Snort mailing list archives

RE: snort and acid - Traffic Profile by Protocol doesn't update correctly


From: "John Oost" <johnoost () hotmail com>
Date: Sat, 11 Sep 2004 10:46:45 +0000

Thanks for the reply. If that's the case then it doesn't work. The output from snort -v doesn't match the traffic bars in Acid. It seems it just doesn't update the traffic stats correctly. I already tried disabling the caching of IE but that didn't work either. Any ideas?


From: "Harper, Patrick" <patrick.harper () phns com>
To: "John Oost" <johnoost () hotmail com>,<snort-users () lists sourceforge net>
Subject: RE: [Snort-users] snort and acid - Traffic Profile by Protocol doesn't update correctly
Date: Sat, 11 Sep 2004 05:26:39 -0500

That is just the traffic that snort saw.  If it matches any rule it gets
put in the alert file and sent to whatever your output option is set
for, in your case the mysql database.  If you want to make sure you're
getting alerts, scan it with one of the scanners I have listed at the
bottom of that paper.


-----Original Message-----
From: John Oost [mailto:johnoost () hotmail com]
Sent: Saturday, September 11, 2004 2:31 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] snort and acid - Traffic Profile by Protocol
doesn't update correctly

Hi All,

I just installed snort and acid for the first time and quickly read
through the manuals. I installed snort and Acid on Redhat 9 using
Patrick Harper's installation guide. Everything seems to work fine
except for the "Traffic Profile by Protocol" display of acid. This
display just doesn't seem to update every time. When I run snort -v and
press ctrl-c after a while it tells me that 99% of the traffic was tcp.
The display in Acid displays 79% udp and 3% tcp. Is this display
supposed to show the traffic that snort has "sniffed" or the traffic
that was identified as "bad"? If it's the first, is this a known error?

Best regards,




-------------------------------------------------------
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM.
Deadline: Sept. 13. Go here: http://sf.net/ppc_contest.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users