Snort mailing list archives
RE: Slammer Virus ruined my ACID and SNORT
From: "Maynard, Jeff S." <Jeff.Maynard () banctec com>
Date: Fri, 28 Mar 2003 08:20:37 -0600
This is not what I have found. I have used this method with success in the past. One other thing that I do on a regular basis is run an optimize on all the Snort tables. I have a cron script which does this once an hour. Don't know if this is why this works for me.

-----Original Message-----
From: Paul Schmehl [mailto:pauls () utdallas edu]
Sent: Thursday, March 27, 2003 5:20 PM
To: Maynard, Jeff S.
Cc: 'Andrade, Leonardo F. " Buonsanti "de (IT - Brasil)'; 'snort-users () lists sourceforge net'
Subject: RE: [Snort-users] Slammer Virus ruined my ACID and SNORT

On Thu, 2003-03-27 at 13:48, Maynard, Jeff S. wrote:
Sorry, the correct syntax would be : use snort; then delete from acid_event where ip_src="xxxxxxxxx";
How does this help? You can delete *everything* in the four ACID tables and the next time you refresh ACID all two million events will return. You have to delete the event records from the appropriate snort tables to actually get rid of the alerts.

After I implemented my archiving script, I added four lines of code (actually eight, but the first four were simply to properly format the queries). Each night cron runs the script and all events older than 8 days are copied to an archive database and deleted from the snort database. The four lines that I added delete *everything* in the four acid tables. As soon as that happens, the next time ACID refreshes, it will reload *everything* that's in the snort database.

--
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/~pauls/
AVIEN Founding Member
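To make the disagreement above concrete, here is an added example (not code from either poster, from Snort or from ACID) that models both approaches against a cut-down sqlite copy of the snort `event`/`iphdr` tables and the `acid_event` cache: deleting from `acid_event` alone is undone by the next ACID refresh, while archiving and deleting from the snort tables and then clearing the cache sticks. The table names are the real ones; the column sets, the refresh logic and the sample alerts are simplified assumptions.

```python
import sqlite3
# Added example (not code from the posters, Snort or ACID): a constructed, cut-down model of the
# tables the thread argues about. Snort writes event/iphdr keyed by (sid, cid); acid_event is a cache.
ROWS = [  # (sid, cid, signature, timestamp, ip_src), constructed sample alerts
    (1, 1, 2003, "2003-03-01 10:00:00", 0x0A000001),
    (1, 2, 2003, "2003-03-10 10:00:00", 0x0A000003),
    (1, 3, 2003, "2003-03-20 10:00:00", 0x0A000001),
    (1, 4, 2003, "2003-03-27 10:00:00", 0x0A000003),
]

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        ATTACH DATABASE ':memory:' AS archive;  -- stands in for the separate archive database
        CREATE TABLE event (sid INT, cid INT, signature INT, timestamp TEXT, PRIMARY KEY (sid, cid));
        CREATE TABLE iphdr (sid INT, cid INT, ip_src INT, PRIMARY KEY (sid, cid));
        CREATE TABLE acid_event (sid INT, cid INT, signature INT, timestamp TEXT, ip_src INT);
        CREATE TABLE archive.event AS SELECT * FROM event WHERE 0;
        CREATE TABLE archive.iphdr AS SELECT * FROM iphdr WHERE 0;
    """)
    db.executemany("INSERT INTO event VALUES (?,?,?,?)", [r[:4] for r in ROWS])
    db.executemany("INSERT INTO iphdr VALUES (?,?,?)", [r[:2] + r[4:] for r in ROWS])
    acid_refresh(db)
    return db

def acid_refresh(db):
    """Model of ACID's cache rebuild: every snort event missing from acid_event comes back."""
    db.execute("""INSERT INTO acid_event SELECT e.sid, e.cid, e.signature, e.timestamp, i.ip_src
                  FROM event e JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
                  WHERE NOT EXISTS (SELECT 1 FROM acid_event a WHERE a.sid = e.sid AND a.cid = e.cid)""")
    db.commit()

def acid_count(db):
    return db.execute("SELECT COUNT(*) FROM acid_event").fetchone()[0]

def purge_acid_only(db, ip_src):
    """The 'delete from acid_event where ip_src=...' approach: it touches only the cache."""
    db.execute("DELETE FROM acid_event WHERE ip_src = ?", (ip_src,))
    db.commit()

def purge_snort(db, cutoff):
    """Archive-and-delete: move snort rows older than cutoff, then empty the ACID cache. Returns rows moved."""
    old = "EXISTS (SELECT 1 FROM event e WHERE e.sid = iphdr.sid AND e.cid = iphdr.cid AND e.timestamp < ?)"
    db.execute("INSERT INTO archive.event SELECT * FROM event WHERE timestamp < ?", (cutoff,))
    db.execute("INSERT INTO archive.iphdr SELECT * FROM iphdr WHERE " + old, (cutoff,))
    db.execute("DELETE FROM iphdr WHERE " + old, (cutoff,))
    moved = db.execute("DELETE FROM event WHERE timestamp < ?", (cutoff,)).rowcount
    db.execute("DELETE FROM acid_event")  # the ACID tables are a cache; clearing forces a clean rebuild
    db.commit()
    return moved
```

Run `build_db()`, then `purge_acid_only` followed by `acid_refresh` to watch the deleted rows return, and `purge_snort` followed by `acid_refresh` to see them stay gone.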