Archive DB Information

Nathan Gibbs edited this page May 16, 2023 · 2 revisions

Archiving Alerts

Alerts can be archived by following these steps:

  1. In preparation for archiving alerts, a separate database must be created.
    1. This archive database must have the same schema version as the database from which alerts will be copied.
    2. Use the appropriate create_mysql/create_postgresql script from the Snort or Barnyard2 distribution to create it.
  2. In the BASE configuration file base_conf.php:
    1. Update the following variables to reference the archive DB.
      1. $archive_dbname
      2. $archive_host
      3. $archive_user
      4. $archive_password
      5. $archive_port
    2. Set '$archive_exists' to 1.
  3. Run the query which contains the alerts to be archived.
    1. At the bottom of the query results will be an 'Action' box.
  4. From the left-most 'Action' combo-box choose an Archive action.
    1. Archive alert(s) (copy) - Copy the specified alerts into the archive DB.
    2. Archive alert(s) (move) - Copy the specified alerts into the archive DB, then delete the alerts from the alert DB.
  5. The text-box following the combo-box should be left blank.
  6. The alerts which will be archived need to be specified.
    1. This selection is achieved by choosing one of the three 'Action' buttons.
      1. Selected: archives those alerts which have been checked (note the check boxes in the extreme left-hand column)
      2. ALL on Screen: archives all alerts currently displayed on the screen
      3. Entire Query: archives all alerts in this query/report
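
The following is an added illustration of the copy/move semantics and the schema-version check described above; it is not BASE's own code. It assumes a reduced stand-in for the Snort/Barnyard2 schema (a `schema` table carrying the version in `vseq`, and an `event` table keyed by `sid`, `cid`), built in-memory with sqlite3 so it runs without a server.

```python
import sqlite3

# Constructed, minimal stand-in for the Snort/Barnyard2 schema: a `schema`
# table holding the schema version (vseq) and an `event` table holding alerts.
# Assumption: the real schema has many more tables; this demo keeps two.
DDL = """
CREATE TABLE schema (vseq INTEGER NOT NULL, ctime TEXT NOT NULL,
                     PRIMARY KEY (vseq));
CREATE TABLE event (sid INTEGER NOT NULL, cid INTEGER NOT NULL,
                    signature INTEGER NOT NULL, timestamp TEXT NOT NULL,
                    PRIMARY KEY (sid, cid));
"""

def make_db(vseq, events=()):
    """Create an in-memory DB with the given schema version and sample alerts."""
    db = sqlite3.connect(":memory:")
    db.executescript(DDL)
    db.execute("INSERT INTO schema VALUES (?, ?)", (vseq, "2023-05-16 00:00:00"))
    db.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", events)
    db.commit()
    return db

def schema_version(db):
    """Highest vseq recorded in the schema table, i.e. the current version."""
    return db.execute("SELECT MAX(vseq) FROM schema").fetchone()[0]

def archive_alerts(src, dst, keys, move=False):
    """Copy the alerts identified by (sid, cid) pairs from src to dst
    ("Archive alert(s) (copy)"). With move=True, also delete them from src
    ("Archive alert(s) (move)"), but only after the copy has been committed,
    so a failure during the copy cannot lose alerts. Returns the number of
    alerts archived. Refuses to run if the two schema versions differ."""
    if schema_version(src) != schema_version(dst):
        raise ValueError("archive DB schema version differs from alert DB")
    rows = [src.execute("SELECT sid, cid, signature, timestamp FROM event "
                        "WHERE sid=? AND cid=?", k).fetchone() for k in keys]
    rows = [r for r in rows if r is not None]  # skip keys that do not exist
    with dst:  # one transaction: commit on success, roll back on error
        dst.executemany("INSERT OR IGNORE INTO event VALUES (?, ?, ?, ?)", rows)
    if move:
        with src:  # delete from the alert DB only once the archive copy is safe
            src.executemany("DELETE FROM event WHERE sid=? AND cid=?",
                            [(r[0], r[1]) for r in rows])
    return len(rows)
```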

Adapted from: https://acidlab.sourceforge.net/acid_archive_instruct.html & https://www.andrew.cmu.edu/user/rdanyliw/snort/acid_archive_instruct.html