[Snort-sigs] ACID Response Table Bug

King Jr, Charles (Contractor) King2c at ...2325...
Fri Mar 19 09:51:06 EST 2004


I realize this isn't the appropriate list, but it's for the most part the
appropriate audience...apologies to those without ACID.

We discovered that the acid_action.inc file is missing an entry in the
PurgeAlert function for the response table. This allows the payload response
records to build up and diminish ACID's already poor responsiveness.  You
can remedy this by adding the entry ("response",) to the function.  To
delete old records, you can do something like:

mysql -u snort
use acid;
show tables;
desc response;  -- check the response table's columns before deleting anything

select max(cid) from event where timestamp < now() - interval 3 day;
This returns an id for the highest event from three days ago, assuming
you've reviewed everything in the last couple of days and are willing to
purge old data.

delete from response where cid < xxx;  -- note: cid is only unique per sensor; (sid, cid) is the key
Replace xxx with the cid number you got from the first query.


Chuck King
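The purge above, written out with the (sid, cid) key that Snort's schema actually uses, as an added example that is not part of the original post and not ACID's or Snort's own code. It simulates the relevant slice of the Snort database in SQLite so it runs offline: the event table columns (sid, cid, signature, timestamp) follow Snort's create_mysql script, and the response table is assumed to carry the same (sid, cid) key, which is an assumption. The sample rows are constructed: a busy sensor, a quiet sensor, and two response rows whose events ACID's PurgeAlert already removed. It shows why "cid < max(cid)" across sensors deletes the wrong rows and leaves the orphans behind, and then does the purge two ways that are safe: drop response rows with no matching event, and drop rows whose event is older than the cutoff. The NOT EXISTS / EXISTS subqueries are standard SQL and need MySQL 4.1 or later.

```python
"""Purging stale rows from the Snort/ACID ``response`` table.

Added example, not code from the original post or from ACID/Snort. The
``event`` table follows Snort's create_mysql schema; the ``response``
table is assumed to share the (sid, cid) key. Sample data is constructed.
"""
import sqlite3
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
SAMPLE_NOW = datetime(2004, 3, 19, 9, 51, 6)  # date of the original post

SCHEMA = """
CREATE TABLE event (
    sid INTEGER NOT NULL, cid INTEGER NOT NULL,
    signature INTEGER NOT NULL, timestamp TEXT NOT NULL,
    PRIMARY KEY (sid, cid));
CREATE TABLE response (
    sid INTEGER NOT NULL, cid INTEGER NOT NULL,
    payload BLOB, PRIMARY KEY (sid, cid));
"""


def build_sample_db(now=SAMPLE_NOW):
    """Constructed data: a busy sensor (sid 1) and a quiet sensor (sid 2).

    Sensor 1 has four events from ten days ago and two from yesterday;
    sensor 2 has three events from yesterday. Every event has a response
    row, plus two response rows (sid 1, cid 90 and 91) whose events
    ACID's PurgeAlert already deleted: the orphans that build up.
    """
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    old = (now - timedelta(days=10)).strftime(FMT)
    recent = (now - timedelta(days=1)).strftime(FMT)
    events = [(1, c, 1000, old) for c in range(1, 5)]
    events += [(1, c, 1000, recent) for c in (5, 6)]
    events += [(2, c, 1000, recent) for c in (1, 2, 3)]
    con.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", events)
    responses = [(sid, cid, b"RST") for sid, cid, _, _ in events]
    responses += [(1, 90, b"RST"), (1, 91, b"RST")]  # orphans, no event row
    con.executemany("INSERT INTO response VALUES (?, ?, ?)", responses)
    con.commit()
    return con


def purge_by_max_cid(con, now=SAMPLE_NOW, days=3):
    """The post's two-step recipe, automated. Returns rows deleted.

    cid is only unique per sensor, so ``cid < max(cid)`` also removes
    recent rows from a sensor whose counter is lower, and it never
    touches orphans whose cid is above the cutoff.
    """
    cutoff = (now - timedelta(days=days)).strftime(FMT)
    (max_cid,) = con.execute(
        "SELECT max(cid) FROM event WHERE timestamp < ?", (cutoff,)).fetchone()
    if max_cid is None:
        return 0
    cur = con.execute("DELETE FROM response WHERE cid < ?", (max_cid,))
    con.commit()
    return cur.rowcount


def purge_responses(con, now=SAMPLE_NOW, days=3):
    """Keyed purge. Returns (orphans deleted, aged rows deleted)."""
    cutoff = (now - timedelta(days=days)).strftime(FMT)
    # 1. Rows whose event is already gone (what the missing PurgeAlert
    #    entry leaves behind).
    orphans = con.execute(
        "DELETE FROM response WHERE NOT EXISTS ("
        "  SELECT 1 FROM event e"
        "  WHERE e.sid = response.sid AND e.cid = response.cid)"
    ).rowcount
    # 2. Rows whose event is older than the cutoff, matched on the full
    #    (sid, cid) key so other sensors are unaffected.
    aged = con.execute(
        "DELETE FROM response WHERE EXISTS ("
        "  SELECT 1 FROM event e"
        "  WHERE e.sid = response.sid AND e.cid = response.cid"
        "  AND e.timestamp < ?)", (cutoff,)
    ).rowcount
    con.commit()
    return orphans, aged


def remaining(con):
    """Sorted (sid, cid) keys still present in response."""
    return con.execute("SELECT sid, cid FROM response ORDER BY sid, cid").fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    print("post's recipe deleted", purge_by_max_cid(db), "rows; left:", remaining(db))
    db = build_sample_db()
    print("keyed purge deleted", purge_responses(db), "rows; left:", remaining(db))
```

Against a real ACID database the same two DELETE statements are what you would run from the mysql client (the table names are unchanged), with the orphan purge being the one that actually undoes the accumulation the post describes; the age-based purge then matches what PurgeAlert does for the other tables once the "response" entry is added.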
