[Snort-users] Snort Enterprise Implementation

Jens Krabbenhoeft tschenz-snort-users at ...7018...
Mon Jan 13 06:59:02 EST 2003


Greg,

> recorded for the fields TCP, UDP, ICMP  of the Analysis Console for
> Intrusion Databases (ACID); however, the percent for Portscan Traffic
> remains at zero ACID.

You have to point ACID to your scan.log file in the config:

/* Snort spp_portscan log file */
$portscan_file = "";

The problem is that the portscan data isn't normalized into the
database structure and remains in a plain file. I don't know if
IDScenter is syncing files between the IDS box and the ACID box. If not,
try to find a way to sync the portscan log onto the ACID box
(rsync, scp, ftp, ...).

HTH,
	Jens
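Because the spp_portscan output never reaches the database, it is worth being able to read that plain file directly once it has been copied to the ACID box. The following parser and summarizer is an added example, not code from this post, from Snort or from ACID. It assumes the classic spp_portscan line shape (`Mon DD HH:MM:SS src:port -> dst:port TYPE [flags]`); check that against your own scan.log before relying on it. The sample log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Assumed spp_portscan scan.log line shape (an assumption, not taken from the
# post): "<Mon> <day> <HH:MM:SS> <src_ip>:<sport> -> <dst_ip>:<dport> <type> [<flags>]"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s+"
    r"(?P<kind>\S+)(?:\s+(?P<flags>\S+))?\s*$"
)

# Constructed sample log: one SYN sweep of five ports from 10.0.0.50, one UDP
# probe from 10.0.0.77, and one junk line that a robust reader must tolerate.
SAMPLE_LOG = """\
Jan 13 06:41:02 10.0.0.50:40123 -> 10.0.0.1:21 SYN ******S*
Jan 13 06:41:02 10.0.0.50:40124 -> 10.0.0.1:22 SYN ******S*
Jan 13 06:41:03 10.0.0.50:40125 -> 10.0.0.1:23 SYN ******S*
Jan 13 06:41:03 10.0.0.50:40126 -> 10.0.0.1:80 SYN ******S*
Jan 13 06:41:03 10.0.0.50:40127 -> 10.0.0.1:443 SYN ******S*
Jan 13 06:42:10 10.0.0.77:5353 -> 10.0.0.1:161 UDP
this line is garbage and must be counted as unparsed, not crash the reader
"""


def parse_line(line):
    """Return a dict for one scan.log entry, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def summarize(text):
    """Aggregate scan.log text per source host.

    Returns {"sources": [...], "unparsed": n}; each source row carries the
    event count, the number of distinct destination ports and the number of
    distinct targets, sorted so the widest sweep comes first.
    """
    per_src = defaultdict(lambda: {"events": 0, "ports": set(), "targets": set()})
    unparsed = 0
    for raw in text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            unparsed += 1  # keep going: one bad line must not hide the rest
            continue
        entry = per_src[rec["src"]]
        entry["events"] += 1
        entry["ports"].add(rec["dport"])
        entry["targets"].add(rec["dst"])
    rows = [
        {
            "src": src,
            "events": e["events"],
            "distinct_ports": len(e["ports"]),
            "targets": len(e["targets"]),
        }
        for src, e in per_src.items()
    ]
    rows.sort(key=lambda r: (-r["distinct_ports"], -r["events"], r["src"]))
    return {"sources": rows, "unparsed": unparsed}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{'source':<16}{'events':>8}{'ports':>8}{'targets':>9}")
    for r in report["sources"]:
        print(f"{r['src']:<16}{r['events']:>8}{r['distinct_ports']:>8}{r['targets']:>9}")
    print(f"unparsed lines: {report['unparsed']}")
```

To use it on a real copy of the file, replace `SAMPLE_LOG` with the contents of the synced scan.log; the per-source port count is the quickest way to see which host is sweeping, which is exactly the figure ACID cannot show while `$portscan_file` is empty.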
