OSEC

From: romandanyliw.com
Date: Thu Nov 01 2001 - 16:56:41 CST


    Erik,

    [snip]

    > On the main screen, click on the percentage of total traffic link for
    > portscans. After the first page of portscan data is displayed, click on the
    > "Unique addresses: source" link in the "Summary Statistics" box. Although
    > all my portscans are identified with source IP addresses, clicking on this
    > link shows that all addresses are unknown. I would have expected a summary
    > breakdown of all the unique IP addresses that portscanned me.

    This is not a bug. The IP addresses associated with portscans are not
    actually stored in the database. The fact that you see source addresses
    in the alert listing page is misleading, since this is achieved with "text
    mangling" of the signature. If you have a copy of the portscan.log, you
    can set it in $portscan_file of acid_conf.php and view what portscans a
    particular IP generated. However, getting a list of unique addresses which
    generated portscans is currently not possible.

    > The second bug relates to a link that points to the ports database:

    [snip]

    > payload. In the TCP section, click on either the source or destination port
    > link. These currently point to http://www.snort.org whereas I believe they
    > should be pointing to http://www.portsdb.org/. The $external_port_link
    > variable defined in my acid_conf.php file is set to

    This was fixed in CVS earlier this week.

    Roman
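
Added example, not part of the original message and not ACID code: since the reply says ACID cannot list the unique addresses that generated portscans, this builds that summary directly from a copy of portscan.log. The line layout matched by the regex is an assumption about the file's format, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Assumed layout: "Mon DD HH:MM:SS src:sport -> dst:dport TYPE [flags]"
LINE_RE = re.compile(
    r"^\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s+(?P<kind>\S+)"
)

# Constructed sample input (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
Nov  1 16:50:02 192.0.2.10:4021 -> 198.51.100.5:21 SYN ******S*
Nov  1 16:50:02 192.0.2.10:4022 -> 198.51.100.5:22 SYN ******S*
Nov  1 16:50:03 192.0.2.10:4023 -> 198.51.100.6:23 SYN ******S*
Nov  1 16:51:10 203.0.113.77:53211 -> 198.51.100.5:161 UDP
this line is truncated or malformed
Nov  1 16:52:44 203.0.113.77:53212 -> 198.51.100.5:162 UDP
"""

def summarize_sources(lines):
    """Group log lines by source IP; return (stats, count_of_unparsed_lines)."""
    stats = defaultdict(
        lambda: {"probes": 0, "targets": set(), "ports": set(), "kinds": set()}
    )
    skipped = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            skipped += 1  # count unparsed lines so gaps are visible, not silent
            continue
        entry = stats[m["src"]]
        entry["probes"] += 1
        entry["targets"].add(m["dst"])
        entry["ports"].add(int(m["dport"]))
        entry["kinds"].add(m["kind"])
    return dict(stats), skipped

def report(stats):
    """Rows of (src, probes, distinct targets, distinct ports), busiest first."""
    rows = [(src, s["probes"], len(s["targets"]), len(s["ports"]))
            for src, s in stats.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    stats, skipped = summarize_sources(SAMPLE_LOG.splitlines())
    for row in report(stats):
        print("%-15s probes=%d targets=%d ports=%d" % row)
    print("unparsed lines:", skipped)
```

To run it against a real file, pass an open file handle to `summarize_sources` in place of the sample lines.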


    _______________________________________________
    Snort-users mailing list
    Snort-userslists.sourceforge.net