not a primary key, or in fact any key whatsoever?

Is the date-time not a primary key, or in fact any key whatsoever?

Again, at the risk of repetition, what should be the primary sort
order for this very fundamental query?


- John
-- 
In those days, you could not buy a $2000 200MHz Pentium server.

PGP key      http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5 
