[Snort-users] manual access to ACID databases

Susan Kay Coulter skc at ...440...
Wed Oct 10 08:33:14 EDT 2001


I periodically removed the Nimda alerts by using a Perl/MySQL DBI script.
If you are comfortable with Perl, it is pretty simple to download the MySQL DBI
and write a script to clear out alerts by signature, time frame, etc.  I have
found it extremely useful - and use it to archive alerts on a monthly basis.
It is much faster than using ACID, and you can start up the script when you
leave at the end of the day and let it run - or run it as a cron job during your
slowest traffic period.  (Of course, this does require becoming familiar with
the db design and knowing the relation between the tables.)


> From: "Jones, Benny" <Ben at ...32...>
> To: "'Snort  Users'" <snort-users at lists.sourceforge.net>
> Date: Wed, 10 Oct 2001 09:50:39 -0400
> Subject: [Snort-users] manual access to ACID databases
> 
> 
> Recent Nimda shenanigans have apparently overloaded my
> ACID database with tens of thousands (probably a few
> hundred thousand) alerts that I don't want.  The initial
> ACID display doesn't come up (the mysqld process simply
> chugs away for over an hour).
> 
> I'd like to go into the mysql database and use SQL to
> delete the records manually, but I'm concerned that
> I'll leave the database equivalent of broken links around
> if I make a mistake.
> 
> Has anyone else successfully dealt with something like this?
> If manual access is an option, what is the command to use to
> get rid of say, all alerts with "outgoing admin.dll" in them?
> Or, maybe I've got something misconfigured.  Any advice would
> be appreciated.
> 
> TIA
> 
> Benny
> 
>
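The following is an added example, not code from either message in this thread. It illustrates the kind of script Susan describes (select alerts by signature name and time window, archive them, delete them) and addresses Benny's worry about leaving "broken links" behind: every Snort alert is keyed by (sid, cid), and the rows in the header, payload and ACID bookkeeping tables must be removed before the parent row in `event`. It uses Python's sqlite3 with an in-memory database and constructed sample rows so it runs offline; the SQL is what a Perl/DBI script would send to MySQL. The table and column names (`event`, `signature`, `iphdr`, `tcphdr`, `udphdr`, `icmphdr`, `data`, `opt`, `acid_event`, `acid_ag_alert`) are assumed from the Snort database output plugin schema and should be checked against your own database before use; `event_archive` is a name made up for this example.

```python
"""Purge and archive Snort/ACID alerts by signature and time window.

Added example, not from this thread. Table and column names are assumed from
the Snort database output plugin schema; verify them against your own database.
"""
import sqlite3

# Tables keyed by (sid, cid) that hang off event. Fixed, trusted names only:
# they are interpolated into SQL below, so never take them from user input.
CHILD_TABLES = ("iphdr", "tcphdr", "udphdr", "icmphdr", "data", "opt", "acid_event")

SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                    PRIMARY KEY (sid, cid));
CREATE TABLE event_archive (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT);
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER);
CREATE TABLE tcphdr (sid INTEGER, cid INTEGER, tcp_sport INTEGER, tcp_dport INTEGER);
CREATE TABLE udphdr (sid INTEGER, cid INTEGER, udp_sport INTEGER, udp_dport INTEGER);
CREATE TABLE icmphdr (sid INTEGER, cid INTEGER, icmp_type INTEGER, icmp_code INTEGER);
CREATE TABLE data (sid INTEGER, cid INTEGER, data_payload TEXT);
CREATE TABLE opt (sid INTEGER, cid INTEGER, optid INTEGER, opt_data TEXT);
CREATE TABLE acid_event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT);
CREATE TABLE acid_ag_alert (ag_id INTEGER, ag_sid INTEGER, ag_cid INTEGER);
"""


def make_sample_db():
    """Constructed sample data: two signatures, four alerts, one alert group."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO signature VALUES (?, ?)", [
        (1, "WEB-IIS cmd.exe access"),
        (2, "WEB-IIS admin.dll access"),     # the Nimda-style noise
    ])
    conn.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", [
        (1, 1, 2, "2001-09-18 10:00:00"),
        (1, 2, 2, "2001-09-18 10:00:05"),
        (1, 3, 1, "2001-09-18 10:01:00"),    # different signature
        (1, 4, 2, "2001-10-10 08:00:00"),    # outside the demo window
    ])
    for sid, cid in ((1, 1), (1, 2), (1, 3), (1, 4)):
        conn.execute("INSERT INTO iphdr VALUES (?, ?, ?, ?)", (sid, cid, 0, 0))
        conn.execute("INSERT INTO tcphdr VALUES (?, ?, ?, ?)", (sid, cid, 1234, 80))
        conn.execute("INSERT INTO data VALUES (?, ?, ?)", (sid, cid, "GET /scripts/..."))
        conn.execute("INSERT INTO acid_event VALUES (?, ?, ?, ?)", (sid, cid, 2, "x"))
    conn.execute("INSERT INTO acid_ag_alert VALUES (?, ?, ?)", (7, 1, 1))
    conn.commit()
    return conn


def select_alerts(conn, sig_pattern, start, end):
    """(sid, cid) keys of alerts whose signature name matches sig_pattern
    (SQL LIKE) and whose timestamp lies in [start, end)."""
    rows = conn.execute(
        "SELECT e.sid, e.cid FROM event e JOIN signature s ON s.sig_id = e.signature "
        "WHERE s.sig_name LIKE ? AND e.timestamp >= ? AND e.timestamp < ? "
        "ORDER BY e.sid, e.cid",
        (sig_pattern, start, end))
    return [(r[0], r[1]) for r in rows]


def purge_alerts(conn, keys, archive=True):
    """Remove the given alerts, child tables first, then event. Runs in one
    transaction so a failure leaves every table untouched. Returns the number
    of event rows removed."""
    removed = 0
    with conn:  # commits on success, rolls back on any exception
        for sid, cid in keys:
            if archive:
                conn.execute("INSERT INTO event_archive SELECT * FROM event "
                             "WHERE sid = ? AND cid = ?", (sid, cid))
            for table in CHILD_TABLES:
                conn.execute(f"DELETE FROM {table} WHERE sid = ? AND cid = ?", (sid, cid))
            # ACID's alert-group membership table uses its own column names
            conn.execute("DELETE FROM acid_ag_alert WHERE ag_sid = ? AND ag_cid = ?",
                         (sid, cid))
            removed += conn.execute("DELETE FROM event WHERE sid = ? AND cid = ?",
                                    (sid, cid)).rowcount
    return removed


def orphan_count(conn):
    """Rows in child tables whose (sid, cid) no longer exists in event: the
    'broken links' to check for after any manual cleanup. Should be 0."""
    total = 0
    for table in CHILD_TABLES:
        total += conn.execute(
            f"SELECT COUNT(*) FROM {table} t LEFT JOIN event e "
            "ON e.sid = t.sid AND e.cid = t.cid WHERE e.sid IS NULL").fetchone()[0]
    total += conn.execute(
        "SELECT COUNT(*) FROM acid_ag_alert a LEFT JOIN event e "
        "ON e.sid = a.ag_sid AND e.cid = a.ag_cid WHERE e.sid IS NULL").fetchone()[0]
    return total


def run_demo():
    """Purge September 2001 admin.dll alerts from the sample database.
    Returns (removed, remaining events, archived events, orphan rows)."""
    conn = make_sample_db()
    keys = select_alerts(conn, "%admin.dll%", "2001-09-01 00:00:00", "2001-10-01 00:00:00")
    removed = purge_alerts(conn, keys)
    remaining = conn.execute("SELECT COUNT(*) FROM event").fetchone()[0]
    archived = conn.execute("SELECT COUNT(*) FROM event_archive").fetchone()[0]
    return removed, remaining, archived, orphan_count(conn)


if __name__ == "__main__":
    print(run_demo())
```

Against a real MySQL instance the same statements go through DBI with placeholders, and `orphan_count` is the check worth running once afterwards (and before, to see whether earlier manual cleanup already left strays). For hundreds of thousands of rows, batching the keys rather than committing per alert keeps the transaction log manageable, and running it in the quiet period Susan mentions avoids contending with the sensor's inserts.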