From: romandanyliw.com
Date: Wed Dec 31 1969 - 17:59:59 CST


    There is no explicit way to identify and delete alerts with an
    "UNKNOWN IP field". Their very existence is an aberration from
    the database logging perspective; they represent incomplete alerts.

    From the Unique Alert listings (acid_stat_alerts.php), you can
    easily see these alerts since they will have a 0 for both unique
    source and destination. Likewise, you can further confirm these alerts
    by looking at the alert name (e.g. Mini-Frag) since all those
    alerts which generate "Unknown IP fields" are well known.
    Select the appropriate alerts and delete them by using the
    pre-defined "actions" at the bottom of the screen. (Note:
    deleting from this screen will require ACID 0.9.6b5+).

    cheers,
    Roman

    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > I have a large number of alerts in ACID with an IP address of
    > UNKNOWN. I understand that these are generated from the
    > preprocessors (port scan, frag detect, etc.) but I can not figure out
    > how to delete these alerts. Any ideas how to search/delete records
    > with an UNKNOWN IP field?
    >
    > Thanks in advance,
    > Jim Webster
    >
    > -----BEGIN PGP SIGNATURE-----
    > Version: PGP 6.5.3
    >
    > iQA/AwUBOqVw4XqoKdiuIf91EQL4rQCdHGq0TxrvMj5tmIdHBce4H4y3BK8AnAnB
    > 8kZBXHUD0VVFyB5jRQnGrSJi
    > =aagu
    > -----END PGP SIGNATURE-----
    >
    > _______________________________________________
    > Snort-users mailing list
    > Snort-userslists.sourceforge.net
    > Go to this URL to change user options or unsubscribe:
    > http://lists.sourceforge.net/lists/listinfo/snort-users
    >

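The reply above describes these "UNKNOWN IP" alerts as events that the database holds without address information. The following added example (not code from the thread, ACID or Snort) shows how an operator could find and clean them up directly in the Snort alert database rather than through the ACID screen. It assumes the Snort database layout of that era, in which each alert is an `event` row keyed by `(sid, cid)` and the addresses live in a separate `iphdr` row that preprocessor alerts never get; the schema below is a constructed miniature with only the columns the example needs, and the sample rows are constructed too. The allow-list check is the extra step a practitioner would want: an event with no `iphdr` row whose signature is not a known preprocessor alert points to a logging problem, not to something safe to delete.

```python
import sqlite3

# Constructed miniature of the Snort database schema (assumption: the real
# schema has many more columns and tables such as tcphdr/udphdr/icmphdr).
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT NOT NULL);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                    PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                    PRIMARY KEY (sid, cid));
CREATE TABLE data  (sid INTEGER, cid INTEGER, data_payload TEXT,
                    PRIMARY KEY (sid, cid));
"""

# Constructed sample rows: two rule alerts with IP headers and three
# preprocessor alerts (portscan, Mini-Frag) logged without an iphdr row.
SIGNATURES = [(1, "WEB-IIS cmd.exe access"),
              (2, "spp_portscan: PORTSCAN DETECTED"),
              (3, "MINI-FRAG")]
EVENTS = [(1, 1, 1, "2001-03-06 10:00:00"), (1, 2, 2, "2001-03-06 10:00:05"),
          (1, 3, 3, "2001-03-06 10:00:07"), (1, 4, 1, "2001-03-06 10:01:00"),
          (1, 5, 2, "2001-03-06 10:02:00")]
IPHDRS = [(1, 1, 3232235777, 167772161), (1, 4, 3232235778, 167772161)]
PAYLOADS = [(1, 1, "474554202f636d642e657865"), (1, 4, "474554202f"),
            (1, 2, "portscan status text")]   # preprocessor alerts may carry data too

# Signature names known to be produced by preprocessors (constructed allow-list).
PREPROCESSOR_SIGNATURES = frozenset({"spp_portscan: PORTSCAN DETECTED", "MINI-FRAG"})

# Every event that has no iphdr row: what ACID renders as UNKNOWN src/dst.
INCOMPLETE_SQL = """
SELECT e.sid, e.cid, s.sig_name
FROM event e
JOIN signature s ON s.sig_id = e.signature
LEFT JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
WHERE i.sid IS NULL
"""


def open_sample_db():
    """Build the constructed in-memory database."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO signature VALUES (?, ?)", SIGNATURES)
    con.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", EVENTS)
    con.executemany("INSERT INTO iphdr VALUES (?, ?, ?, ?)", IPHDRS)
    con.executemany("INSERT INTO data VALUES (?, ?, ?)", PAYLOADS)
    con.commit()
    return con


def find_incomplete_alerts(con):
    """Return (sid, cid, sig_name) for each event lacking an iphdr row."""
    return con.execute(INCOMPLETE_SQL + " ORDER BY e.sid, e.cid").fetchall()


def summarize_by_signature(con):
    """Count incomplete alerts per signature name, the same view the
    Unique Alert listing gives with 0 unique source and destination."""
    rows = con.execute("SELECT sig_name, COUNT(*) FROM (" + INCOMPLETE_SQL +
                       ") AS inc GROUP BY sig_name ORDER BY sig_name").fetchall()
    return dict(rows)


def delete_incomplete_alerts(con, known=PREPROCESSOR_SIGNATURES):
    """Delete incomplete events and their dependent rows.

    Refuses to touch anything if an incomplete event carries a signature
    outside the allow-list: that is a logging failure to investigate, not
    a preprocessor alert to discard. Returns the number of events removed.
    """
    incomplete = find_incomplete_alerts(con)
    unexpected = sorted({name for _, _, name in incomplete if name not in known})
    if unexpected:
        raise ValueError(f"incomplete alerts with unexpected signatures: {unexpected}")
    keys = [(sid, cid) for sid, cid, _ in incomplete]
    # Dependent tables first so no orphan rows are left behind.
    for table in ("data", "event"):
        con.executemany(f"DELETE FROM {table} WHERE sid = ? AND cid = ?", keys)
    con.commit()
    return len(keys)


if __name__ == "__main__":
    db = open_sample_db()
    print("incomplete alerts by signature:", summarize_by_signature(db))
    print("deleted:", delete_incomplete_alerts(db))
```

Against a real deployment the same two queries would be run over the production `event`/`iphdr`/`signature` tables, with the dependent-table list extended to every table keyed by `(sid, cid)` in that schema; the summary step is worth running first, exactly as the reply suggests, so that only the well-known preprocessor names are on the list before anything is deleted.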