[Snort-users] ACID with 2 archive databases?

Matías Bevilacqua matias at ...7932...
Tue Jan 7 07:06:06 EST 2003


Well the need is there for sure, being able to work with "n" databases
is for sure something nice to have.
Not only for your needs but a typical 3-tier (n-tier) inspection of
alerts is something nice to have in large deployments.
I'll be glad to hear of any developments in this area.

Matías Bevilacqua Trabado
esCERT-UPC
___________________________________________________________________
PGP-ID: 0x3FFD6E18 
PGP Fingerprint: 9FA3 06A1 3CAE 5996 1716  D9DF 3CE7 E88D 3FFD 6E18
___________________________________________________________________

"This e-mail may contain confidential and/or privileged information. If
you are not the intended recipient (or have received this e-mail in
error) please notify the sender immediately and destroy this e-mail. Any
unauthorized copying, disclosure or distribution of the material in this
e-mail is strictly forbidden." 

> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net 
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Michael
> Sent: martes, 07 de enero de 2003 15:31
> To: snort-users at ...382...
> Subject: [Snort-users] ACID with 2 archive databases?
> 
> 
> Hi,
> 
> I'm using Snort 1.9.0 with ACID v0.9.6b22. I created an 
> archive database and use the ACID function to move the true 
> alerts to the archive. 
> All my charts and history come from the archive database. The 
> false positives stay in the snort database, because I don't 
> want to delete them. Sometimes I'm not sure if an alert is a 
> false positive and sometimes I need to check an old alert a 
> second time. The problem is that we sometimes have more than 
> one person working on the alerts in the snort database. And 
> that is very difficult with thousands of old alerts in this 
> database. Is it possible to use ACID with a second archive 
> database (archive2) where we can move the false positives to? 
> So that we have a snort database with only the new, 
> unexamined alerts. We want to move the true alerts to the 
> archive1 database and the false positives to the archive2 
> database. Has anyone done something like this or have a need 
> for it too?
> 
> Any ideas?
> 
> Thanks for your help,
> Michael
> 