Snort mailing list archives

Re: Snort, Mysql purging


From: Frank Knobbe <frank () knobbe us>
Date: Wed, 10 Dec 2003 17:56:46 -0600

On Wed, 2003-12-10 at 17:36, Josh Berry wrote:
> I HIGHLY suggest NOT deleting the information.  I suggest having a
> secondary archive db that you move stuff like Welchia to when you think
> you don't need it anymore.

I guess that all depends on your or your company's policy. You can dump
certain data. I routinely dump the contents of the DATA table for
certain signatures after a period of time. I don't see a reason to keep
the same exact content for, say, the SQL-Slammer in the DB. Other
content (IPHDR and friends) is archived. But certain ballast is dumped.

You need to consider the usefulness of the data. Will you ever go back
to data from IPHDR for an event that occurred a year ago?

Perhaps this thread can evolve into a DB/data retention policy thread.
To yell categorically "yes" or "no" is wrong. The correct answer is
"depends" :)

Cheers,
Frank
