[Snort-users] manual access to ACID databases

Steve Halligan agent33 at ...187...
Wed Oct 10 07:32:11 EDT 2001


This is a tricky question.  Someone could write a script to do something
like this, but every alert has "links" in many tables.  For example, a
single admin.dll alert would have a record in the event, iphdr, tcphdr,
data, opt, and acid_event tables (maybe more, that is off the top of my
head).  The query you would have to write to completely clear all the events
that had "admin.dll" in them would have to do the following things:
1)  Query the event table for the event ids of all events with admin.dll in
them
2)  delete all records with this set of event ids from the above tables.

This is a long and expensive query no matter how you do it.

I recently was trying to deal with the same problem.  I had well over 200k
alerts in my db.  The thought of writing the sql script made my head hurt,
so this is what I did:

1)  Changed the "max_script_execution_time" in acid_conf.php to 1800.  Yes,
that is a half hour.
2)  Use lynx to run the query to get all events that you want to delete.  I
did a top 5 most frequent alerts.
3)  Check the ones you want to delete, and hit the button.
4)  Go get lunch.
5)  Don't forget to reset #1 back to a reasonable number.

I used lynx because it has no internal timeout.  All the other browsers I
tried timed out on their own well before the max script time had expired
(Netscape, IE, Konqueror).  Lynx will just happily sit there waiting for a
response forever.  Results: alerts gone, database small and happy.

-Steve
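A worked version of the two-step deletion Steve describes, added here as an example and not taken from the thread or from the ACID project. It assumes the Snort database schema in which the per-packet tables (iphdr, tcphdr, data, opt, acid_event) share the (sid, cid) key of the event table, that event.signature references signature.sig_id, and that the server supports subqueries and transactions (MySQL 4.1 or later with InnoDB, or PostgreSQL); the match string is a constructed placeholder.

```sql
-- Added example: remove every alert whose signature name contains 'admin.dll'
-- from each table that holds a piece of it, then check for "broken links".
-- Assumption: (sid, cid) is the key shared by event, iphdr, tcphdr, data,
-- opt and acid_event, and event.signature points at signature.sig_id.
-- Verify this against your own schema first (SHOW TABLES; DESCRIBE event;).

START TRANSACTION;

-- Step 1: collect the (sid, cid) pairs of the events to remove.
CREATE TEMPORARY TABLE doomed (sid INT NOT NULL, cid INT NOT NULL,
                               PRIMARY KEY (sid, cid));
INSERT INTO doomed (sid, cid)
SELECT e.sid, e.cid
  FROM event e
  JOIN signature s ON s.sig_id = e.signature
 WHERE s.sig_name LIKE '%admin.dll%';   -- constructed match string

-- Sanity check before anything is deleted: how many events will go?
SELECT COUNT(*) AS events_to_delete FROM doomed;

-- Step 2: delete the dependent rows first and the event rows last, so the
-- parent row is never gone while child rows still point at it.
DELETE FROM acid_event WHERE (sid, cid) IN (SELECT sid, cid FROM doomed);
DELETE FROM data       WHERE (sid, cid) IN (SELECT sid, cid FROM doomed);
DELETE FROM opt        WHERE (sid, cid) IN (SELECT sid, cid FROM doomed);
DELETE FROM tcphdr     WHERE (sid, cid) IN (SELECT sid, cid FROM doomed);
DELETE FROM iphdr      WHERE (sid, cid) IN (SELECT sid, cid FROM doomed);
DELETE FROM event      WHERE (sid, cid) IN (SELECT sid, cid FROM doomed);

-- Orphan check: a per-packet row with no matching event row is exactly the
-- "broken link" the original poster was worried about. Expect 0.
SELECT COUNT(*) AS orphaned_iphdr
  FROM iphdr i
  LEFT JOIN event e ON e.sid = i.sid AND e.cid = i.cid
 WHERE e.sid IS NULL;

-- Only commit once the counts above look right; otherwise ROLLBACK.
COMMIT;
DROP TEMPORARY TABLE doomed;
```

On a table with hundreds of thousands of rows this still runs for a long time, so run it from the mysql client on the server rather than through the web front end, and take a dump of the database before committing.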

-----Original Message-----
From: Jones, Benny [mailto:Ben at ...32...]
Sent: Wednesday, October 10, 2001 8:51 AM
To: 'Snort Users'
Subject: [Snort-users] manual access to ACID databases


Recent Nimda shenanigans have apparently overloaded my
ACID database with 10s of thousands (probably a few
hundred thousand) alerts that I don't want.  The initial
ACID display doesn't come up (the mysqld process simply
chugs away for over an hour).
I'd like to go into the mysql database and use SQL to 
delete the records manually, but I'm concerned that 
I'll leave the database equivalent of broken links around 
if I make a mistake. 
Has anyone else successfully dealt with something like this? 
If manual access is an option, what is the command to use to 
get rid of say, all alerts with "outgoing admin.dll" in them? 
Or, maybe I've got something misconfigured.  Any advice would 
be appreciated.  
TIA 
Benny 