[Snort-users] Re: ACID & $archive_dbname

roman at ...438...
Thu Oct 11 10:37:14 EDT 2001


If I am understanding you correctly, ACID is correctly archiving the
actual Snort alerts.  However, the various meta information generated by
Snort is not being propagated to the archive database (e.g. AG
information, the event cache).

Am I correct in assuming you want this ACID meta-information to propagate
to the archive database?  Copying over alert group information could be
possible, but moving over the event cache does not seem necessary.  By
definition the acid_event table is a cache; something to be flushed and
easily rebuilt as necessary.

Did I understand you correctly?

On 7 Oct 2001, John Ruff wrote:

> Roman:
> As you can see from the messages below using ACID to query the
> archived_DB is a great idea.  However, the archive(move or copy)
> functionality in ACID doesn't archive the related events from the
> 'active DBs' ACID tables to the 'archive DB'.
> Would it be possible for the next release of ACID to perform a check
> on the 'archive DB' for the existence of ACID tables and if so extend
> the archive(move or copy) function to include the events in the ACID
> tables.  Or maybe even just a variable in the acid_conf.php that
> determined whether the archive function would include the ACID tables.
> Best Regards,
> John Ruff
> [...SNIP from snort-users...]
> ++++++++++++++++++++++++++++++++++++
> I am currently using the dual directory to access my archived database.
> However, I've run into a little problem with regards to this setup.
> Because the alerts are being logged into the 'active DB' only the ACID
> tables in the 'active DB' are being updated.  Then when you archive
> events to your 'archive DB' the entries in the 'active DBs' ACID tables
> are not archived(move or copy) as well.  Therefore when you go to display
> the stats for your 'archive DB' via ACID the counts are not updated.  You
> have to manually delete the ACID tables, then hit the
> 'acid_archive/index.html' page to have the tables recreated and the
> 'archive DB' parsed again.  Then the counts are correct.
> Does anyone have a solution that will allow the related ACID table
> events to be archived to the 'archive DB' when doing a move or copy from
> the 'active DB'?
> +++++++++++++++++++++++++++++++++++++++

This message was sent using Voicenet WebMail.
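The behaviour discussed in this thread (an archive move/copy that carries the alert-group membership along with the event rows, and an acid_event cache that is simply flushed and rebuilt rather than copied) can be modelled in a few lines against SQLite. The following is an added example written for this page; it is not ACID's own code, and the table layouts for event, acid_ag, acid_ag_alert and acid_event are simplified assumptions, not the real ACID schema. It also handles the one detail a naive copy gets wrong: ag_id values are looked up by group name in the archive DB rather than copied verbatim, so a group id that is already in use in the archive is not clobbered.

```python
import sqlite3

# Constructed, simplified stand-ins for the Snort "event" table, the ACID
# alert-group tables (acid_ag, acid_ag_alert) and the acid_event cache.
# These column sets are assumptions for this example, not ACID's real schema.
SCHEMA = """
CREATE TABLE event (
    sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
    PRIMARY KEY (sid, cid));
CREATE TABLE acid_ag (
    ag_id INTEGER PRIMARY KEY, ag_name TEXT UNIQUE, ag_desc TEXT);
CREATE TABLE acid_ag_alert (
    ag_id INTEGER, ag_sid INTEGER, ag_cid INTEGER,
    PRIMARY KEY (ag_id, ag_sid, ag_cid));
CREATE TABLE acid_event (
    sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
    PRIMARY KEY (sid, cid));
"""


def new_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def seed_active(db):
    """Constructed sample data: three alerts in two alert groups."""
    db.executemany("INSERT INTO event VALUES (?,?,?,?)", [
        (1, 1, 100, "2001-10-07 10:00:00"),
        (1, 2, 100, "2001-10-07 10:00:05"),
        (1, 3, 200, "2001-10-07 11:00:00"),
    ])
    db.executemany("INSERT INTO acid_ag VALUES (?,?,?)", [
        (1, "portscans", "scan events under review"),
        (2, "web", "web server alerts"),
    ])
    db.executemany("INSERT INTO acid_ag_alert VALUES (?,?,?)",
                   [(1, 1, 1), (1, 1, 2), (2, 1, 3)])
    db.commit()


def seed_archive(db):
    """The archive already owns ag_id 1, so ids must be remapped by name."""
    db.execute("INSERT INTO acid_ag VALUES (1, 'old-stuff', 'pre-existing group')")
    db.commit()


def archive_group_id(archive, ag_name, ag_desc):
    """Return the archive's ag_id for this group name, creating it if absent."""
    row = archive.execute("SELECT ag_id FROM acid_ag WHERE ag_name = ?",
                          (ag_name,)).fetchone()
    if row:
        return row[0]
    cur = archive.execute("INSERT INTO acid_ag (ag_name, ag_desc) VALUES (?,?)",
                          (ag_name, ag_desc))
    return cur.lastrowid


def archive_events(active, archive, keys, move=True):
    """Copy (or move) the events named by (sid, cid) pairs from the active DB
    to the archive DB, carrying their alert-group membership along."""
    for sid, cid in keys:
        ev = active.execute("SELECT sid, cid, signature, timestamp FROM event "
                            "WHERE sid=? AND cid=?", (sid, cid)).fetchone()
        if ev is None:
            continue
        archive.execute("INSERT OR IGNORE INTO event VALUES (?,?,?,?)", ev)
        groups = active.execute(
            "SELECT g.ag_name, g.ag_desc FROM acid_ag g "
            "JOIN acid_ag_alert a ON a.ag_id = g.ag_id "
            "WHERE a.ag_sid=? AND a.ag_cid=?", (sid, cid)).fetchall()
        for ag_name, ag_desc in groups:
            ag_id = archive_group_id(archive, ag_name, ag_desc)
            archive.execute("INSERT OR IGNORE INTO acid_ag_alert VALUES (?,?,?)",
                            (ag_id, sid, cid))
        if move:
            active.execute("DELETE FROM acid_ag_alert WHERE ag_sid=? AND ag_cid=?",
                           (sid, cid))
            active.execute("DELETE FROM event WHERE sid=? AND cid=?", (sid, cid))
    active.commit()
    archive.commit()


def rebuild_event_cache(db):
    """Flush and rebuild acid_event from event; returns the new row count.
    This is the scripted equivalent of deleting the ACID tables and letting
    the front end recreate them, as described in the thread."""
    db.execute("DELETE FROM acid_event")
    db.execute("INSERT INTO acid_event SELECT sid, cid, signature, timestamp FROM event")
    db.commit()
    return db.execute("SELECT COUNT(*) FROM acid_event").fetchone()[0]


def ag_counts(db):
    """Alert-group name -> number of member alerts (what the AG stats show)."""
    rows = db.execute(
        "SELECT g.ag_name, COUNT(a.ag_cid) FROM acid_ag g "
        "LEFT JOIN acid_ag_alert a ON a.ag_id = g.ag_id GROUP BY g.ag_name")
    return dict(rows)


def demo():
    active, archive = new_db(), new_db()
    seed_active(active)
    seed_archive(archive)
    archive_events(active, archive, [(1, 1), (1, 2)], move=True)
    return {
        "active_events": active.execute("SELECT COUNT(*) FROM event").fetchone()[0],
        "archive_events": archive.execute("SELECT COUNT(*) FROM event").fetchone()[0],
        "active_groups": ag_counts(active),
        "archive_groups": ag_counts(archive),
        "archive_cache_rows": rebuild_event_cache(archive),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

After the move, the archive's "portscans" group holds the two moved alerts under a freshly assigned ag_id, the pre-existing "old-stuff" group is untouched, and the archive's acid_event cache is rebuilt from scratch rather than copied, which is the split the reply above suggests: propagate AG membership, regenerate the cache.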
