From: Blake Frantz (blakemc.net)
Date: Thu Jun 28 2001 - 15:26:02 CDT


    Hello,

    When the snort portscan preprocessor triggers it creates a log called
    'portscan.log.' The contents of this log, which are the scanned hosts, are
    ignored by ACID. I made the following changes to enable the user to view
    this data:

    At line 980 in acid_pkt_sqlcalls.php I made the following changes:

    <original>
          else
                echo ' <A HREF="acid_app_faq.php#1">unknown</A>';
    </original>

    <changed>
          else {
             if( ereg("spp_portscan:.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)", $myrow[2], $store)) {
                echo '<a href="acid_show_ps.php?ip='.$store[1].'">'.$store[1].'</a> ';
             } else {
                echo ' <A HREF="acid_app_faq.php#1">unknown</A>';
             }
          }
    </changed>

    If the alert is a portscan, it searches for the IP and places it in the
    'Source Address' column.

    I then created the file acid_show_ps.php which can be downloaded from:
    http://www.packethack.com/snort/acid_show_ps.php
    An example of the output can be seen at:
    http://www.packethack.com/snort/output_example.html

    acid_show_ps.php takes the contents of 'portscan.log' and puts it in table
    format.

    You can also download the source from:
    http://www.packethack.com/snort/acid_show_ps.php

    I threw it together rather quickly, so any improvements are welcome.

    Blake Frantz

    =================================================================
    The Government, like diapers, should be replaced regularly, and
    often for the same reasons.
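The two pieces the post describes, pulling the scanning host out of an spp_portscan alert message and turning portscan.log into rows, as an added example that is not the poster's acid_show_ps.php and not ACID code. It is written in Python rather than PHP; the portscan.log line layout it parses and all sample lines are assumptions, not taken from the post.

```python
import re

# Same pattern as the ereg() call in the patch: the dotted quad following the
# last space in an spp_portscan message is the scanning host.
PORTSCAN_IP = re.compile(r"spp_portscan:.* (\d+\.\d+\.\d+\.\d+)")

# Assumed portscan.log layout (assumption, not from the post):
#   Mon DD HH:MM:SS src:sport -> dst:dport PROTO [FLAGS]
LOG_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) (?P<proto>\S+)(?: (?P<flags>\S+))?$"
)
DOTTED_QUAD = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

def scanner_ip(alert_msg):
    """Return the scanning host named in an spp_portscan alert, or None."""
    m = PORTSCAN_IP.search(alert_msg)
    return m.group(1) if m else None

def parse_portscan_log(text):
    """Parse portscan.log text into a list of dicts; unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows

def scanned_hosts(rows, ip):
    """Rows for one scanner, the selection acid_show_ps.php?ip=... implies.
    The requested ip is checked to be a dotted quad before it is used as a filter."""
    if not DOTTED_QUAD.match(ip):
        raise ValueError("not a dotted-quad address: %r" % ip)
    return [r for r in rows if r["src"] == ip]

# Constructed sample data (not from the post).
SAMPLE_ALERT = "spp_portscan: PORTSCAN DETECTED from 10.1.1.5 (THRESHOLD 4 connections exceeded in 0 seconds)"
SAMPLE_LOG = """\
Jun 28 15:26:02 10.1.1.5:40001 -> 192.168.0.10:21 SYN ******S*
Jun 28 15:26:02 10.1.1.5:40002 -> 192.168.0.10:22 SYN ******S*
Jun 28 15:26:03 10.1.1.5:40003 -> 192.168.0.11:80 SYN ******S*
Jun 28 15:26:03 10.1.1.5:40004 -> 192.168.0.11:53 UDP
this line does not match the layout and is skipped
Jun 28 15:27:10 10.9.9.9:1024 -> 192.168.0.10:25 SYN ******S*
"""

if __name__ == "__main__":
    ip = scanner_ip(SAMPLE_ALERT)
    for r in scanned_hosts(parse_portscan_log(SAMPLE_LOG), ip):
        print("%s  %s:%s  %s %s" % (r["ts"], r["dst"], r["dport"], r["proto"], r["flags"] or ""))
```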
