[Snort-users] ACID gives erroneous information

Erwin Van de Velde erwin.vandevelde at ...10361...
Sun Feb 29 03:26:00 EST 2004


I'm using ACID to see the Snort output, but when checking with the raw data, I 
see some mysterious results:
In my event table, I see 80 events (it's just a recently reset test 
environment :-) ), but acid_alert only contains 38 records!
All other data (number of destination IPs and so on) that ACID gives are wrong 
too (logical, as ACID hasn't used all the records it should use...).
What goes wrong? Or is there a way to interpret the events that I'm unaware 
of? (i.e. are not all different records, different alerts?) This still leaves 
me with the question why there are more IP destinations found when I join 
event on iphdr (on sid and cid), as distinct ip addresses clearly belong to 
different event recordings...

Erwin Van de Velde
Student of University of Antwerp
