[Snort-users] ACID tables populated, charts seem OK, but some query results empty

subs subs at ...13742...
Thu Mar 30 07:43:10 EST 2006


Bruce (and others),

Thanks for the heads-up - I've also now been informed off-list of ACID's
demise.

If I'd realised it was dead I'd have gone straight for BASE - which I will
now.

Mind you, this on ACID's homepage:
"It should be noted that ACID is the result of ongoing work at the CERT
Coordination Center for the AIRCERT project"

...doesn't help much.

I've mailed the maintainer and requested a note be put on the ACID homepage.

Best wishes,
S

-----Original Message-----
From: Briggs, Bruce [mailto:Bruce.Briggs at ...13183...] 
Sent: 30 March 2006 17:23
To: subs; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] ACID tables populated, charts seem OK, but some
query results empty


Why not use BASE?
ACID is a dead product.
BASE is an improved and maintained fork from ACID.
http://secureideas.sourceforge.net/

Bruce 

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of subs
Sent: Thursday, March 30, 2006 8:28 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] ACID tables populated, charts seem OK, but some query
results empty

Snort and ACID up for 12 hours, now - my acid_main.php shows:

Sensors: 1
Unique Alerts: 7    (   5 categories   )
Total Number of Alerts: 233
    * Source IP addresses: 41
    * Dest. IP addresses: 14
    * Unique IP links 75
    * Source Ports: 38
          o TCP ( 2)  UDP ( 36)
    * Dest. Ports: 3
          o TCP ( 1)  UDP ( 2)

... with appropriate histograms for Traffic Profile by Protocol.

I can successfully chart Time vs. number of Alerts, and I see data in the
acid tables.

PROBLEM: Some standard queries from acid_main.php give me empty results
Sensors                          OK
Unique alerts                    empty
Categories                       OK
Total Number of Alerts           empty
Source IP addresses              OK
Dest. IP addresses               OK
Unique IP links                  OK
All source/dest ports queries    OK

Snapshot queries:
Most recent Alerts (all)         empty (gives count of 15, for all)
Today's: alerts unique, listing  empty (with counts)
Today's: alerts unique, src, dst OK

Etc...

It appears that results are only shown where IPs are looked up - what could
be the problem?

Sorry if this is a FAQ (I have searched).

Any help appreciated.
S
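A cross-check one can run directly against the database to narrow down a symptom like the one above (summary counts populated, alert listings empty, IP-based pages fine). This is an added example and not part of the thread or of ACID/BASE; it assumes the standard Snort database schema (tables event, signature, iphdr) and the acid_event cache table that ACID's setup script creates, and it assumes that the listing pages need the event-to-signature join while the IP pages need the event-to-iphdr join. Which page issues which query depends on the ACID version, so treat the comments as a guide, not a description of ACID's code:

```sql
-- Added diagnostic example (not from the thread or from ACID).
-- Assumed schema: Snort's event/signature/iphdr tables plus ACID's
-- acid_event cache table. Adjust table and column names if yours differ.

-- 1. Raw event count. Compare with "Total Number of Alerts" on acid_main.php.
SELECT COUNT(*) AS total_events
  FROM event;

-- 2. Events that still join to a signature row. Listings that print a
--    signature name depend on this join; if this count is lower than (1),
--    some events reference a signature id with no matching signature row.
SELECT COUNT(*) AS events_with_sig
  FROM event e
  JOIN signature s ON s.sig_id = e.signature;

-- 3. Events that join to an IP header row. The IP-based pages the poster
--    reports as working depend on this join.
SELECT COUNT(*) AS events_with_iphdr
  FROM event e
  JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid;

-- 4. List the orphaned events, if any, so the gap between (1) and (2)
--    can be inspected rather than guessed at.
SELECT e.sid, e.cid, e.signature, e.timestamp
  FROM event e
  LEFT JOIN signature s ON s.sig_id = e.signature
 WHERE s.sig_id IS NULL
 ORDER BY e.timestamp DESC
 LIMIT 20;

-- 5. ACID's cache table versus the raw event table. If cached_events lags
--    raw_events, the cache has not been (re)built since the events arrived,
--    which would leave any page that reads acid_event empty while pages
--    that read event/iphdr directly still show data.
SELECT (SELECT COUNT(*) FROM event)      AS raw_events,
       (SELECT COUNT(*) FROM acid_event) AS cached_events;
```

Run these from the database client as the same user ACID connects with, so that permission differences between tables also show up (a user that can read iphdr but not signature or acid_event produces exactly the "only IP queries work" pattern).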


