[Snort-users] a user experience w/ Snort, ACID & (Postgre|My) SQL
Kevin.M.Brown at ...1022...
Thu Oct 4 09:45:03 EDT 2001
I created three custom (very dumb) shell scripts that are run by cron. One
moves the tables (literally performs a mv on the directory that holds the
snort db) and then creates a new empty database with the mysql_create script
(v1.04). A second script fires off my custom php page to get the statistics
for that week (tcp, udp, icmp, portscan and total alerts <- similar to the
graph from the top of ACID). The third and final script takes the archive
and tars it up to a different directory for long term storage.
All three scripts are totally dumb (no error handling or correction
# Snort Move script. Moves the database from live to archive status, then
# creates the new tables.
# (the log file name after each >> did not survive in the post)
/bin/echo "Starting move of SQL to Archive `/bin/date +%c`" >>
# assumes cron runs this with the live snort db directory as its cwd
/bin/mv -f * /var/lib/mysql/snort_archive
/bin/echo "Creating Snort tables `/bin/date +%c`" >>
# recreate the empty schema with the create_mysql script shipped with Snort
/usr/bin/mysql -u root -p<password> snort < /home/hellgate/bin/create_mysql
/bin/echo "Finished Snort tables `/bin/date +%c`" >>
/bin/echo "Finished move of SQL to Archive `/bin/date +%c`" >>
# Calls my custom php which borrows code from ACID to create a chart for
# that week's data
echo "Started Snortstats `/bin/date +%c`" >> /home/hellgate/bin/stats.log
# fetch the rendered stats page (-T 0 disables the wget timeout)
/usr/bin/wget -T 0 -O index.html <url of web server and page>
# keep one copy per week, named by date, and link it from the index page
/bin/mv -f index.html index`/bin/date +%m-%d-%y`.html
echo "<A HREF=\"index`/bin/date +%m-%d-%y`.html\">Stats for week of `/bin/date +%m-%d-%Y`</A><BR>" >> snortstats.html
chmod 644 /home/httpd/html/php/*
echo "Finished Snortstats `/bin/date +%c`" >> /home/hellgate/bin/stats.log
# Snort Archive tars up the archive data so that it can be put into "cold
# storage" unless needed.
# (the log file name after each >> and the directory given to tar did not
# survive in the post)
/bin/echo "Starting archive of SQL in Snort Archive `/bin/date +%c`" >>
# one tarball per ISO week, e.g. snort_archive-40-2001.tar
/bin/tar -cf /var/lib/mysql/archives/snort_archive-`date +%V-%Y`.tar
/bin/echo "Finished archive of SQL in Snort Archive `/bin/date +%c`" >>
> -----Original Message-----
> From: Jason Lewis [mailto:jlewis at ...2449...]
> Sent: Wednesday, October 03, 2001 09:59
> To: 'Kevin Brown'; 'Snort Users'
> Subject: RE: [Snort-users] a user experience w/ Snort, ACID &
> (Postgre|My) SQL
> How are you doing the rotation?
> We have since switched back to MySQL and I have the database rotated out
> once a week to prevent it from growing too large. Switching back also fixed
> the timestamp issues, so I can only assume that the problem is with the db
> output plugin and postgres.
> Jason Lewis
> It's not secure "Because they told me it was secure".
> The people at the other end of the link know less
> about security than you do. And that's scary.
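As an added example (not Kevin's scripts, and not code from the Snort or ACID projects), here is one way to do the same weekly rotation in a single script with the checks the posted versions leave out: database credentials read from a 0600 option file instead of -p<password> on the command line (where ps and the cron environment expose it), a flush of open tables before the data directory is moved, a refusal to overwrite an existing week's archive, and a verification that the tarball lists before success is logged. All paths, the option-file name, the DB_OWNER account and the --run flag are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not one of the scripts from the post. It folds the three
# cron jobs (move the live snort database directory aside, recreate the empty
# schema, tar the archive) into one run with the checks the originals skip.
# Every path and the option-file name below are assumptions for illustration.
set -eu
umask 077                                   # archived alert data stays owner-readable only

LOG=${LOG:-/var/log/snort-rotate.log}       # assumed log location
OPTFILE=${OPTFILE:-/root/.snort-db.cnf}     # assumed 0600 file: [client] user=... password=...
SCHEMA=${SCHEMA:-/home/hellgate/bin/create_mysql}

log() { printf '%s %s\n' "$(date +%c)" "$*" >>"$LOG"; }

# Week tag in the post's own format (ISO week, then year), e.g. 40-2001
week_tag() { date +%V-%Y; }

# Move the live data directory to ARCHIVE_ROOT/snort_archive-TAG and recreate
# an empty LIVE directory. Refuses if the destination already exists, so a
# second run in the same week cannot mix two weeks' tables, and moves the
# whole directory instead of 'mv -f *' from whatever cwd cron happens to give.
rotate_datadir() {
  live=$1; archive_root=$2; tag=$3
  dest="$archive_root/snort_archive-$tag"
  [ -d "$live" ]   || { echo "live datadir $live missing" >&2; return 1; }
  [ ! -e "$dest" ] || { echo "$dest exists, refusing to overwrite" >&2; return 1; }
  mkdir -p "$archive_root"
  mv "$live" "$dest"
  mkdir -m 700 "$live"
  # mysqld must own the new directory; only root can hand it over
  owner=${DB_OWNER:-mysql}
  if [ "$(id -u)" -eq 0 ] && id "$owner" >/dev/null 2>&1; then
    chown "$owner:$owner" "$live"
  fi
  printf '%s\n' "$dest"
}

# Tar one archived week and verify the tarball lists before reporting success.
archive_week() {
  dest=$1; tarball=$2
  [ ! -e "$tarball" ] || { echo "$tarball exists, refusing to overwrite" >&2; return 1; }
  tar -cf "$tarball" -C "$(dirname "$dest")" "$(basename "$dest")"
  tar -tf "$tarball" >/dev/null
  printf '%s\n' "$tarball"
}

# Recreate the empty schema. Credentials come from the option file, not from
# -p<password> on the command line where 'ps' and the cron environment show it.
recreate_schema() {
  mysql --defaults-extra-file="$OPTFILE" snort <"$SCHEMA"
}

# Full weekly run; only executes when invoked as: snort-rotate.sh --run
if [ "${1-}" = "--run" ]; then
  tag=$(week_tag)
  log "starting rotation for week $tag"
  # Close every open table first: moving MyISAM files under a running mysqld
  # otherwise risks a half-written archive. Snort itself should be stopped
  # (or its database output paused) for the few seconds this takes.
  mysqladmin --defaults-extra-file="$OPTFILE" flush-tables
  dest=$(rotate_datadir /var/lib/mysql/snort /var/lib/mysql/snort_archive "$tag")
  recreate_schema
  archive_week "$dest" "/var/lib/mysql/archives/snort_archive-$tag.tar"
  log "finished rotation for week $tag"
fi
```

The filesystem half (rotate_datadir, archive_week) can be exercised against a scratch directory without a database; the mysql and mysqladmin calls run only under --run, which is what the weekly cron entry would invoke.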