[Snort-users] Snort Enterprise Implementation
tschenz-snort-users at ...7018...
Mon Jan 13 06:59:02 EST 2003
> recorded for the fields TCP, UDP, ICMP of the Analysis Console for
> Intrusion Databases (ACID); however, the percent for Portscan Traffic
> remains at zero in ACID.
You have to point ACID to your scan.log file in the config:
/* Snort spp_portscan log file */
$portscan_file = "";
The problem is that the portscan data isn't normalized into the
database structure and remains in a plain file. I don't know if
IDScenter is syncing files between the IDS box and the ACID box. If not,
try to find a solution for syncing the portscan log onto the ACID box
(rsync, scp, ftp, ...).
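An added example, not from this thread or from the ACID/Snort projects, of the sync step described above: a small POSIX sh script that copies the sensor's spp_portscan log onto the ACID box and checks the file that $portscan_file will point at. The source/destination paths and the web server group are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread). Pulls the sensor's
# spp_portscan log onto the ACID box, then sanity-checks the path you
# put into $portscan_file in acid_conf.php. Paths are assumptions.

# sync_portscan_log SRC DST
#   SRC may be local ("/var/log/snort/scan.log") or remote
#   ("snort-sensor:/var/log/snort/scan.log"). Uses rsync (ssh transport)
#   when present, otherwise scp for remote and cp for local sources.
sync_portscan_log() {
    src="$1"; dst="$2"
    tmp="$dst.tmp.$$"
    if command -v rsync >/dev/null 2>&1; then
        rsync -q "$src" "$tmp" || return 1
    else
        case "$src" in
            *:*) scp -q "$src" "$tmp" || return 1 ;;
            *)   cp "$src" "$tmp" || return 1 ;;
        esac
    fi
    # Copy to a temp name and rename, so the web server never reads a
    # half-written file. 0640: only the owner and the group (assumed to
    # be the httpd user's group) can read the log.
    chmod 0640 "$tmp" && mv "$tmp" "$dst"
}

# check_portscan_file PATH
#   Returns 0 if the file ACID will read exists, is readable and is
#   non-empty; 1 otherwise. Run it before trusting a 0% portscan figure.
check_portscan_file() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    [ -r "$f" ] || { echo "unreadable: $f" >&2; return 1; }
    [ -s "$f" ] || { echo "empty: $f" >&2; return 1; }
    return 0
}

# portscan_line_count PATH
#   Number of lines in the synced log, i.e. entries ACID can display.
portscan_line_count() {
    wc -l < "$1" | tr -d ' '
}

# Usage (from cron on the ACID box, every few minutes):
#   sync_portscan_log snort-sensor:/var/log/snort/scan.log \
#       /var/log/snort/scan.log && check_portscan_file /var/log/snort/scan.log
```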