[Snort-devel] ACID archive problem: "Ignored XXX Duplicate Events" on archive

Cloppert, Michael Michael.Cloppert at ...1554...
Fri Aug 30 05:36:05 EDT 2002


> > Background:
> > I'm not sure if this is the correct forum for this sort of thing, but I've
> > tried the snort-users list and gotten virtually no feedback.  This is a VERY
> > big problem given the way our company has decided our IDS deployment is
> > going to work, so I am in dire need of some help before management decides
> > it's not worth the problems and ditches our Snort pilot project.
> 
> I don't know anything at all about ACID.  That said, can you tell us
> something about how your company decided your IDS deployment is going
> to work?
> 
> Just curious over what your goals are.

I was referring to our approach to the analysis of snort events more than
our deployment as a whole - that I didn't make very clear.  After snort
captures events and puts them into my "snort" MySQL database, the events
will be analyzed by myself or my teammates a number of times a day.  At this
point we delete any events determined to be false positives, any that appear
to be serious we'd take immediate action on.  All non-false-positives are
put into our "snort_archive" database for long-term trending and analysis.
This database is configured identically to the "snort" database.  This way,
when we pull up ACID for our "snort" database (I'll presume that you do know
what ACID is), the only events we see are *new* events.  This is important
so that when we leave for the day, the guys in network control who keep an
eye on the IDS over nights and weekends aren't confused by old events we've
already analyzed (they page us if certain criteria are met, at which point
we investigate).

That being said, it's important for us to be able to move these events into
our archive database for the whole process to work smoothly.

Mike
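The archive step described in the message above, sketched as an added example that is not part of the original thread and is not ACID's or Snort's own code. It assumes a deliberately simplified `event` table with only `(sid, cid, signature, timestamp)`, keyed on the `(sid, cid)` pair the Snort database schema uses; the real schema has further tables (packet headers, payload) keyed on the same pair that would be copied inside the same transaction. It keeps SQLite in memory so it runs offline, and the sample rows are constructed. The point it adds is what to do when the archive already holds the key: an identical row is treated as an earlier run that did not finish, while a row with different content is reported as a conflict and left untouched in both databases rather than silently ignored.

```python
"""Move analysed Snort events from the live database to an archive database,
reporting rows whose (sid, cid) key already exists in the archive.

Added example (not from the original thread, ACID or Snort). Uses SQLite in
memory and an assumed, simplified event table; constructed sample rows.
"""
import sqlite3
from dataclasses import dataclass, field

# Assumed minimal schema; the real Snort schema has more columns and tables.
SCHEMA = """
CREATE TABLE event (
    sid       INTEGER NOT NULL,   -- sensor id
    cid       INTEGER NOT NULL,   -- per-sensor event counter
    signature INTEGER NOT NULL,   -- rule / signature id
    timestamp TEXT    NOT NULL,
    PRIMARY KEY (sid, cid)
);
"""

SELECT_ONE = "SELECT sid, cid, signature, timestamp FROM event WHERE sid=? AND cid=?"
DELETE_ONE = "DELETE FROM event WHERE sid=? AND cid=?"


@dataclass
class ArchiveResult:
    archived: int = 0          # copied into archive and removed from live
    already_archived: int = 0  # identical row already in archive; removed from live
    conflicts: list = field(default_factory=list)  # key exists with different content


def new_db(rows=()):
    """Create an in-memory database with the assumed schema and optional rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def archive_events(live, archive, keys):
    """Archive the events identified by keys, an iterable of (sid, cid) pairs.

    Each database is committed as one transaction; a failure rolls both back.
    (Two connections cannot be committed atomically together; a production
    script would ATTACH the archive to the live connection instead.)
    """
    result = ArchiveResult()
    try:
        for sid, cid in keys:
            row = live.execute(SELECT_ONE, (sid, cid)).fetchone()
            if row is None:
                continue  # already gone, e.g. deleted as a false positive
            existing = archive.execute(SELECT_ONE, (sid, cid)).fetchone()
            if existing is None:
                archive.execute("INSERT INTO event VALUES (?, ?, ?, ?)", row)
                live.execute(DELETE_ONE, (sid, cid))
                result.archived += 1
            elif existing == row:
                # Same key, same content: an earlier run copied it but did not
                # finish deleting it from live, so removing it now is safe.
                live.execute(DELETE_ONE, (sid, cid))
                result.already_archived += 1
            else:
                # Same key, different content: neither overwrite the archive
                # nor lose the live row; leave both for a human to resolve.
                result.conflicts.append((sid, cid))
        archive.commit()
        live.commit()
    except Exception:
        archive.rollback()
        live.rollback()
        raise
    return result


def demo():
    """Constructed sample: one new event, one identical duplicate, one conflict."""
    live = new_db([(1, 10, 1000, "2002-08-29 10:00:00"),
                   (1, 11, 1001, "2002-08-29 10:05:00"),
                   (1, 12, 1002, "2002-08-29 10:10:00")])
    archive = new_db([(1, 11, 1001, "2002-08-29 10:05:00"),   # identical copy
                      (1, 12, 9999, "2002-08-29 10:10:00")])  # same key, other signature
    res = archive_events(live, archive, [(1, 10), (1, 11), (1, 12), (1, 13)])
    live_left = [r[0] for r in live.execute("SELECT cid FROM event ORDER BY cid")]
    in_archive = [r[0] for r in archive.execute("SELECT cid FROM event ORDER BY cid")]
    return res, live_left, in_archive


if __name__ == "__main__":
    result, live_left, in_archive = demo()
    print(result)
    print("still in live:", live_left, "in archive:", in_archive)
```

Running `demo()` archives event 10, recognises 11 as already archived, and leaves 12 in the live database while reporting it as a conflict, so the count of "duplicate" events is split into the harmless and the suspicious case rather than lumped together.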