[Snort-users] ACID - acknowledgement of events ?

Hicks, John JHicks at ...5857...
Wed Jul 17 09:02:06 EDT 2002

<!-- snip -->
Do you archive already seen interesting events and
perform correlations in archive ?
<!-- snip -->

That's exactly how I manage mine. Investigate, email (if required), move to
Archive for correlation.

This is an area where I would like to see a lot of development happen. In
particular, even though ACID has native support for an archive, there's no
real way to view it. I end up creating a copy of ACID in /acid/archive and
changing the default db to snort_archive. Better integration might also
provide a way to check if an IP causing a new alert is listed in the

some thoughts,

John Hicks

-----Original Message-----
From: Petr Ruzicka [mailto:petr_ruzicka at ...131...]
Sent: Monday, July 15, 2002 7:42 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] ACID - acknowledgement of events ?

Hi, I have used Snort + ACID for some time and I would like
to know how you deal with "acknowledged" events.
Let's say I have a couple of events that I have already
seen and I prefer not to delete them for future
analysis/comparison etc. But very soon I have a lot of
such events and I'm becoming lost.
Does ACID have something like "read/unread" events?
Do you archive already seen interesting events and
perform correlations in archive?

Petr R.
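The archive cross-check John Hicks asks for above (is the source IP of a new alert already present in the archive, and what did it trigger before?) can be done with a single query across the live and archive databases. The following is an added example, not code from ACID, Snort or either poster. It uses SQLite with a deliberately simplified, hypothetical table layout (one `alert` table with timestamp, source IP, destination IP and signature name); ACID's real MySQL schema splits this across several tables, so the query would need adapting. The alert rows are constructed sample data, not real Snort output.

```python
import sqlite3
from typing import Dict, List, Tuple

# Constructed sample rows (not real Snort output).
# Columns: timestamp, source IP, destination IP, signature name.
NEW_ALERTS = [
    ("2002-07-15 19:42:00", "10.0.0.5", "192.0.2.10", "WEB-MISC cgi-bin access"),
    ("2002-07-15 19:43:10", "10.0.0.9", "192.0.2.10", "ICMP PING"),
    ("2002-07-15 19:44:05", "10.0.0.5", "192.0.2.11", "SCAN nmap TCP"),
]
ARCHIVED_ALERTS = [
    ("2002-07-01 08:00:00", "10.0.0.5", "192.0.2.10", "WEB-MISC cgi-bin access"),
    ("2002-07-03 11:15:00", "10.0.0.5", "192.0.2.12", "SCAN nmap TCP"),
    ("2002-07-05 23:10:00", "10.0.0.7", "192.0.2.10", "ICMP PING"),
]

# Hypothetical simplified schema; ACID's real tables (event, iphdr,
# signature, ...) are more elaborate than this.
SCHEMA = """
CREATE TABLE {name} (
    ts       TEXT NOT NULL,
    ip_src   TEXT NOT NULL,
    ip_dst   TEXT NOT NULL,
    sig_name TEXT NOT NULL
)
"""


def open_databases(new_rows, archived_rows) -> sqlite3.Connection:
    """Return a connection whose 'main' schema holds the live alerts
    (stand-in for the 'snort' db) and whose attached 'archive' schema
    holds the archived ones (stand-in for 'snort_archive')."""
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS archive")
    conn.execute(SCHEMA.format(name="main.alert"))
    conn.execute(SCHEMA.format(name="archive.alert"))
    conn.executemany("INSERT INTO main.alert VALUES (?, ?, ?, ?)", new_rows)
    conn.executemany("INSERT INTO archive.alert VALUES (?, ?, ?, ?)", archived_rows)
    conn.commit()
    return conn


def correlate_with_archive(conn) -> Dict[str, Tuple[int, List[str]]]:
    """For every source IP in the live alert table, report how many archived
    events it has and which distinct signatures it triggered before.
    A LEFT JOIN keeps IPs that have never been archived (count 0)."""
    sql = """
        SELECT n.ip_src,
               COUNT(a.ts)                       AS prior_events,
               GROUP_CONCAT(DISTINCT a.sig_name) AS prior_sigs
        FROM (SELECT DISTINCT ip_src FROM main.alert) AS n
        LEFT JOIN archive.alert AS a ON a.ip_src = n.ip_src
        GROUP BY n.ip_src
        ORDER BY n.ip_src
    """
    result: Dict[str, Tuple[int, List[str]]] = {}
    for ip_src, prior_events, prior_sigs in conn.execute(sql):
        sigs = sorted(prior_sigs.split(",")) if prior_sigs else []
        result[ip_src] = (prior_events, sigs)
    return result


if __name__ == "__main__":
    db = open_databases(NEW_ALERTS, ARCHIVED_ALERTS)
    for ip, (count, sigs) in correlate_with_archive(db).items():
        flag = "SEEN BEFORE" if count else "new"
        print(f"{ip}: {flag}, {count} archived event(s), signatures={sigs}")
```

Run against the sample data, 10.0.0.5 comes back as seen before with two archived events (a cgi-bin probe and an nmap scan), while 10.0.0.9 has no history. That "seen before" flag is exactly the piece of context an analyst wants next to a fresh alert before deciding whether it is noise already triaged or an escalation.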

