[Snort-users] Portscans in ACID

John Creegan jcreegan at ...9729...
Mon Sep 15 13:06:04 EDT 2003


I'm going to ask and answer a question here at the same time:

I've taken the step from the FAQ (6.16).  With ACID I see lots of
portscan event detail, so I'm sure the portscan data is going to the
database properly.  Why doesn't the portscan line on the ACID main page
show any activity when there are portscan alerts in the DB?

Looking at the acid_common.php page, the function
"PrintProtocolProfilGraphs" has a conditional test requiring that at
least one percent of all alert traffic be portscan activity before it
will show anything.  I agree that's a perfectly reasonable conditional
to have in place.  So I'm bettin' that though I have lots of portscan
activity, it represents less than one percent of the total alert
activity.

When I get the time, I'm going to look over the ACID pages for lots of
things... not the least of which is "Why does it take 434 seconds to get
a graph of alert data in a DB containing < 40,000 alerts when ACID,
apache, php and the DB are all on the localhost and there's barely a
discernible increase in the utilization of any system resource?"

