[Snort-users] ACID with 2 archive databases?

Michael snorter at ...158...
Tue Jan 7 06:31:10 EST 2003


Hi,

I'm using Snort 1.9.0 with ACID v0.9.6b22. I created an archive database and
use the ACID function to move the true alerts to the archive. 
All my charts an history comes from the archive database. The false
positives
stay in the snort database, because I don't want to delete them. Sometimes
I'm
not shure if an alert is a false positive and sometimes I need to check an
old alert
a second time.
The problem is that we sometimes have more than one person working on the
alerts
in the snort database. And that is very difficult with thousands of old
alerts in this
database.
Is it possible to use ACID with a second archive database (archive2) where
we can
move the false positives to? So that we've a snort database with only the
new, 
unexamined alerts. We want to move the true alerts to the archive1 database
and
the false positives to the archive2 databse.
Has anyone done something like this or have a need for it too?

Any ideas?

Thanx for you help,
Michael



-- 
+++ GMX - Mail, Messaging & more  http://www.gmx.net +++
NEU: Mit GMX ins Internet. Rund um die Uhr für 1 ct/ Min. surfen!





More information about the Snort-users mailing list