Snort mailing list archives
Tips for using ACID in a multi-admin environment?
From: "Williams Jon" <WilliamsJonathan () JohnDeere com>
Date: Mon, 19 May 2003 10:58:50 -0500
I've been using snort/ACID for a couple of years now, and it's been working fairly well for me, but my whinging to management has been successful, and now I've got help. While this is a good thing, it has introduced a new wrinkle that I hadn't planned for: we are now tending to tromp on each other's work while reviewing alerts in ACID.

Due to the number of alerts we get in a day (5000-6000/day typically, although a single broken machine can generate 30k+ in a matter of minutes), we tend to delete the alerts out of ACID but keep the tcpdump files indefinitely. As I said before, this worked fine with one analyst, but now that we've got more, we're running into the problem that one will delete the alerts that the other is working on, or we just fall back to a single analyst reviewing alerts while the others do other stuff.

Has anyone come up with good practices/procedures that they're willing to share that have dealt with this problem?

Thanks.
Jon
Current thread:
- Tips for using ACID in a multi-admin environment? Williams Jon (May 19)
- Re: Tips for using ACID in a multi-admin environment? Anthony Kim (May 30)