Snort mailing list archives
Re: manual access to ACID databases
From: Steve.Rudolph () jwt com
Date: Wed, 10 Oct 2001 13:24:38 -0400
Susan, Would you care to share you Perl script for archiving? I am new to SQL - so it would take me a couple of weeks to figure out how to code this, I'm sure. I already archive through the ACID interface and it is woefully slow. I seem to be getting about 10000 alerts a day - SNORT is on the external side of the FW looking at the Internet traffic, and is seems like once it gets over 10000 it slows down considerably. Does anyone have a script to extract all entries for a particular IP address from a MySQL database? I would like to stop logging to the snort.log file too, as this probably adds some load and gets erased every time I stop and start snort after a config change. I hate logging the same thing to 3 places, 2 is bad enough. Steve Rudolph CCSA, CCSE J. Walter Thompson World Wide IT Susan Kay Coulter <skc () lanl gov> To: snort-users () lists sourceforge net Sent by: cc: snort-users-admin@lists.sourc Subject: Re: [Snort-users] manual access to ACID databases eforge.net 10/10/2001 11:27 AM Please respond to skc I periodically removed the nimda alerts by using a Perl/mysql dbi script. If you are comfortable with perl, it is pretty simple to download the mysql dbi and write a script to clear out alerts by signature, time frame, etc. I have found it extremely useful - and use it to archive alerts on a monthly basis. It is much faster than using ACID, and you can start up the script when you leave at the end of the day and let it run - or run it as a cronjob during your slowest traffic period. ( Of course this does require becoming familiar with the db design and knowing the relation between the tables.)
From: "Jones, Benny" <Ben () wcom net> To: "'Snort Users'" <snort-users () lists sourceforge net> Date: Wed, 10 Oct 2001 09:50:39 -0400 Subject: [Snort-users] manual access to ACID databases This message is in MIME format. Since your mail reader does not
understand
this format, some or all of this message may not be legible. ------_=_NextPart_001_01C15192.8BC36CC0 Content-Type: text/plain; charset="iso-8859-1" recent nimda shenanigans has apparently overloaded my ACID database with 10s of thousands (probably a few hundred thousand) alerts that I don't want. The initial ACID display doesn't come up (the mysqld process simply chugs away for over an hour). I'd like to go into the mysql database and use SQL to delete the records manually, but I'm concerned that I'll leave the database equivalent of broken links around if I make a mistake. Has anyone else successfully dealt with something like this? If manual access is an option, what is the command to use to get rid of say, all alerts with "outgoing admin.dll" in them? Or, maybe I've got something misconfigured. Any advice would be appreciated. TIA Benny
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- manual access to ACID databases Jones, Benny (Oct 10)
- <Possible follow-ups>
- RE: manual access to ACID databases Steve Halligan (Oct 10)
- Re: manual access to ACID databases Susan Kay Coulter (Oct 10)
- Re: manual access to ACID databases Steve . Rudolph (Oct 10)
- Re: manual access to ACID databases Susan Kay Coulter (Oct 10)
- Re: manual access to ACID databases Susan Kay Coulter (Oct 10)