Snort mailing list archives
Re: ACID 0.9.6b14 questions
From: roman () danyliw com
Date: Mon, 17 Sep 2001 10:19:17 US/Eastern
On Mon, 17 Sep 2001, Poppi, Sandro wrote:
I'm having some probs regarding acid 0.9.6b14 in conjunction with snort 1.8.1 on a RedHat 7.0 box with mysql 3.23.32:

1. Using any of the new Snapshot entries

   Last Source Ports: any, TCP, UDP
   Last Destination Ports: any, TCP, UDP

   results in

   Database ERROR: You have an error in your SQL syntax near '' at line 1

   All other functions I tested work (nearly) as expected (see 2.)
Update to the newly released v0.9.6b15. (Download from the mirror: http://www.andrew.cmu.edu/~rdanyliw/snort/snortacid.html, since I am having issues connecting to sourceforge)
2. The search form and querying only for an IP address does not work for portscan alerts. If the given IP address is only logged for portscan alerts, it can't be queried; if there are other alarms for the IP address, they will be shown.
Your observation is correct. Portscan alerts cannot be queried by an IP criterion. These types of alerts can only be identified through criteria of signature, time, classification, alert group, or sensor. This limitation is due to the current design of the portscan pre-processor. The database does not actually store any information about the occurrence of a portscan, other than the fact that it occurred; data such as the source IP address and the target ports are never stored. Hence, the IP address cannot be used as a search criterion for these alerts since it is never stored in the database. ACID appears to display a source IP address for portscan alerts, but this is merely text mangling of the signature name (i.e. this is not information taken from the database).

Roman
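To make Roman's explanation concrete, here is an added example (not code from the thread, from ACID or from Snort): a simplified SQLite stand-in for the Snort database layout with constructed sample rows, showing why an IP search cannot match a portscan alert while a signature search can, and that the address ACID displays is only parsed out of the signature text. The table and column names are modeled on the Snort schema but are an assumption here, as is the portscan signature string.

```python
import re
import sqlite3

# Simplified stand-in for the Snort database layout (assumption: the real
# schema has many more columns; only the event/iphdr relationship matters).
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT);
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src TEXT, ip_dst TEXT);
"""

# Constructed sample rows: cid 1 is an ordinary rule alert with an IP header
# row; cid 2 is a portscan alert, which gets a signature row only.
SAMPLE = """
INSERT INTO signature VALUES (1, 'WEB-MISC /etc/passwd access');
INSERT INTO signature VALUES (2, 'spp_portscan: PORTSCAN DETECTED from 10.0.0.5');
INSERT INTO event VALUES (1, 1, 1, '2001-09-17 09:00:00');
INSERT INTO event VALUES (1, 2, 2, '2001-09-17 09:00:05');
INSERT INTO iphdr VALUES (1, 1, '192.0.2.10', '192.0.2.20');
"""

def build_db():
    """Create the in-memory sample database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn

def alerts_by_ip(conn, ip):
    """IP criteria need a join with iphdr, so events without one never match."""
    rows = conn.execute(
        "SELECT e.cid FROM event e JOIN iphdr i ON e.sid = i.sid AND e.cid = i.cid "
        "WHERE i.ip_src = ? OR i.ip_dst = ?", (ip, ip))
    return [r[0] for r in rows]

def alerts_by_signature(conn, pattern):
    """Signature criteria only touch the signature table, so portscans match."""
    rows = conn.execute(
        "SELECT e.cid FROM event e JOIN signature s ON e.signature = s.sig_id "
        "WHERE s.sig_name LIKE ?", (pattern,))
    return [r[0] for r in rows]

def displayed_src_ip(sig_name):
    """Recover the address shown for a portscan: parsed from the signature text,
    not read from any IP column, so it is display-only and not searchable."""
    m = re.search(r"PORTSCAN DETECTED from (\d{1,3}(?:\.\d{1,3}){3})", sig_name)
    return m.group(1) if m else None
```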