[Snort-users] ACID with 2 archive databases?

Michael snorter at ...158...
Wed Jan 8 03:40:03 EST 2003


That's what I do at the moment. But it would be more practicable to have
only one ACID instance to work with 3 or more databases.
Perhaps this feature will be there in the next version of ACID.

Is it a great deal to insert this feature in ACID? Unfortunately I have no
practical knowledge of programming PHP.

Maybe Roman can answer these questions. ;-)

Best regards
Michael



> Would it be feasible/practical to set up multiple web server instances for
> ACID, each with its own config files to tell it which databases to use? For
> example:
> 
> Acid instance #1 would point to the main/live db that snort uses, and a
> false-positives database.
> 
> Acid instance #2 would point to the main/live db that snort uses, and the
> 'to be further addressed' database.
> 
> And then possibly a 3rd instance of Acid would have the 'to be further
> addressed' database as its primary.
> 
> It would be a bit confusing to be sure.
> 
> 
> -----Original Message-----
> From: Matías Bevilacqua [mailto:matias at ...7932...] 
> Sent: Tuesday, January 07, 2003 10:05 AM
> To: 'Michael'; snort-users at ...382...
> Subject: RE: [Snort-users] ACID with 2 archive databases?
> 
> 
> Well, the need is there for sure; being able to work with "n" databases is
> for sure something nice to have. Not only for your needs, but a typical
> 3-tier (n-tier) inspection of alerts is something nice to have in large
> deployments. I'll be glad to hear of any developments in this area.
> 
> Matías Bevilacqua Trabado
> esCERT-UPC
> ___________________________________________________________________
> PGP-ID: 0x3FFD6E18 
> PGP Fingerprint: 9FA3 06A1 3CAE 5996 1716  D9DF 3CE7 E88D 3FFD 6E18
> ___________________________________________________________________
> 
> "This e-mail may contain confidential and/or privileged information. If you
> are not the intended recipient (or have received this e-mail in
> error) please notify the sender immediately and destroy this e-mail. Any
> unauthorized copying, disclosure or distribution of the material in this
> e-mail is strictly forbidden."
> 
> > -----Original Message-----
> > From: snort-users-admin at lists.sourceforge.net
> > [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Michael
> > Sent: Tuesday, 07 January 2003 15:31
> > To: snort-users at ...382...
> > Subject: [Snort-users] ACID with 2 archive databases?
> > 
> > 
> > Hi,
> > 
> > I'm using Snort 1.9.0 with ACID v0.9.6b22. I created an
> > archive database and use the ACID function to move the true 
> > alerts to the archive. 
> > All my charts and history come from the archive database. The 
> > false positives stay in the snort database, because I don't 
> > want to delete them. Sometimes I'm not sure if an alert is a 
> > false positive and sometimes I need to check an old alert a 
> > second time. The problem is that we sometimes have more than 
> > one person working on the alerts in the snort database. And 
> > that is very difficult with thousands of old alerts in this 
> > database. Is it possible to use ACID with a second archive 
> > database (archive2) where we can move the false positives to? 
> > So that we've a snort database with only the new, 
> > unexamined alerts. We want to move the true alerts to the 
> > archive1 database and the false positives to the archive2 
> > database. Has anyone done something like this or have a need 
> > for it too?
> > 
> > Any ideas?
> > 
> > Thanks for your help,
> > Michael
> > 
> > 
> > 
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe: 
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > 
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > 
> 
> 
> 
> 
