[Snort-users] ACID with 2 archive databases?
ceidem at ...5503...
Tue Jan 7 07:48:02 EST 2003
> Is it possible to use ACID with a second archive database (archive2)
> where we can move the false positives to? So that we've a snort
> database with only the unexamined alerts. We want to move the true
> alerts to the archive1 database and the false positives to the
> archive2 database.
> Has anyone done something like this or have a need for it too?
> Any ideas?
Generally, I like to rotate my ACID database monthly, so I just muck
around with the acid_conf.php file in the acid directory of my
webserver. If you have a working ACID setup, just copy it to a
different directory (e.g., /var/www/htdocs/acid2) and modify the
acid_conf.php file to point to the database you have set up there:

    $alert_dbname = "nov02_snort";   // in the acid2 copy of acid_conf.php
    $alert_dbname = "snort";         // the original acid/acid_conf.php

and then access <your ACID server>/acid2

Probably more mucking around than is necessary, but it works for me.
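The copy-and-repoint step described above, as an added shell example that is not from the original post: it clones a working ACID directory, rewrites only the $alert_dbname line in the copy, and checks that the rewrite actually took. The acid/acid2 directory names and the nov02_snort database name are taken from the post; the acid_conf.php it runs against is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the post): clone a working ACID directory and point
# the copy's acid_conf.php at a different alert database, as the reply describes.
# Assumes acid_conf.php sets $alert_dbname on one line, as quoted in the post.

# clone_acid SRC_DIR DEST_DIR DBNAME
# Copies SRC_DIR to DEST_DIR and rewrites only the $alert_dbname line in the
# copy. Fails (and removes the half-made copy) if the rewrite did not take,
# so a copy silently still pointing at the live "snort" database is never left.
clone_acid() {
    src="$1"; dest="$2"; db="$3"
    # The name goes into a sed replacement and a PHP string: allow only [A-Za-z0-9_].
    case "$db" in ""|*[!A-Za-z0-9_]*) echo "unsafe database name: $db" >&2; return 1;; esac
    [ -f "$src/acid_conf.php" ] || { echo "no acid_conf.php in $src" >&2; return 1; }
    [ ! -e "$dest" ] || { echo "$dest already exists, refusing to overwrite" >&2; return 1; }
    cp -R "$src" "$dest"
    sed 's/^\$alert_dbname = "[^"]*";/$alert_dbname = "'"$db"'";/' \
        "$src/acid_conf.php" > "$dest/acid_conf.php"
    # Verify the copy now names exactly the requested database.
    grep -qxF '$alert_dbname = "'"$db"'";' "$dest/acid_conf.php" \
        || { rm -rf "$dest"; echo "no \$alert_dbname line found in $src" >&2; return 1; }
}

# current_alert_db DIR: print the database an ACID copy in DIR points at.
current_alert_db() {
    sed -n 's/^\$alert_dbname = "\([^"]*\)";.*/\1/p' "$1/acid_conf.php"
}

# Demonstration against a constructed acid_conf.php in a scratch directory:
# the original stays on "snort", the acid2 copy is repointed to "nov02_snort".
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/acid"
    printf '<?php\n$alert_dbname = "snort";\n$alert_host = "localhost";\n?>\n' \
        > "$tmp/acid/acid_conf.php"
    clone_acid "$tmp/acid" "$tmp/acid2" "nov02_snort"
    echo "acid  -> $(current_alert_db "$tmp/acid")"
    echo "acid2 -> $(current_alert_db "$tmp/acid2")"
    rm -rf "$tmp"
}
demo
```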