[Snort-users] a user experience w/ Snort, ACID & (Postgre|My) SQL

Kevin Brown Kevin.M.Brown at ...1022...
Thu Oct 4 09:45:03 EDT 2001

I created three custom (very dumb) shell scripts that are run by cron.  One
moves the tables (literally performs a mv on the directory that holds the
snort db) and then creates a new empty database with the mysql_create script
(v1.04).  A second script fires off my custom php page to get the statistics
for that week (tcp, udp, icmp, portscan and total alerts <- similar to the
graph from the top of ACID).  The third and final script takes the archive
and tars it up to a different directory for long term storage.

All three scripts are totally dumb (no error handling or correction

# Snort Move script.  Moves the database from live to archive status, then
creates the new tables.

/bin/echo "Starting move of SQL to Archive `/bin/date +%c`" >>
/etc/rc.d/init.d/mysql stop
cd /var/lib/mysql/snort
/bin/mv -f * /var/lib/mysql/snort_archive
/etc/rc.d/init.d/mysql start
sleep 60
/bin/echo "Creating Snort tables `/bin/date +%c`" >>
/usr/bin/mysql -u root -p<password> snort < /home/hellgate/bin/create_mysql
/bin/echo "Finished Snort tables `/bin/date +%c`" >>
/bin/echo "Finished move of SQL to Archive `/bin/date +%c`" >>

# Calls my custom php which borrows code from ACID to create a chart for
that weeks data

echo "Started Snortstats `/bin/date +%c`" >> /home/hellgate/bin/stats.log
cd /home/httpd/html/php/
/usr/bin/wget -T 0 -O index.html <url of web server and page>
/bin/mv -f index.html index`/bin/date +%m-%d-%y`.html
echo "<A HREF=\"index`/bin/date +%m-%d-%y`.html\">Stats for week of
`/bin/date +%m-%d-%Y`</A><BR>" >> snortstats.html
chmod 644 /home/httpd/html/php/*
echo "Finished Snortstats `/bin/date +%c`" >> /home/hellgate/bin/stats.log

# Snort Archive tars up the archive data so that it can be put into "cold
storage" unless needed.

/bin/echo "Starting archive of SQL in Snort Archive `/bin/date +%c`" >>
cd /var/lib/mysql/snort_archive
/bin/tar -cf /var/lib/mysql/archives/snort_archive-`date +%V-%Y`.tar
/bin/echo "Finished archive of SQL in Snort Archive `/bin/date +%c`" >>

> -----Original Message-----
> From: Jason Lewis [mailto:jlewis at ...2449...]
> Sent: Wednesday, October 03, 2001 09:59
> To: 'Kevin Brown'; 'Snort Users'
> Subject: RE: [Snort-users] a user experience w/ Snort, ACID &
> (Postgre|My) SQL
> How are you doing the rotation?
> <snip>
> We have since switched back to Mysql and I have the database 
> rotated out
> once a week to prevent it from growing too large.  Switching 
> back also fixed
> the timestamp issues, so I can only assume that the problem 
> is with the db
> output plugin and postgres.
> Jason Lewis
> http://www.packetnexus.com
> It's not secure "Because they told me it was secure".
> The people at the other end of the link know less
> about security than you do. And that's scary.

More information about the Snort-users mailing list