Snort mailing list archives

ACID default sort order


From: John Sage <jsage () finchhaven com>
Date: Tue, 7 May 2002 11:55:16 -0700

I tried asking this a week ago and got no response, so, being a
glutton for punishment I'll ask again:

What is the default sort order for ACID when displaying the very
fundamental query: "Last 24 hours" "alerts" "listing"?

In other words, show me all alerts for the last 24 hours.

The sort order returned is not obvious, or rather there doesn't seem
to be any:


To: blahblahblah () foobar com
Subject: ACID Incident Report
From: ACID Alert <acid () foobar com>

Generated by ACID v0.9.6b21 on Tue May 07, 2002 10:47:09

#109-2| [2002-05-07 09:28:28] 12.243.218.140 -> 12.82.128.54  ICMP echo request

This (above) is out of order by time and by sensor-id

#109-8| [2002-05-07 10:19:41] 12.165.7.15:137 -> 12.82.128.54:137  UDP to 137 netBIOS ns
#109-7| [2002-05-07 10:19:41] 12.165.7.15:137 -> 12.82.128.54:137  UDP to 137 netBIOS ns
#109-6| [2002-05-07 10:19:39] 12.165.7.15:137 -> 12.82.128.54:137  UDP to 137 netBIOS ns
#109-5| [2002-05-07 10:19:10] 12.165.7.15:137 -> 12.82.128.54:137  UDP to 137 netBIOS ns
#109-4| [2002-05-07 10:19:07] 12.165.7.15:137 -> 12.82.128.54:137  UDP to 137 netBIOS ns
#109-3| [2002-05-07 10:19:04] 12.165.7.15:137 -> 12.82.128.54:137  UDP to 137 netBIOS ns
#109-1| [2002-05-07 09:11:33] 12.82.128.120:1065 -> 12.82.128.54:137  UDP to 137 netBIOS ns

#108-14| [2002-05-07 07:26:15] 199.84.183.4:137 -> 12.82.129.79:137  UDP to 137 netBIOS ns
#108-13| [2002-05-07 07:26:14] 199.84.183.4:137 -> 12.82.129.79:137  UDP to 137 netBIOS ns
#108-12| [2002-05-07 07:26:12] 199.84.183.4:137 -> 12.82.129.79:137  UDP to 137 netBIOS ns

The above alerts are out-of-order relative to those above..

#108-7| [2002-05-07 04:19:09] 12.82.129.235:1028 -> 12.82.129.79:137  UDP to 137 netBIOS ns
#108-6| [2002-05-07 04:07:07] 12.165.7.15:137 -> 12.82.129.79:137  UDP to 137 netBIOS ns
#108-5| [2002-05-07 04:07:06] 12.165.7.15:137 -> 12.82.129.79:137  UDP to 137 netBIOS ns
#108-4| [2002-05-07 04:07:04] 12.165.7.15:137 -> 12.82.129.79:137  UDP to 137 netBIOS ns
#108-3| [2002-05-07 04:06:43] 12.165.7.15:137 -> 12.82.129.79:137  UDP to 137 netBIOS ns
#108-2| [2002-05-07 04:06:42] 12.165.7.15:137 -> 12.82.129.79:137  UDP to 137 netBIOS ns
#108-1| [2002-05-07 04:06:40] 12.165.7.15:137 -> 12.82.129.79:137  UDP to 137 netBIOS ns

#108-11| [2002-05-07 05:26:55] 65.117.191.10:55742 -> 12.82.129.79:111  TCP to 111 sunrpc
#108-10| [2002-05-07 05:26:52] 65.117.191.10:55742 -> 12.82.129.79:111  TCP to 111 sunrpc

The above alerts are out-of-order..

#108-9| [2002-05-07 04:55:18] 148.235.14.185:32263 -> 12.82.129.79:80  TCP to 80 http
#108-8| [2002-05-07 04:55:12] 148.235.14.185:32263 -> 12.82.129.79:80  TCP to 80 http

The above alerts are out-of-order..

#107-3| [2002-05-06 22:07:37] 217.136.191.9 -> 12.82.131.37  ICMP echo request

#107-4| [2002-05-06 22:51:34] 131.183.60.105:4659 -> 12.82.131.37:1433  TCP to 1433 MS MySQL server

blah blah blah...

#107-2| [2002-05-06 16:44:24] 12.245.236.184:4630 -> 12.82.131.37:80  TCP to 80 http
#107-1| [2002-05-06 16:44:21] 12.245.236.184:4630 -> 12.82.131.37:80  TCP to 80 http

#106-1| [2002-05-06 11:29:25] 12.82.131.207:1238 -> 12.82.131.64:137  UDP to 137 netBIOS ns
#106-2| [2002-05-06 12:42:44] 166.114.114.2:3937 -> 12.82.131.64:53  TCP to 53 domain

and blah blah blah..



Is the sensor-id pair not a primary key, or in fact any key whatsoever?

Is the date-time not a primary key, or in fact any key whatsoever?

Again, at the risk of repetition, what should be the primary sort
order for this very fundamental query?


- John
-- 
In those days, you could not buy a $2000 200MHz Pentium server.

PGP key      http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5 
