[Snort-users] clarification on ACID alert deleting/archiving and alert groups

Roman Danyliw roman at ...438...
Mon Oct 30 11:08:22 EST 2000


Other AirCERT issues have kept me rather busy, so sorry about this
untimely reply.

I have just drafted some documentation describing the current ACID
functionality:

http://www.andrew.cmu.edu/~rdanyliw/snort/snortacid.html

It should address questions surrounding Alert Groups and Alert
deleting.  However, to answer your question quickly, Frank, there is no
support for priorities in ACID, since the underlying database does not,
because Snort doesn't support priorities.  Alert groups are used to
logically group alerts _manually_.  However, check out the FAQ on
strategies to hack some priorities on top of the alerts and how to use the
alert deletion facilities.

It would appear that there is some community desire for the
ability to archive and export from ACID so I will look into these issues.

I highly recommend that everyone upgrade to ACID version 0.9.5b6 in order
to fix some minor bugs and features I added along the way.

Roman

On Sun, 29 Oct 2000, Frank Reid wrote:

> Any HOWTO on using the new Alert Group feature in ACID?  From the
> context, I assume one can now assign alerts into various groups (e.g. severe,
> minor, etc.) to facilitate weeding through them.  I'm not sure if that's done
> in the rules file or in the PHP script itself.  Guess I'll have to delve
> into it and figure it out.
>
> Frank
>
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Ian Jones
> Sent: Saturday, October 28, 2000 14:29
> To: Bill Marquette; box.inter-tel.net
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Trimming/Archiving Snort Data from a MYSQL
> Db. (How do you do it?)
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> The latest version of ACID does allow you to delete a found set of
> alerts. I am using version acid-0.9.5b4 and it will trim alerts.
> 
> - From the ACID README:
> >+ See http://www.cert.org/kb/acid for the most up to date
> >+ information and documentation about this application.
> >+
> >+ Mirrored: http://www.andrew.cmu.edu/~rdanyliw/snort/
> >+ (usually contains the latest beta code)   
> 
> Archival would be nice. Even nicer would be the ability to export a
> found set to a flat text file. Not complaining, though. It is great
> in its present state.
> 
> Ian Jones
>
> - ----- Original Message -----
> Subject: Re: [Snort-users] Trimming/Archiving Snort Data from a MYSQL
> Db. (How do you do it?)
> > The next release of ACID will have an option to remove database
> > entries.
> 
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users