[Snort-users] Tips for using ACID in a multi-admin environment?

Williams Jon WilliamsJonathan at ...2134...
Mon May 19 08:59:12 EDT 2003


I've been using snort/ACID for a couple of years now, and it's been working
fairly well for me, but my whinging to management has been successful, and
now I've got help.  While this is a good thing, it has introduced a new
wrinkle that I hadn't planned for: we are now tending to tromp on each
other's work while reviewing alerts in ACID.

Due to the number of alerts we get in a day (5000-6000/day typically,
although a single broken machine can generate 30k+ in a matter of minutes),
we tend to delete the alerts out of ACID but keep the tcpdump files
indefinitely.  As I said before, this worked fine with one analyst, but now
that we've got more, we're running into the problem that one will delete the
alerts that the other is working on or we just fall back to a single analyst
reviewing alerts while the others do other stuff.

Has anyone come up with good practices/procedures that they're willing to
share that have dealt with this problem?

Thanks.

Jon
