RE: How to delete alerts without acid

[SN ORT <snort_on_acid () yahoo com>]

Well, I suppose you'd goto the prompt and run mysql.
Attaching to the database, bringing up the appropriate
table and deleting the events. Something like: 

Database snortmaster-
DELETE FROM acid_event WHERE sig_name = 'msblaster'; 
-or is it-?
DELETE FROM * WHERE sig_name = 'msblaster';

Try and see if QUICK works with that as well..

Or something along that line...then you can script it
to where you just type in the variable used to delete
the sig name. 

I imagine this would not be as bad as doing it from
ACID. You'd still max-out the processor with MYSQLD
running that command for awhile.

Cheese!

Marc


--- Jason Humes <jhumes () acs on ca> wrote:
> Sorry, my snort DB is mysql and its hosted on the
> notebook.  How would I
> clear this out manually?  Thanks
>
> -----Original Message-----
> From: SN ORT [mailto:snort_on_acid () yahoo com] 
> Sent: Monday, March 15, 2004 3:25 PM
> To: Snort Dudes
> Cc: jhumes () acs on ca
> Subject: RE: [Snort-users] How to delete alerts
> without acid
>
>
> Where and what is your "Snort dB"? Is it MySql? Is
> it
> "on the laptop"? Is it on a WAN somewhere? 
>
> Deleting 300000 alerts will drive up the CPU on both
> ACID/httpd and the database processes. 
>
> Heck, just bringing up the ACID Alerts index page
> takes an average (httpd 5%) and (MySqld 17%) CPU
> resources on a 4000 item Snort database.
>
> I suppose you could clear out any table manually.
>
> Cheese!
>
> Marc
>
>
> ---------------Original Message---------------------
> Message: 12
> From: Jason Humes <jhumes () acs on ca>
> To: "'snort-users () lists sourceforge net'"
>        <snort-users () lists sourceforge net>
> Date: Mon, 15 Mar 2004 12:49:28 -0500
> Subject: [Snort-users] How to delete alerts without
> acid
>
> Hi
> I've got snort installed on a notebook which we use
> as
> a portable IDS.  We
> take this out and drop it off at sites which may be
> experiencing problems.
> This notebook is a P4 2.8ghz with 512RAM and 20gig
> HD.  I'm trying to delete
> about 300000 alerts from the Snort DB through the
> ACID console, yet the page
> never seems to refresh after I select the alerts and
> hit Delete.  The HD
> activity light stays lit constant, yet no refresh
> (even after 30minutes). Is
> there any way to clear up the alert database without
> using acid?  Could this
> problem be related to something other than the large
> number of alerts?
> Thanks
>
> Jason D. Humes
> ----------------------------------------------------


__________________________________
Do you Yahoo!?
Yahoo! Mail - More reliable, more storage, less spam
http://mail.yahoo.com


-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users