This is a discussion on [Snort-users] Portscan shows 100% traffic in ACID's main window within the Snort forums, part of the System Security and Security Related category.
Hi, all

I currently run snort 2.0.5, ACID and mysql, with the portscan log enabled, on Solaris 9; they are all installed on the same box. Through a cron job, I back up the mysql database on the nights of Monday, Wednesday and Friday. I also rotate the portscan log every night by stopping and starting snort.

If the box is fresh, such as after a reboot, I can see everything in "Traffic Profile by Protocol", such as TCP, UDP, ICMP and Portscan Traffic, each with its own percentage of the total traffic that snort logged.

After several days or a week that Solaris stays up without rebooting, while the box goes through the mysql database backup and the portscan log rotation (otherwise the portscan log is so huge), I can only see portscan traffic (100%) in the "Traffic Profile by Protocol" of the main page of ACID. The TCP, UDP and ICMP traffic are all 0%, as if they never happened. I did stop and start snort and checked the mysql database, which has new records logged after the backup, but no help. The only way that I found to fix the problem is to reboot Solaris; then I can see TCP, UDP, ICMP and Traffic Profile by Protocol in the "Traffic Profile by Protocol" of the main page of ACID.

Does anyone know why? Thanks in advance.

Ryan Jiang
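A check a practitioner would want when ACID's per-protocol figures look wrong is to compute the same profile straight from the Snort event tables and compare it with what the main page displays. The following is an added example, not code from the post, from Snort or from ACID: it builds an in-memory SQLite copy of an assumed subset of the Snort database schema (`event`, `signature`, `iphdr`; the column names are my assumption based on the Snort 2.x create_mysql script), loads constructed sample alerts, counts events per IP protocol, and counts portscan preprocessor alerts by signature name. How ACID itself buckets portscan alerts against the IP-protocol counts is not shown here; the sample data assumes portscan alerts carry no `iphdr` row.

```python
import sqlite3

# Assumed subset of the Snort 2.x database schema that ACID reads (event,
# signature, iphdr). Column names follow Snort's create_mysql script as I
# recall it; this is an assumption of the added example, not code from the
# post, from Snort or from ACID.
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT NOT NULL);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER,
                    timestamp TEXT, PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                    ip_proto INTEGER, PRIMARY KEY (sid, cid));
"""

# IANA protocol numbers for the three buckets ACID displays.
PROTO_NAMES = {6: "TCP", 17: "UDP", 1: "ICMP"}


def open_sample_db():
    """Build an in-memory database with constructed sample alerts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO signature VALUES (?, ?)", [
        (1, "WEB-MISC sample rule (constructed)"),
        (2, "DNS sample rule (constructed)"),
        (3, "ICMP sample rule (constructed)"),
        (4, "spp_portscan: PORTSCAN DETECTED (constructed)"),
    ])
    # Constructed rows: (sid, cid, signature, timestamp, ip_proto or None).
    sample = [
        (1, 1, 1, "2004-01-12 01:00:00", 6),
        (1, 2, 1, "2004-01-12 01:01:00", 6),
        (1, 3, 1, "2004-01-12 01:02:00", 6),
        (1, 4, 2, "2004-01-12 01:03:00", 17),
        (1, 5, 2, "2004-01-12 01:04:00", 17),
        (1, 6, 3, "2004-01-12 01:05:00", 1),
        # Portscan preprocessor alerts: assumed here to carry no iphdr row.
        (1, 7, 4, "2004-01-12 01:06:00", None),
        (1, 8, 4, "2004-01-12 01:07:00", None),
        (1, 9, 4, "2004-01-12 01:08:00", None),
        (1, 10, 4, "2004-01-12 01:09:00", None),
    ]
    for sid, cid, sig, ts, proto in sample:
        conn.execute("INSERT INTO event VALUES (?, ?, ?, ?)", (sid, cid, sig, ts))
        if proto is not None:
            conn.execute("INSERT INTO iphdr VALUES (?, ?, ?, ?, ?)",
                         (sid, cid, 0x0A000001, 0x0A000002, proto))
    conn.commit()
    return conn


def protocol_profile(conn):
    """Count events per bucket directly from the event tables.

    Returns a dict with TCP/UDP/ICMP/Portscan counts plus the total number of
    events, so the result can be compared with ACID's main page.
    """
    counts = {"TCP": 0, "UDP": 0, "ICMP": 0, "Portscan": 0}
    for proto, n in conn.execute(
        "SELECT i.ip_proto, COUNT(*) FROM event e "
        "JOIN iphdr i ON e.sid = i.sid AND e.cid = i.cid "
        "GROUP BY i.ip_proto"
    ):
        name = PROTO_NAMES.get(proto)
        if name is not None:
            counts[name] = n
    # Portscan alerts are identified by the preprocessor's signature name.
    counts["Portscan"] = conn.execute(
        "SELECT COUNT(*) FROM event e JOIN signature s ON e.signature = s.sig_id "
        "WHERE s.sig_name LIKE 'spp_portscan%'"
    ).fetchone()[0]
    counts["total"] = conn.execute("SELECT COUNT(*) FROM event").fetchone()[0]
    return counts


def percentages(counts):
    """Express each bucket as a percentage of all events, like ACID's profile."""
    total = counts["total"]
    if total == 0:
        return {k: 0.0 for k in counts if k != "total"}
    return {k: round(100.0 * v / total, 1)
            for k, v in counts.items() if k != "total"}


if __name__ == "__main__":
    db = open_sample_db()
    profile = protocol_profile(db)
    for name, pct in percentages(profile).items():
        print(f"{name:9s} {profile[name]:4d} events  {pct:5.1f}%")
```

To run this against a live sensor database, replace `open_sample_db()` with a connection to the real MySQL instance; the queries carry no bind parameters, so they work unchanged. If the direct counts show TCP, UDP and ICMP events during the period in which ACID reports 0% for them, the records are present and the discrepancy lies between the database and what ACID's main page renders rather than in what snort logged.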