[Snort-users] snort and ACID

Kevin.Brown at ...1022...
Mon Jan 29 23:21:19 EST 2001


Just a warning.  You may want to set up replication on the database as the
sensors will hang while you run queries on the database.  According to the
developers they are working on fixing this in a future version of snort
(hopefully in 2.x).  I'm trying to find a way to do two way replication so I
can use ACID to maintain the database.

> I am setting up several snort sensors reporting to an
> ACID console. These will be monitored 24/7
> In order to reduce the number of callouts (I already
> have the sensor noise down as far as I want to go), I
> need to implement some intelligence on the ACID 
> console that will do the following:
> 
> - classify the event (high or low)
> - be triggered (somehow) by event update.
> - at predefined times analyse the received events and
>   do some pattern matching and produce a report.
> 
> Before I jump into this, has anyone done something like
> this already?
> My ACID console is using mysql (because I've used it b4 
> and it's free), but from reading the latest notes on it, 
> it doesn't support triggers or stored procedures, so I guess
> I might have to go for some other D/B (anything but Oracle!).
> 
> Another requirement I have, is due to the possible number of
> sensors (might be up to 36 across New Zealand), the management
> of the snort policy (rules file), will need tailoring and 
> dispensing from a single point (hey why not use the ACID console?)
> Has anyone been down this track of automating policy versions
> across multiple sensors?