Snort mailing list archives

Re: ACID & $archive_dbname


From: roman () danyliw com
Date: Thu, 11 Oct 2001 13:36:57 US/Eastern

John,

If I am understanding you correctly, ACID is correctly archiving the
actual Snort alerts.  However, the various meta information generated by
snort is not being propagated to the archive database (e.g. AG
information, the event cache).

Am I correct in assuming you want this ACID meta-information to propagate
to the archive database?  Copying over alert group information could be
possible, but moving over the event cache does not seem necessary.  By
definition the acid_event table is a cache; something to be flushed and
easily rebuilt as necessary.

Did I understand you correctly?
Roman


On 7 Oct 2001, John Ruff wrote:

Roman:

As you can see from the messages below, using ACID to query the
archived_DB is a great idea.  However, the archive (move or copy)
functionality in ACID doesn't archive the related events from the
'active DB' ACID tables to the 'archive DB'.

Would it be possible for the next release of ACID to perform a check
on the 'archive DB' for the existence of ACID tables and, if so, extend
the archive (move or copy) function to include the events in the ACID
tables?  Or maybe even just a variable in the acid_conf.php that
determines whether the archive function would include the ACID tables.

Best Regards,
John Ruff


[...SNIP from snort-users...]

++++++++++++++++++++++++++++++++++++
I am currently using the dual directory to access my archived database.
However, I've run into a little problem with regards to this setup.  Because
the alerts are being logged into the 'active DB', only the ACID tables in the
'active DB' are being updated.  Then when you archive events to your
'archive DB' the entries in the 'active DB' ACID tables are not
archived (moved or copied) as well.  Therefore when you go to display the
stats for your 'archive DB' via ACID the counts are not updated.  You
have to manually delete the ACID tables, then hit the
'acid_archive/index.html' page to have the tables recreated and the
'archive DB' parsed again.  Then the counts are correct.

Does anyone have a solution that will allow the related ACID table
events to be archived to the 'archive DB' when doing a move or copy from
the 'active DB'?

+++++++++++++++++++++++++++++++++++++++



---------------------------------------------
This message was sent using Voicenet WebMail.
      http://www.voicenet.com/webmail/



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
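The distinction Roman draws above (alert-group membership is real state that has to travel with an archived alert, while the acid_event table is a cache that can simply be flushed and rebuilt from the event table) can be shown in a small model. The following is an added example, not ACID's own code: it uses a constructed, simplified schema in SQLite rather than ACID's real DDL (the table and column names event, acid_ag, acid_ag_alert and acid_event are stand-ins chosen to echo the thread, and the sample alerts are made up), and the archive_alerts function is a hypothetical sketch of what a "move or copy that also carries the ACID tables" could look like.

```python
import sqlite3

# Constructed, simplified schema (NOT ACID's actual DDL): Snort's event table keyed
# by (sid, cid), ACID alert groups, AG membership rows, and the per-database
# event cache that ACID rebuilds on demand.
SCHEMA = """
CREATE TABLE event (sid INTEGER, cid INTEGER, signature TEXT, timestamp TEXT,
                    PRIMARY KEY (sid, cid));
CREATE TABLE acid_ag (ag_id INTEGER PRIMARY KEY, ag_name TEXT);
CREATE TABLE acid_ag_alert (ag_id INTEGER, ag_sid INTEGER, ag_cid INTEGER,
                            PRIMARY KEY (ag_id, ag_sid, ag_cid));
CREATE TABLE acid_event (sid INTEGER, cid INTEGER, signature TEXT, timestamp TEXT,
                         PRIMARY KEY (sid, cid));
"""


def new_db():
    """Create an in-memory database with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def rebuild_cache(conn):
    """Flush and rebuild the event cache from the event table.

    This is the property Roman relies on: acid_event is derived data, so it
    never needs to be archived, only regenerated on whichever DB is queried.
    Returns the number of cached rows after the rebuild."""
    conn.execute("DELETE FROM acid_event")
    conn.execute("INSERT INTO acid_event "
                 "SELECT sid, cid, signature, timestamp FROM event")
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM acid_event").fetchone()[0]


def archive_alerts(active, archive, keys, move=True):
    """Hypothetical archive step: copy (or move) the alerts identified by
    (sid, cid) from the active DB to the archive DB, carrying the alert-group
    definitions and membership rows with them.  The event cache is not copied;
    it is rebuilt on both sides afterwards.  Returns (active_cache, archive_cache)
    row counts."""
    for sid, cid in keys:
        row = active.execute("SELECT sid, cid, signature, timestamp FROM event "
                             "WHERE sid=? AND cid=?", (sid, cid)).fetchone()
        if row is None:          # nothing to archive for this key
            continue
        archive.execute("INSERT OR IGNORE INTO event VALUES (?,?,?,?)", row)

        # AG membership is real state: it must follow the alert to the archive.
        members = active.execute("SELECT ag_id, ag_sid, ag_cid FROM acid_ag_alert "
                                 "WHERE ag_sid=? AND ag_cid=?", (sid, cid)).fetchall()
        for ag_id, ag_sid, ag_cid in members:
            ag = active.execute("SELECT ag_id, ag_name FROM acid_ag WHERE ag_id=?",
                                (ag_id,)).fetchone()
            archive.execute("INSERT OR IGNORE INTO acid_ag VALUES (?,?)", ag)
            archive.execute("INSERT OR IGNORE INTO acid_ag_alert VALUES (?,?,?)",
                            (ag_id, ag_sid, ag_cid))
        if move:
            active.execute("DELETE FROM acid_ag_alert WHERE ag_sid=? AND ag_cid=?",
                           (sid, cid))
            active.execute("DELETE FROM event WHERE sid=? AND cid=?", (sid, cid))
    active.commit()
    archive.commit()
    return rebuild_cache(active), rebuild_cache(archive)


def summary(conn):
    """Row counts a practitioner would check after an archive run."""
    count = lambda t: conn.execute("SELECT COUNT(*) FROM %s" % t).fetchone()[0]
    return {"events": count("event"), "cache": count("acid_event"),
            "ag_members": count("acid_ag_alert")}


def demo():
    """Move two of three constructed alerts, one of them in an alert group."""
    active, archive = new_db(), new_db()
    active.executemany("INSERT INTO event VALUES (?,?,?,?)", [
        (1, 1, "ICMP PING NMAP", "2001-10-01 10:00:00"),          # constructed
        (1, 2, "WEB-IIS cmd.exe access", "2001-10-01 10:05:00"),  # constructed
        (1, 3, "ICMP PING NMAP", "2001-10-02 09:00:00"),          # constructed
    ])
    active.execute("INSERT INTO acid_ag VALUES (7, 'IIS probes')")
    active.execute("INSERT INTO acid_ag_alert VALUES (7, 1, 2)")
    rebuild_cache(active)
    archive_alerts(active, archive, [(1, 1), (1, 2)], move=True)
    return summary(active), summary(archive)


if __name__ == "__main__":
    print(demo())
```

After the move, the active DB holds one event with a one-row cache and no AG memberships, while the archive holds two events, a freshly built two-row cache and the carried-over membership row; the stale-count problem John describes disappears because neither side ever trusts a copied cache.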

