Snort mailing list archives
RE: clearing logs in acid console
From: <CGhercoias () TWEC COM>
Date: Wed, 22 Sep 2004 09:31:36 -0400
I'm using the following script to delete events from the snort database. Use it at your own risk. Before using it, do a backup of the database with:

mysqldump --opt snort_database > /backup/snort_backup

Hope this helps.

#!/bin/bash
#
# Script to delete old data from the snort sql database.
# NOTE! Before you can use this script, you must change the defines
# in the following lines to match those at your company.
#
# A few constants needed. User with R/W privileges to snort database.
# (The password is passed to mysql on its command line below, so it is
# visible to other local users in the process list; restrict who can
# log in to the sensor host and run this script.)
MYUSER="database_user"
MYPASS="password"
SNORTDB="snort_database"

# Now define the public IP address ranges used by your company.
# If you have more than one discontiguous range, you'll need to edit
# the SQL generation code lower down in this script. It's not hard to do.
IPLOW="192.168.0.0"
IPHIGH="192.168.0.254"

function usage() {
    cat <<EOF >&2
Usage: $0 [ -<options> ] hours

Deletes old data in the snort database, keeping entries received within
the past <hours>. You can limit the data deleted by signature or ip,
using the specified options.

Options:
  -b        Debug SQL - Prints executed SQL to stderr
  -d        Use destination IP with -r or -i; default is source.
  -i "ip"   Have the given source IP exclusive of -r.
  -n        Don't actually do anything; just look up data.
  -o        Optimize the tables after deleting.
  -r        Remote source IPs only (incoming, not outgoing).
  -s "x"    Signature must be like '%x%'
EOF
}

# Parse the options with the enhanced (util-linux) getopt.
if TEMP=`getopt -o bdi:nors: -n "$0" -- "$@"`; [ $? -ne 0 ]; then
    usage; exit 1
fi
eval set -- "$TEMP"

LIKE=""; REMOTES=""; IP=""; SRCDST="ip_src"; NOEXEC=""; DBG=""; OPTIM=""
while true ; do
    if   [ "$1" = "-b" ]; then DBG=1; shift
    elif [ "$1" = "-d" ]; then SRCDST="ip_dst"; shift
    elif [ "$1" = "-i" ]; then IP="$2"; shift 2
    elif [ "$1" = "-n" ]; then NOEXEC=1; shift
    elif [ "$1" = "-o" ]; then OPTIM=1; shift
    elif [ "$1" = "-r" ]; then REMOTES=1; shift
    elif [ "$1" = "-s" ]; then LIKE="$2"; shift 2
    elif [ "$1" = "--" ]; then shift; break
    else echo "Internal getopt error?" >&2; exit 2
    fi
done

# Sanity-check the arguments. With <hours> = 0 and no other filter the
# query would match every event, so refuse that combination.
if [ $# -ne 1 ]; then
    usage; exit 1
elif [ -n "$IP" -a -n "$REMOTES" ]; then
    echo -e "\n\nCannot specify both -i and -r.\n" >&2
    usage; exit 1
elif HOURS="$1"; ! echo "$HOURS" | grep -q '^[0-9]\+$'; then
    echo -e "\n\nThe <Hours> argument must be a non-negative integer.\n" >&2
    usage; exit 1
elif [ -z "$IP" -a -z "$REMOTES" -a -z "$LIKE" -a $(($HOURS+0)) = 0 ]; then
    echo -e "\n\nMust specify at least one of either -i, -r or -s" >&2
    echo -e "when the <hours> argument is zero (else delete entire DB!).\n" >&2
    usage; exit 1
fi

# Build the SELECT that lists the (sid, cid) pairs to be deleted.
function makequery () {
    local wa="WHERE"
    echo -n "SELECT event.sid, event.cid FROM "
    if [ -n "$IP$REMOTES" ]; then echo -n "iphdr, "; fi
    if [ -n "$LIKE" ]
    then echo -n "signature, event"
    else echo -n "event"
    fi
    if [ $HOURS -gt 0 ]; then
        echo -en "\n  $wa event.timestamp < NOW() - INTERVAL '$HOURS' HOUR"
        wa="AND"
    fi
    if [ -n "$LIKE" ]; then
        if ! echo "$LIKE" | grep -q '%'; then
            LIKE="%${LIKE}%"
        fi
        echo -e "\n  $wa signature.sig_name LIKE '$LIKE'"
        echo -n "  AND signature.sig_id = event.signature"; wa="AND"
    fi
    if [ -n "$IP" ]; then
        echo -e "\n  $wa iphdr.$SRCDST = INET_ATON('$IP')"
    elif [ -n "$REMOTES" ]; then
        cat <<EOF
  $wa iphdr.$SRCDST NOT BETWEEN INET_ATON('$IPLOW') AND INET_ATON('$IPHIGH')
  AND iphdr.$SRCDST NOT BETWEEN INET_ATON('10.0.0.0') AND INET_ATON('10.255.255.255')
  AND iphdr.$SRCDST NOT BETWEEN INET_ATON('192.168.0.0') AND INET_ATON('192.168.255.255')
  AND iphdr.$SRCDST NOT BETWEEN INET_ATON('172.0.0.0') AND INET_ATON('172.255.255.255')
  AND iphdr.$SRCDST NOT BETWEEN INET_ATON('65.88.87.64') AND INET_ATON('65.88.87.127')
EOF
    fi
    if [ -n "$IP$REMOTES" ]
    then echo "  AND iphdr.sid = event.sid AND iphdr.cid = event.cid;"
    else echo ";"
    fi
}

# This takes the output of makequery, pipes it through mysql to get the
# list of rows to delete, generates the delete statements for each table,
# then optionally adds optimize commands.
function makesql () {
    local rhs table
    # Build a sed substitution that turns each "sid<tab>cid" line into one
    # DELETE per table (the backslash-newlines are part of the sed program).
    rhs='s%^\([0-9]\+\)[[:space:]]\+\([0-9]\+\)$%\
'
    for table in data event icmphdr tcphdr udphdr iphdr opt; do
        rhs="${rhs}DELETE FROM $table WHERE sid='\1' AND cid='\2';\\
"
    done
    rhs="$rhs%"
    makequery | mysql --user="$MYUSER" --password="$MYPASS" -s -B "$SNORTDB" |\
        sed -e "$rhs"
    if [ -n "$OPTIM" ]; then
        # Order tables by approximate size.
        for table in icmphdr udphdr opt event tcphdr iphdr data; do
            echo "OPTIMIZE TABLE $table;"
        done
    fi
}

#########################################################################
#                                                                       #
#  Run the query and output the results...                              #
#                                                                       #
#########################################################################
if [ -n "$DBG" ]; then
    echo -e "\nSQL Query:\n" >&2; makequery >&2; echo >&2
fi
# With -n only print the generated SQL; otherwise feed it to mysql.
if [ -n "$NOEXEC" ]
then makesql
else makesql | mysql --user="$MYUSER" --password="$MYPASS" "$SNORTDB"
fi

Thank you,
___________________________
Catalin A. Ghercoias
WEB/Network Security Administrator
Office Phone: +(518) 452-1242 Ext.7435
Fax: (518) 452-4768

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Jose Maria Lopez
Sent: Tuesday, September 21, 2004 8:05 AM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] clearing logs in acid console

On Fri, 17 Sep 2004 at 20:37, support wrote:
Hi Jose,

Thanks for your help. But I am facing a problem with snort: the /usr partition is going 100% utilized, because of which the acid console is not showing any new alerts. Can you tell me how and which files to delete from this partition in order to work it out?

Regards,
raj
You could delete the whole snort directory under the mysql directory, but then you will have to create the tables for snort and acid from new. Check this directory and see if you can delete it safely and create the tables for acid from new. Maybe someone can give you better advice.

--
Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac () bgsec com
bgSEC Computer Systems Security and Consultancy
http://www.bgsec.com
SPAIN

The only people for me are the mad ones -- the ones who are mad to live, mad to talk, mad to be saved, desirous of everything at the same time, the ones who never yawn or say a commonplace thing, but burn, burn, burn like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"
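The prune logic of Catalin's script, reworked as an added Python example (this is not code from the thread or from the Snort project): it does the same SELECT of (sid, cid) pairs followed by a DELETE from each of the seven event tables, supports a dry run like the script's -n, and binds the hours, IP and signature values as query parameters instead of splicing them into the SQL text. It runs offline against a constructed in-memory SQLite stand-in for the Snort schema, so MySQL's INET_ATON() and NOW() - INTERVAL are replaced by Python equivalents, the table definitions and sample rows are invented for the example, and the first entry of LOCAL_RANGES is a placeholder for the site's own public range (the 172.16/12 block is used in place of the script's wider 172/8).

```python
"""Prune old Snort events by (sid, cid); offline model of the thread's script.
Schema, sample rows and LOCAL_RANGES are constructed for this example."""
import ipaddress
import sqlite3
from datetime import datetime, timedelta

# Tables keyed by (sid, cid) in the Snort schema, pruned together in the
# same order the script's makesql() emits its DELETE statements.
EVENT_TABLES = ["data", "event", "icmphdr", "tcphdr", "udphdr", "iphdr", "opt"]

# Ranges treated as "local" when remotes=True (script's -r). The first pair
# is a placeholder for the site's own IPLOW/IPHIGH; the rest are RFC 1918.
LOCAL_RANGES = [
    ("192.168.0.0", "192.168.0.254"),
    ("10.0.0.0", "10.255.255.255"),
    ("192.168.0.0", "192.168.255.255"),
    ("172.16.0.0", "172.31.255.255"),
]


def inet_aton(ip):
    """Integer form of a dotted quad, as MySQL INET_ATON() and Snort's iphdr store it."""
    return int(ipaddress.IPv4Address(ip))


def build_select(hours, ip=None, like=None, remotes=False, dst=False, now=None):
    """Return (sql, params) selecting the event (sid, cid) pairs to delete.
    now is an ISO timestamp string ("YYYY-MM-DD HH:MM:SS"); default is the clock."""
    if ip and remotes:
        raise ValueError("ip and remotes are mutually exclusive")
    if hours == 0 and not (ip or like or remotes):
        raise ValueError("refusing to delete the entire database")
    col = "iphdr.ip_dst" if dst else "iphdr.ip_src"
    tables, where, params = ["event"], [], []
    if ip or remotes:
        tables.append("iphdr")
        where.append("iphdr.sid = event.sid AND iphdr.cid = event.cid")
    if like:
        tables.append("signature")
        where.append("signature.sig_id = event.signature")
        where.append("signature.sig_name LIKE ?")
        params.append(like if "%" in like else f"%{like}%")
    if hours > 0:
        base = datetime.fromisoformat(now) if now else datetime.now()
        cutoff = base - timedelta(hours=hours)
        where.append("event.timestamp < ?")
        params.append(cutoff.strftime("%Y-%m-%d %H:%M:%S"))
    if ip:
        where.append(f"{col} = ?")
        params.append(inet_aton(ip))
    elif remotes:
        for low, high in LOCAL_RANGES:
            where.append(f"{col} NOT BETWEEN ? AND ?")
            params.extend([inet_aton(low), inet_aton(high)])
    sql = "SELECT event.sid, event.cid FROM " + ", ".join(tables)
    sql += " WHERE " + " AND ".join(where)
    return sql, params


def prune(conn, dry_run=True, **opts):
    """Select the matching pairs and, unless dry_run, delete them from every
    event table in one transaction. Returns the list of (sid, cid) pairs."""
    sql, params = build_select(**opts)
    pairs = conn.execute(sql, params).fetchall()
    if not dry_run:
        with conn:
            for table in EVENT_TABLES:
                conn.executemany(f"DELETE FROM {table} WHERE sid = ? AND cid = ?", pairs)
    return pairs


def remaining(conn, table="event"):
    """Row count of one table, for checking what a prune left behind."""
    return conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]


def sample_db():
    """Constructed in-memory stand-in for the Snort schema (not real sensor data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE event (sid INT, cid INT, signature INT, timestamp TEXT);
        CREATE TABLE iphdr (sid INT, cid INT, ip_src INT, ip_dst INT);
        CREATE TABLE signature (sig_id INT, sig_name TEXT);
        CREATE TABLE data (sid INT, cid INT, data_payload TEXT);
        CREATE TABLE icmphdr (sid INT, cid INT); CREATE TABLE tcphdr (sid INT, cid INT);
        CREATE TABLE udphdr (sid INT, cid INT); CREATE TABLE opt (sid INT, cid INT);
    """)
    conn.executemany("INSERT INTO signature VALUES (?, ?)",
                     [(1, "ICMP PING NMAP"), (2, "WEB-MISC /etc/passwd")])
    # cid 1: old, from a remote host; cid 2: old, from the LAN; cid 3: recent, remote.
    conn.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", [
        (1, 1, 1, "2004-09-01 10:00:00"),
        (1, 2, 2, "2004-09-01 11:00:00"),
        (1, 3, 1, "2004-09-22 09:00:00")])
    conn.executemany("INSERT INTO iphdr VALUES (?, ?, ?, ?)", [
        (1, 1, inet_aton("203.0.113.5"), inet_aton("192.168.0.10")),
        (1, 2, inet_aton("192.168.0.20"), inet_aton("192.168.0.10")),
        (1, 3, inet_aton("203.0.113.9"), inet_aton("192.168.0.10"))])
    conn.executemany("INSERT INTO data VALUES (?, ?, ?)",
                     [(1, 1, "a"), (1, 2, "b"), (1, 3, "c")])
    return conn


if __name__ == "__main__":
    db = sample_db()
    print(prune(db, dry_run=True, hours=24, remotes=True, now="2004-09-22 09:30:00"))
    prune(db, dry_run=False, hours=24, remotes=True, now="2004-09-22 09:30:00")
    print(remaining(db, "event"), remaining(db, "data"))
```

The dry run returns the pairs the script's -n mode would list without touching the tables; the same call with dry_run=False removes them from all seven tables inside one transaction, so a failure part way through does not leave an event row without its iphdr or data rows.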