[Snort-users] ACID with 2 archive databases?

Chris Eidem ceidem at ...5503...
Tue Jan 7 07:48:02 EST 2003


> Is it possible to use ACID with a second archive database (archive2)
> where we can move the false positives to? So that we've a snort database
> with only the new, unexamined alerts. We want to move the true alerts to
> the archive1 database and the false positives to the archive2 database.
> Has anyone done something like this or have a need for it too?
> 
> Any ideas?
> 

generally, I like to rotate my ACID database monthly, so I just muck
around with the acid_conf.php file in the acid directory of my
webserver.  if you have a working acid setup, just copy it to a
different directory (e.g., /var/www/htdocs/acid2) and modify the
acid_conf.php file to point to the database you have set up there:

$alert_dbname   = "nov02_snort";

instead of 

$alert_dbname   = "snort";

and then access <your ACID server>/acid2

probably more mucking around than is necessary, but it works for me.

 - chris
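The copy-and-repoint step Chris describes, scripted as an added example; it is not code from the original thread or from the ACID project. It assumes the layout the message gives (a working ACID directory whose acid_conf.php sets $alert_dbname, cloned to a sibling directory and pointed at a differently named database) and builds a constructed sample directory for demonstration.

```shell
#!/bin/sh
# Clone a working ACID install into a second directory and point its copy of
# acid_conf.php at a different alert database (e.g. a monthly archive).
# Example written for this thread; not part of ACID or Snort.
set -eu

# clone_acid SRC_DIR DST_DIR DBNAME
#   Copies SRC_DIR to DST_DIR, rewrites $alert_dbname in DST_DIR/acid_conf.php,
#   refuses to overwrite an existing DST_DIR, and prints the name now configured.
clone_acid() {
    src="$1"; dst="$2"; db="$3"
    [ -f "$src/acid_conf.php" ] || { echo "no acid_conf.php in $src" >&2; return 1; }
    [ ! -e "$dst" ] || { echo "$dst already exists, refusing to overwrite" >&2; return 1; }
    # Accept only characters a database name would use, so the value can
    # never close the PHP string literal it is written into.
    case "$db" in
        *[!A-Za-z0-9_]*|"") echo "bad database name: $db" >&2; return 1 ;;
    esac
    cp -R "$src" "$dst"
    # Rewrite just the $alert_dbname assignment; everything else is kept as-is.
    sed 's/^\([$]alert_dbname[[:space:]]*=[[:space:]]*\)"[^"]*";/\1"'"$db"'";/' \
        "$dst/acid_conf.php" > "$dst/acid_conf.php.tmp"
    mv "$dst/acid_conf.php.tmp" "$dst/acid_conf.php"
    # The copy carries the database credentials too; keep it unreadable to others.
    chmod 640 "$dst/acid_conf.php"
    configured_dbname "$dst"
}

# configured_dbname DIR: prints the database name DIR/acid_conf.php points at.
configured_dbname() {
    sed -n 's/^[$]alert_dbname[[:space:]]*=[[:space:]]*"\([^"]*\)";.*/\1/p' "$1/acid_conf.php"
}

# make_sample_acid DIR: constructed stand-in for a working ACID directory
# (placeholder credentials, not a real configuration).
make_sample_acid() {
    mkdir -p "$1"
    cat > "$1/acid_conf.php" <<'EOF'
<?php
$alert_dbname   = "snort";
$alert_host     = "localhost";
$alert_user     = "acid";
$alert_password = "PLACEHOLDER";
?>
EOF
}
```

Run it as `clone_acid /var/www/htdocs/acid /var/www/htdocs/acid2 nov02_snort` to get the second console the message describes; the original directory is left untouched.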
