[Snort-users] Am I in the right place? (was: Tips for using ACID in a multi-adm in environment)

Williams Jon WilliamsJonathan at ...2134...
Thu May 29 12:04:05 EDT 2003

I apologize if this seems a bit troll-like, I don't intend it to be.  I
posted this message a couple of weeks ago and got zero responses.  A few
days later, someone else asked about Fortune 500 users and I saw, I think,
one response.  While I read this list a lot, I'm starting to wonder if I'm
asking questions in the right place.

I've been using snort for a while now, something like 2-3 years, and am
monitoring a moderate amount of traffic (i.e. the busiest box is watching
between 50-60 mbps sustained during business hours, and I've got several
scattered across multiple timezones).  I believe, rightly or wrongly, that
I've gone through the same phases that I see a lot of people go through on
this list (how do I build it, why doesn't it run, why do I get so many
alerts for stuff I don't care about, how do I write a custom rule) and am
now starting to ask other questions, like the one below.  Since I don't get
any response, I'm not sure if a) people are too concerned about their
corporate security to share, b) are willing to share but are no longer on
this particularl list, c) are willing to answer, but my situation is unique,
or d) there's no answer to my problems.

So, is there a better list for advanced snort issues and/or enterprise snort
deployment questions?  If not, are there people on this list who've gone
through these issues and don't want to discuss them in a public forum?  As I
said, I'm not trying to be a rabble-rouser, it's just that the great support
from the mailing list was one of the selling points when I convinced
management to go Open Source, so it's a bit confusing/embarassing when I
send out questions that get no response at all.



-----Original Message-----
From: Williams Jon 
Sent: Monday, May 19, 2003 10:59 AM
To: Snort-users at lists.sourceforge.net
Subject: [Snort-users] Tips for using ACID in a mult-admin environment?

I've been using snort/ACID for a couple of years now, and it's been working
fairly well for me, but my whinging to management has been successful, and
now I've got help.  While this is a good thing, it has introduced a new
wrinkle that I hadn't planned for: we are now tending to tromp on each
other's work while reviewing alerts in ACID.

Due to the number of alerts we get in a day (5000-6000/day typically,
although a single broken machine can generate 30k+ in a matter of minutes),
we tend to delete the alerts out of ACID but keep the tcpdump files
indefinately.  As I said before, this worked fine with one analyst, but now
that we've got more, we're running into the problem that one will delete the
alerts that the other is working on or we just fall back to a single analyst
reviewing alerts while the others do other stuff.

Has anyone come up with good practices/proceedures that they're willing to
share that have dealt with this problem?



This SF.net email is sponsored by: If flattening out C++ or Java
code to make your application fit in a relational database is painful, 
don't do it! Check out ObjectStore. Now part of Progress Software.
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list