[Snort-users] Trimming/Archiving Snort Data from a MYSQL Db. (How do you do it?)

Bill Marquette wlmarque at ...8...
Mon Oct 30 09:12:40 EST 2000


Since I was probably the main person to have requested the AG feature I'll try
to explain how I saw them happening.

In any given set of alerts there will be some cruft that you want to weed out.
If you can create a search to select them you can easily delete them; this is
still a manual process allowing you to evaluate the alerts before doing a mass
delete on them.  However, there will always be a certain number of alerts you
want to keep indefinitely (or until your predetermined archival date).  For
instance, I get a scan from 10.1.1.1 and want to archive all the notes on that
scan as one event instead of the 100 or so that snort puts them in.  I can
create a search using the really well built search feature Roman put into ACID
and select the relevant events and add them to an AG.

Hope that helps a bit.  I've been running 0.9.5b2 for some time now, I think
I'll have to check out 0.9.5b4 and see what's new in it :)

--Bill
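The workflow Bill describes (search for the found set, review it, then either keep it as an Alert Group or trim it) as an added worked example in MySQL, not from the thread or from ACID's own code. The table and column names (event, iphdr, signature, acid_ag, acid_ag_alert) are assumed from the stock Snort and ACID schemas, and the event_archive table is a hypothetical copy of event's layout; check all of them against your own create_mysql and ACID scripts before running.

```sql
-- Constructed example, not from the thread or from ACID itself.
-- Assumes the stock Snort MySQL schema (event, iphdr, signature keyed
-- by sid,cid), ACID's alert-group tables acid_ag / acid_ag_alert, an
-- archive table event_archive with the same columns as event, InnoDB
-- tables (so the transaction is real), and MySQL 4.0+ syntax for the
-- multi-table DELETE.

-- 1. Review the found set exactly as ACID's search would show it:
--    every alert whose source address is 10.1.1.1.
SELECT e.sid, e.cid, e.timestamp, s.sig_name
  FROM event e
  JOIN iphdr     i ON i.sid = e.sid AND i.cid = e.cid
  JOIN signature s ON s.sig_id = e.signature
 WHERE i.ip_src = INET_ATON('10.1.1.1');

-- 2. Keep the scan as one event: create the alert group and attach the
--    found set to it, so the 100-odd rows stay reachable under a single
--    name instead of being lost when the live table is trimmed.
INSERT INTO acid_ag (ag_name, ag_desc, ag_ctime)
VALUES ('scan-10.1.1.1', 'Scan from 10.1.1.1 on 2000-10-28', NOW());
SET @ag = LAST_INSERT_ID();
INSERT INTO acid_ag_alert (ag_id, ag_sid, ag_cid)
SELECT @ag, e.sid, e.cid
  FROM event e
  JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
 WHERE i.ip_src = INET_ATON('10.1.1.1');

-- 3. Trim the cruft that is older than the archival date and NOT in any
--    alert group, copying it to the archive table in the same
--    transaction: a failed DELETE then cannot leave you with neither the
--    live rows nor the archive. (The matching tcphdr/udphdr/icmphdr/data
--    rows should be removed the same way; omitted here for brevity.)
BEGIN;
INSERT INTO event_archive
SELECT e.*
  FROM event e
  LEFT JOIN acid_ag_alert a ON a.ag_sid = e.sid AND a.ag_cid = e.cid
 WHERE a.ag_id IS NULL
   AND e.timestamp < DATE_SUB(NOW(), INTERVAL 30 DAY);
DELETE e, i
  FROM event e
  JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
  LEFT JOIN acid_ag_alert a ON a.ag_sid = e.sid AND a.ag_cid = e.cid
 WHERE a.ag_id IS NULL
   AND e.timestamp < DATE_SUB(NOW(), INTERVAL 30 DAY);
COMMIT;
```

Run step 1 on its own first and compare the row count with what ACID shows; only when the found set is what you expect should steps 2 and 3 be executed.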



From: "Frank Reid" <fcreid at ...691...> on 10/29/2000 07:56 AM

To:   "Ian Jones" <ian at ...686...>
cc:   snort-users at lists.sourceforge.net
Client:
Subject:  RE: [Snort-users] Trimming/Archiving Snort Data from a MYSQL Db. (How
      do you do it?)



Any HOWTO on using the new Alert Group feature in ACID?  From the context, I
assume one can now assign alerts into various groups (e.g. severe, minor,
etc.) to facilitate weeding through them.  I'm not sure if that's done in
the rules file or in the PHP script itself.  Guess I'll have to delve into
it and figure it out.

Frank

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Ian Jones
Sent: Saturday, October 28, 2000 14:29
To: Bill Marquette; box.inter-tel.net
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Trimming/Archiving Snort Data from a MYSQL
Db. (How do you do it?)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The latest version of ACID does allow you to delete a found set of
alerts. I am using version acid-0.9.5b4 and it will trim alerts.

- From the ACID README:
>+ See http://www.cert.org/kb/acid for the most up to date
>+ information and documentation about this application.
>+
>+ Mirrored: http://www.andrew.cmu.edu/~rdanyliw/snort/
>+ (usually contains the latest beta code)

Archival would be nice. Even nicer would be the ability to export a
found set to a flat text file. Not complaining, though. It is great
in its present state.

Ian Jones

- ----- Original Message -----
Subject: Re: [Snort-users] Trimming/Archiving Snort Data from a MYSQL
Db. (How do you do it?)
> The next release of ACID will have an option to remove database
> entries.



_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
http://lists.sourceforge.net/mailman/listinfo/snort-users
