Snort mailing list archives

RE: ACID with 2 archive databases?


From: Michael <snorter () gmx net>
Date: Wed, 8 Jan 2003 12:38:48 +0100 (MET)


That's what I do at the moment. But it would be more practical to have
only one ACID instance to work with 3 or more databases.
Perhaps this feature will be there in the next version of ACID.

Is it a great deal to insert this feature in ACID? Unfortunately I've no
practical knowledge of programming PHP.

Maybe Roman can answer these questions. ;-)

Best regards
Michael



Would it be feasible/practical to setup multiple web server instances for
ACID, each with its own config files to tell it which databases to use? For
example:

Acid instance #1 would point to the main/live db that snort uses, and a
false-positives database.

Acid instance #2 would point to the main/live db that snort uses, and the
'to be further addressed' database.

And then possibly a 3rd instance of Acid would have the 'to be further
addressed' database as its primary.

It would be a bit confusing to be sure.


-----Original Message-----
From: Matías Bevilacqua [mailto:matias () escert upc es] 
Sent: Tuesday, January 07, 2003 10:05 AM
To: 'Michael'; snort-users () sourceforge net
Subject: RE: [Snort-users] ACID with 2 archive databases?


Well the need is there for sure, being able to work with "n" databases is
for sure something nice to have. Not only for your needs but a typical
3-tier (n-tier) inspection of alerts is something nice to have in large
deployments. I'll be glad to hear of any developments in this area.

Matías Bevilacqua Trabado
esCERT-UPC
___________________________________________________________________
PGP-ID: 0x3FFD6E18 
PGP Fingerprint: 9FA3 06A1 3CAE 5996 1716  D9DF 3CE7 E88D 3FFD 6E18
___________________________________________________________________

"This e-mail may contain confidential and/or privileged information. If you
are not the intended recipient (or have received this e-mail in
error) please notify the sender immediately and destroy this e-mail. Any
unauthorized copying, disclosure or distribution of the material in this
e-mail is strictly forbidden."

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Michael
Sent: Tuesday, 07 January 2003 15:31
To: snort-users () sourceforge net
Subject: [Snort-users] ACID with 2 archive databases?


Hi,

I'm using Snort 1.9.0 with ACID v0.9.6b22. I created an
archive database and use the ACID function to move the true
alerts to the archive.
All my charts and history come from the archive database. The
false positives stay in the snort database, because I don't
want to delete them. Sometimes I'm not sure if an alert is a
false positive and sometimes I need to check an old alert a
second time. The problem is that we sometimes have more than
one person working on the alerts in the snort database. And
that is very difficult with thousands of old alerts in this
database. Is it possible to use ACID with a second archive
database (archive2) where we can move the false positives to?
So that we've a snort database with only the new,
unexamined alerts. We want to move the true alerts to the
archive1 database and the false positives to the archive2
database. Has anyone done something like this or have a need
for it too?

Any ideas?

Thanx for your help,
Michael



--
+++ GMX - Mail, Messaging & more  http://www.gmx.net +++
NEW: Get online with GMX. Surf around the clock for 1 ct/min!
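The workflow Michael describes (a live snort database holding only unexamined alerts, true alerts filed to archive1, false positives filed to archive2, nothing ever deleted) is really a question of moving a row between databases without losing or duplicating it when several people are triaging at once. The following is an added example, not ACID's own code or its PHP configuration: it uses Python's sqlite3 with ATTACH so the copy into an archive and the delete from the live table commit as one transaction, and it generalises to any number of named archives. The schema is a deliberately simplified stand-in for the Snort "event" and "signature" tables (constructed here; the real schema is larger and ACID of that era ran against MySQL/PostgreSQL), and the alerts in demo() are constructed sample data.

```python
"""Atomic triage of alerts from a live database into n archive databases.

Added example (not ACID's own code). Uses sqlite3 and ATTACH so that the
copy into the archive and the delete from the live table succeed or fail
together: an alert is never lost and never ends up in two places.
"""
import re
import sqlite3

# Simplified schema, loosely modelled on the Snort "event" and "signature"
# tables that ACID reads (constructed; the real schema has many more tables).
SCHEMA = """
CREATE TABLE {db}.signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT NOT NULL);
CREATE TABLE {db}.event (
    sid INTEGER NOT NULL, cid INTEGER NOT NULL, signature INTEGER NOT NULL,
    timestamp TEXT NOT NULL, PRIMARY KEY (sid, cid));
"""
_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


class AlertConsole:
    """One console over the live 'main' database plus n named archives."""

    def __init__(self, archives):
        self.conn = sqlite3.connect(":memory:")
        self.conn.isolation_level = None  # autocommit; we issue BEGIN/COMMIT ourselves
        self.conn.executescript(SCHEMA.format(db="main"))
        self.archives = []
        for name in archives:
            # Schema names cannot be bound as SQL parameters, so whitelist them
            # before interpolating; never take them from user input unchecked.
            if not _NAME.match(name) or name == "main":
                raise ValueError(f"bad archive name: {name!r}")
            self.conn.execute(f"ATTACH DATABASE ':memory:' AS {name}")
            self.conn.executescript(SCHEMA.format(db=name))
            self.archives.append(name)

    def log_alert(self, sid, cid, sig_id, sig_name, timestamp):
        """What the sensor's database output would do: append to the live db."""
        self.conn.execute("INSERT OR IGNORE INTO main.signature VALUES (?, ?)",
                          (sig_id, sig_name))
        self.conn.execute("INSERT INTO main.event VALUES (?, ?, ?, ?)",
                          (sid, cid, sig_id, timestamp))

    def move(self, sid, cid, archive):
        """Move one alert from the live db into `archive` atomically.

        Returns True if moved, False if the alert is no longer pending (e.g. a
        colleague filed it first). Any failure rolls back and re-raises, so the
        alert stays in the live db rather than vanishing or being duplicated.
        """
        if archive not in self.archives:
            raise ValueError(f"unknown archive: {archive!r}")
        row = self.conn.execute(
            "SELECT signature FROM main.event WHERE sid = ? AND cid = ?",
            (sid, cid)).fetchone()
        if row is None:
            return False
        self.conn.execute("BEGIN")
        try:
            self.conn.execute(
                f"INSERT OR IGNORE INTO {archive}.signature "
                "SELECT sig_id, sig_name FROM main.signature WHERE sig_id = ?",
                (row[0],))
            self.conn.execute(
                f"INSERT INTO {archive}.event "
                "SELECT sid, cid, signature, timestamp FROM main.event "
                "WHERE sid = ? AND cid = ?", (sid, cid))
            self.conn.execute("DELETE FROM main.event WHERE sid = ? AND cid = ?",
                              (sid, cid))
            self.conn.execute("COMMIT")
            return True
        except sqlite3.Error:
            self.conn.execute("ROLLBACK")
            raise

    def counts(self):
        """Number of alerts still pending in 'main' and filed in each archive."""
        return {db: self.conn.execute(f"SELECT COUNT(*) FROM {db}.event").fetchone()[0]
                for db in ["main"] + self.archives}


def demo():
    """Constructed triage session: three alerts, two verdicts, one repeat."""
    console = AlertConsole(["archive1", "archive2"])  # true alerts / false positives
    console.log_alert(1, 1, 1000, "constructed scan signature", "2003-01-07 14:10:00")
    console.log_alert(1, 2, 2001, "constructed web signature", "2003-01-07 14:11:00")
    console.log_alert(1, 3, 1000, "constructed scan signature", "2003-01-07 14:12:00")
    console.move(1, 2, "archive1")              # confirmed: keeps charts/history intact
    console.move(1, 1, "archive2")              # false positive: kept, but out of the way
    moved_again = console.move(1, 1, "archive2")  # second reviewer: no-op, no duplicate
    return console.counts(), moved_again


if __name__ == "__main__":
    print(demo())  # ({'main': 1, 'archive1': 1, 'archive2': 1}, False)
```

The point of the BEGIN/COMMIT bracket around copy-then-delete is the failure mode a multi-reviewer setup hits: if the archive insert fails (for instance a duplicate key) the DELETE never runs, and if a second person has already filed the alert the SELECT finds nothing and the move is reported as a no-op rather than inserting a second copy.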



-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something
2 See! http://www.vasoftware.com 
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: 
https://lists.sourceforge.net/lists/listinfo/snort-users

Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



