Snort mailing list archives

RE: Confirmation For Alerts In ACID Needed


From: Fraser Hugh <hugh_fraser () dofasco ca>
Date: Fri, 22 Nov 2002 00:02:38 -0500

I've always considered ACID to be an excellent analysis tool, and have left
the followup event audit trail stuff to a trouble ticket system. I've used a
package called DCL (http://dcl.sourceforge.net/who.php) to capture all the
activity and resolutions associated with an event. It's a trouble ticket
system, with an email interface that's easy to script a connection to Snort
through Swatch, or with something like procmail to the email interface in
ACID. Problem management people see a list of open problems, accept
responsibility for them, and log any followup activity. Finally, they close
the problem providing some kind of resolution. The audit trail is kept in
DCL.

-----Original Message-----
From: Joseph Gresham
To: Ibarra, Michael
Cc: 'Joel Colvin'; snort-users () lists sourceforge net
Sent: 11/21/02 6:23 PM
Subject: Re: [Snort-users] Confirmation For Alerts In ACID Needed

Do you need to run 2 instances of acid for this setup to work?
ie:

"So for me, anything that still needs
looking at is in the main database but all history and charts, etc.
comes from the archive database."

If that is not the case, what configuration changes are necessary for
this to work?  I guess I could look at the scripts myself, but if you
already know I would appreciate the advice.

-- 
Joseph J. Gresham Jr.
Systems Integration Consultant/Network Engineer
Onshore Inc.
312-850-5200 x.138



Ibarra, Michael wrote:

Yeah, I do this also, but it doesn't address the need to
have notes, as you've mentioned, as well as the need to see 
who, if anyone else, is already working on the given
alert. 

Anybody?

-mike

-----Original Message-----
From: Joel Colvin [mailto:joelc () ctchouston com]
Sent: Wednesday, November 20, 2002 5:34 PM
To: 'Ibarra, Michael'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Confirmation For Alerts In ACID Needed



What I do is create an archive database and then use the ACID function
to move items to the archive.  So for me, anything that still needs
looking at is in the main database but all history and charts, etc.
comes from the archive database.

It would be nice to have notes in the database though...

Joel
-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Ibarra,
Michael
Sent: Wednesday, November 20, 2002 4:00 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Confirmation For Alerts In ACID Needed

Greetings All:

I currently have a situation whereby I have a team looking at snort
alerts via ACID. The problem is that we sometimes have more than
one person working on an alert, worse following through with notifying
the offending IP's ISP or IP owner. Does anyone know if the latest
version of ACID has an option to make notes, add a confirm button
or add an assigned to feature? If not, has anyone done something like
this or have a need for it too?

I realize that this is entirely ACID related but I am asking all of you
for thoughts and ideas on this. Without re-writing ACID to add this
feature, I am stumped :(

Thanks in advance,

-mike 


-------------------------------------------------------
This sf.net email is sponsored by: 
Battle your brains against the best in the Thawte Crypto 
Challenge. Be the first to crack the code - register now: 
http://www.gothawte.com/rd521.html
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

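The notes, "confirm" and "assigned to" workflow Mike asks for, and that Fraser hands off to a ticket system, can be kept beside ACID's database without rewriting ACID. The following is an added example for this thread, not code from ACID, DCL or any poster: a small triage schema keyed on the Snort database's (sid, cid) event identifier, using sqlite3 as a stand-in for the MySQL schema ACID reads. The `event` rows, the `triage` and `triage_note` tables, and every signature name and timestamp are constructed for the example; the real Snort `event` table has more columns than the four used here.

```python
import sqlite3

# Constructed sample rows standing in for the Snort database's `event` table
# (sid, cid, signature, timestamp); signature names and times are made up.
SAMPLE_EVENTS = [
    (1, 101, "SCAN nmap TCP", "2002-11-20 15:40:01"),
    (1, 102, "WEB-IIS cmd.exe access", "2002-11-20 15:41:17"),
    (1, 103, "ICMP PING NMAP", "2002-11-20 15:42:03"),
]

# The triage tables are an assumption of this example: they sit beside
# ACID's schema and never modify it, so ACID keeps working unchanged and
# the audit trail (who took an alert, what was done, how it was resolved)
# stays separate from the alert data.
SCHEMA = """
CREATE TABLE event (
    sid INTEGER, cid INTEGER, signature TEXT, timestamp TEXT,
    PRIMARY KEY (sid, cid));
CREATE TABLE triage (
    sid INTEGER, cid INTEGER,
    assigned_to TEXT NOT NULL,
    status TEXT NOT NULL CHECK (status IN ('open', 'closed')),
    opened_at TEXT NOT NULL,
    resolution TEXT,
    PRIMARY KEY (sid, cid),
    FOREIGN KEY (sid, cid) REFERENCES event (sid, cid));
CREATE TABLE triage_note (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    sid INTEGER, cid INTEGER, author TEXT, note TEXT, created_at TEXT,
    FOREIGN KEY (sid, cid) REFERENCES triage (sid, cid));
"""


def open_db():
    """In-memory database loaded with the constructed events."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", SAMPLE_EVENTS)
    conn.commit()
    return conn


def claim(conn, sid, cid, analyst, when):
    """Assign an alert to exactly one analyst. The primary key makes a
    second claim fail, so two people cannot silently work the same alert;
    an unknown (sid, cid) is rejected by the foreign key."""
    try:
        conn.execute(
            "INSERT INTO triage (sid, cid, assigned_to, status, opened_at) "
            "VALUES (?, ?, ?, 'open', ?)",
            (sid, cid, analyst, when))
        conn.commit()
        return True
    except sqlite3.IntegrityError:
        conn.rollback()
        return False


def owner(conn, sid, cid):
    """Who is working this alert, or None if nobody has claimed it."""
    row = conn.execute(
        "SELECT assigned_to FROM triage WHERE sid = ? AND cid = ?",
        (sid, cid)).fetchone()
    return row[0] if row else None


def add_note(conn, sid, cid, author, note, when):
    """Append a follow-up note (e.g. 'ISP notified'); returns the note id."""
    if owner(conn, sid, cid) is None:
        raise ValueError("claim the alert before adding notes")
    cur = conn.execute(
        "INSERT INTO triage_note (sid, cid, author, note, created_at) "
        "VALUES (?, ?, ?, ?, ?)", (sid, cid, author, note, when))
    conn.commit()
    return cur.lastrowid


def close_alert(conn, sid, cid, analyst, resolution):
    """Only the assignee may close an open alert; returns False otherwise."""
    cur = conn.execute(
        "UPDATE triage SET status = 'closed', resolution = ? "
        "WHERE sid = ? AND cid = ? AND assigned_to = ? AND status = 'open'",
        (resolution, sid, cid, analyst))
    conn.commit()
    return cur.rowcount == 1


def open_alerts(conn):
    """Unclaimed or still-open alerts as (sid, cid, signature, assigned_to)."""
    return conn.execute(
        "SELECT e.sid, e.cid, e.signature, t.assigned_to "
        "FROM event e LEFT JOIN triage t ON t.sid = e.sid AND t.cid = e.cid "
        "WHERE t.status IS NULL OR t.status = 'open' "
        "ORDER BY e.sid, e.cid").fetchall()


if __name__ == "__main__":
    db = open_db()
    claim(db, 1, 101, "mike", "2002-11-20 16:00:00")
    add_note(db, 1, 101, "mike", "Abuse desk at source ISP notified",
             "2002-11-20 16:10:00")
    close_alert(db, 1, 101, "mike", "ISP confirmed host cleaned")
    for row in open_alerts(db):
        print(row)
```

The (sid, cid) pair is what ACID itself uses to identify an event, so the triage rows survive ACID's "move to archive" step as long as the archive keeps the same identifiers; the `status` column gives the "confirm" button, `assigned_to` answers "who else is on this", and `triage_note` holds the follow-up trail that would otherwise live in a ticket system like DCL.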