[Snort-users] Trimming/Archiving Snort Data from a MYSQL Db. (How do you do it?)

box.inter-tel.net chris at ...714...
Fri Oct 27 17:30:41 EDT 2000


Hello all,

Recently decided to give ACID v0.9.4 (of the AirCERT project) a try after
hearing it mentioned at the Monterey SANS conf.  It requires that you use
the database plugin for snort, so I ran right off and built a mysql
database...

For those of you unaware of what ACID http://www.cert.org/kb/acid is, it is
a nice little set of php scripts that gives you web access to some stats on
and access to, the data that gets pumped into your mysql database by snort.

Lots of potential here, but after only a few days of a few sensors pointing
at my database, my disk space began to disappear rapidly.  Now, I know how
to handle my familiar old flat file logs when space gets tight, but not
being terribly adept in the database world, and hating to throw anything
away, I have had to leave this beast to grow unchecked.  My guess is you
"trim" the data and archive the cuttings off somewhere.  Anyone have a
solution for this already?  Or give me an idea of how I might go about this?
Some magical SQL statement?  It's getting really big.

I realize this is more of a mysql than a snort question, but my guess is
some of you have dealt with this already, or will be dealing with it soon.

Any advice or insight would be appreciated.

Thanks all,

chris r.

(Nice job at Monterey, SANS, Martin)
