Snort mailing list archives

RE: ACID with 2 archive databases?


From: "Chris Eidem" <ceidem () Dexma com>
Date: Tue, 7 Jan 2003 09:47:07 -0600

Is it possible to use ACID with a second archive database (archive2) where
we can move the false positives to? So that we've a snort database with only
the new, unexamined alerts. We want to move the true alerts to the archive1
database and the false positives to the archive2 database.
Has anyone done something like this or have a need for it too?

Any ideas?


generally, i like to rotate my ACID database monthly, so i just muck
around with the acid_conf.php file in the acid directory of my
webserver.  if you have a working acid setup, just copy it to a
different directory (e.g., /var/www/htdocs/acid2) and modify the
acid_conf.php file to point to the database you have set up there:

$alert_dbname   = "nov02_snort";

instead of 

$alert_dbname   = "snort";

and then access <your ACID server>/acid2

probably more mucking around than is necessary, but it works for me.

 - chris
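Added example (not part of the thread, not ACID's own code): a small POSIX sh helper that does the copy-and-edit step Chris describes, cloning a working ACID directory and rewriting only the $alert_dbname line in the copy. The directory paths and database name in the example call are assumptions.

```sh
#!/bin/sh
# Added example: clone an ACID install and point the copy at another database.
set -eu

# Print the database name configured in an acid_conf.php (first match only).
acid_dbname() {
    sed -n 's/^[$]alert_dbname[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# clone_acid_instance SRC_DIR DEST_DIR DBNAME
# Copies SRC_DIR to DEST_DIR and rewrites $alert_dbname in the copy,
# then verifies the rewrite before reporting success.
clone_acid_instance() {
    src=$1; dest=$2; db=$3
    [ -f "$src/acid_conf.php" ] || { echo "no acid_conf.php in $src" >&2; return 1; }
    # Refuse to overwrite an existing directory (it may hold a live instance).
    [ ! -e "$dest" ] || { echo "$dest already exists, refusing to overwrite" >&2; return 1; }
    cp -R "$src" "$dest"
    # Replace only the quoted value of $alert_dbname; every other setting is kept.
    sed -i.bak "s/^\([\$]alert_dbname[[:space:]]*=[[:space:]]*\)\"[^\"]*\"/\1\"$db\"/" \
        "$dest/acid_conf.php"
    rm -f "$dest/acid_conf.php.bak"
    [ "$(acid_dbname "$dest/acid_conf.php")" = "$db" ]
}

# Example call (assumed paths, matching the reply above):
# clone_acid_instance /var/www/htdocs/acid /var/www/htdocs/acid2 nov02_snort
```

The copied directory carries the original's database credentials along with it, so the copy is worth the same file permissions as the first instance.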

