Snort mailing list archives
Re: Snort, Mysql purging
From: Frank Knobbe <frank () knobbe us>
Date: Wed, 10 Dec 2003 17:56:46 -0600
On Wed, 2003-12-10 at 17:36, Josh Berry wrote:
> I HIGHLY suggest NOT deleting the information. I suggest having a secondary archive db that you move stuff like Welchia to when you think you don't need it anymore.

I guess that all depends on your or your company's policy. You can dump certain data. I routinely dump the contents of the DATA table for certain signatures after a period of time. I don't see a reason to keep the same exact content for, say, the SQL-Slammer in the DB. Other content (IPHDR and friends) is archived. But certain ballast is dumped.

You need to consider the usefulness of the data. Will you ever go back to data from IPHDR for an event that occurred a year ago?

Perhaps this thread can evolve into a DB/data retention policy thread. To yell categorically "yes" or "no" is wrong. The correct answer is "depends" :)

Cheers,
Frank