Re: [Snort-users] ACID v0.9.6b24, spp_portscan2 and spp_portscan
From: Richard Pesce (RPesce
co.amador.ca.us)
Date: Tue Jan 13 2004 - 13:46:32 CST
It may be that the wildcards are causing high database utilization...
How many alerts do you have? (approx)
Were you experiencing the problem that I intended to "fix"?
>>> "Michael Scheidell" <scheidell
blah.net> 01/13/04 11:28AM >>>
makes the startup screen take 10 times as long..
""Richard Pesce"" <RPesce
co.amador.ca.us> wrote in message
news:<s003ccba.020
co.amador.ca.us>...
> ACID v0.9.6b24 and snort 2.06 on red-hat 9 and NO patches :)
>
> spp_portscan(2) was showing up in ACID, however not within the
> acid_stat_common.php page. They were lumped under the TCP and UDP bars
> and stats. In order to "fix" this I made these changes:
>
> file:acid_common.php
> search for: (rawurlencode("spp_portscan")).
> replace with: (rawurlencode("%_portscan%")).
>
> file: acid_stat_common.php
> search for: "WHERE sig_name LIKE '%spp_portscan%'");
> replace with: "WHERE sig_name LIKE '%_portscan%'");
> search for: "WHERE signature LIKE 'spp_portscan%'");
> replace with: "WHERE signature LIKE '%_portscan%'");
>
> For some reason the spp_portscan(2) was showing up as spp\_portscan(2)
> and thus breaking the acid portscan functionality.
>
> I hope this helps with all those notorious "Acid not displaying
> portscans" help requests.
>
> rpesce
co.amador.ca.us
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: Perforce Software.
> Perforce is the Fast Software Configuration Management System
offering
> advanced branching capabilities and atomic changes on 50+ platforms.
> Free Eval! http://www.perforce.com/perforce/loadprog.html
> _______________________________________________
> Snort-users mailing list
> Snort-users
lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> ---
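An added example, not part of the thread or of ACID's code: it uses Python's sqlite3 as a stand-in for the ACID database to show which signature names the old and new LIKE patterns select, and how the query plan changes once the pattern begins with `%`. The table layout, the index on sig_name and the sample signature names are constructed assumptions.

```python
import sqlite3

# Constructed sample names; the backslash form is the one the post describes.
SAMPLE_SIGS = [
    "spp_portscan: PORTSCAN DETECTED",     # plain preprocessor name
    r"spp\_portscan: PORTSCAN DETECTED",   # stored with an escaped underscore
    r"spp\_portscan2: Portscan detected",
    "LOCAL custom portscan rule",          # unrelated rule that mentions portscan
    "ICMP PING NMAP",
]

def build_db(filler=2000):
    """In-memory stand-in for the signature table (schema is an assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT)")
    # A NOCASE index is what SQLite needs to serve its case-insensitive LIKE.
    db.execute("CREATE INDEX sig_name_idx ON signature (sig_name COLLATE NOCASE)")
    rows = SAMPLE_SIGS + [f"WEB-MISC constructed rule {i}" for i in range(filler)]
    db.executemany("INSERT INTO signature (sig_name) VALUES (?)", [(r,) for r in rows])
    return db

def matches(db, pattern):
    """Sample signature names selected by a LIKE pattern, in insertion order."""
    sql = "SELECT sig_name FROM signature WHERE sig_name LIKE ? ORDER BY sig_id"
    return [r[0] for r in db.execute(sql, (pattern,)) if r[0] in SAMPLE_SIGS]

def plan(db, pattern):
    """First word of the query plan: SEARCH = index range, SCAN = every row."""
    # The pattern is inlined as a quoted literal so the planner can see its
    # fixed prefix; single quotes are doubled to keep the literal well-formed.
    literal = pattern.replace("'", "''")
    sql = f"EXPLAIN QUERY PLAN SELECT count(*) FROM signature WHERE sig_name LIKE '{literal}'"
    return db.execute(sql).fetchone()[3].split()[0]

if __name__ == "__main__":
    db = build_db()
    # '_' is a one-character wildcard in LIKE, so the old pattern cannot span
    # the two characters of '\_', while the new one accepts any character
    # before 'portscan', including the space in the unrelated rule name.
    for p in ("%spp_portscan%", "%_portscan%"):
        print(p, "->", matches(db, p))
    # Anchored pattern from acid_stat_common.php versus its replacement.
    for p in ("spp_portscan%", "%_portscan%"):
        print(p, "->", plan(db, p))
```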