Snort mailing list archives
Re: Keeping separate databases?
From: twig les <twigles () yahoo com>
Date: Mon, 15 Mar 2004 12:35:18 -0800 (PST)
--- Jason Humes <jhumes () acs on ca> wrote:
> Hi
>
> Here is my situation... I've got snort on a notebook which I use at various sites and right now, I just delete all the alerts in between sessions at each site... just to keep the DB clean and only containing records for the site which I'm currently monitoring.
>
> Is there any way to archive all the alerts generated from one site, so that they no longer show up/are processed by the ACID console? I'd also like to be able to re-load them into ACID at a later time for reviewing.
>
> So for example, I go to CustomerSiteA and drop off the Snort Notebook for a day. I go back the next day, select all the Alerts shown in the ACID console and somehow archive them, which would remove them from the ACID console. And then later on pull them back up.
>
> Thanks

I'm nowhere near your situation so I haven't put my fingers on the keyboard and made this happen, but have you tried creating multiple archive databases? As in you have database "cust01" and "cust02", then before you transfer the alerts to the archive database you just go into acid_conf and make sure the archive database parameter is set to what you want. Not pretty but not too ugly either.

=====
With a few exceptions, secrecy is deeply incompatible with democracy and with science. --Carl Sagan
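
The per-customer switch suggested in the reply above, as an added shell example that is not part of the original post or of ACID itself. It assumes the configuration file (acid_conf.php) holds the archive setting as a line of the form `$archive_dbname = "name";` and that the named archive database has already been created; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: point ACID's archive connection at a per-customer database.
# Assumption: the config holds a line of the form  $archive_dbname = "name";

# Print the archive database name currently configured in the given file.
get_archive_db() {
    sed -n 's/^[[:space:]]*\$archive_dbname[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Rewrite $archive_dbname in the given file; a .bak copy of the old file is kept.
set_archive_db() {
    conf=$1 db=$2
    # Letters, digits and underscore only, so the name cannot break out of
    # the quoted PHP string or the sed expression below.
    case $db in
        ''|*[!A-Za-z0-9_]*) echo "invalid database name: $db" >&2; return 1 ;;
    esac
    # Refuse to touch a file that has no archive setting to change.
    grep -q '^[[:space:]]*\$archive_dbname[[:space:]]*=' "$conf" || {
        echo "no \$archive_dbname line in $conf" >&2; return 1; }
    cp "$conf" "$conf.bak" &&
    sed 's/^\([[:space:]]*\$archive_dbname[[:space:]]*=[[:space:]]*\)"[^"]*"/\1"'"$db"'"/' "$conf.bak" > "$conf"
}

# Write a constructed sample config fragment to the given path for a dry run.
make_sample_conf() {
    cat > "$1" <<'EOF'
<?php
$alert_dbname   = "snort";
$archive_dbname = "snort_archive";
$archive_host   = "localhost";
?>
EOF
}
```

Run `set_archive_db /path/to/acid_conf.php cust01` before archiving the alerts from that site, and check the result with `get_archive_db`.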