[Snort-users] manual access to ACID databases
Steve.Rudolph at ...3595...
Wed Oct 10 10:31:05 EDT 2001
Would you care to share your Perl script for archiving?
I am new to SQL - so it would take me a couple of weeks to figure out how
to code this, I'm sure.
I already archive through the ACID interface and it is woefully slow. I
seem to be getting about 10000 alerts a day - SNORT is on the external side
of the FW looking at the Internet traffic, and it seems like once it gets
over 10000 it slows down considerably.
Does anyone have a script to extract all entries for a particular IP
address from a MySQL database? I would like to stop logging to the
snort.log file too, as this probably adds some load and gets erased every
time I stop and start snort after a config change. I hate logging the same
thing to 3 places, 2 is bad enough.
Steve Rudolph CCSA, CCSE
J. Walter Thompson
World Wide IT
From: Susan Kay Coulter <skc at ...440...>
Sent by: snort-users-admin at ...635...
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] manual access to ACID databases
Date: 10/10/2001 11:27 AM
Please respond to skc
I periodically removed the nimda alerts by using a Perl/mysql dbi script.
If you are comfortable with perl, it is pretty simple to download the mysql
and write a script to clear out alerts by signature, time frame, etc. I
found it extremely useful - and use it to archive alerts on a monthly
It is much faster than using ACID, and you can start up the script when you
leave at the end of the day and let it run - or run it as a cronjob during
the slowest traffic period. (Of course this does require becoming familiar
with the db design and knowing the relation between the tables.)
> From: "Jones, Benny" <Ben at ...32...>
> To: "'Snort Users'" <snort-users at lists.sourceforge.net>
> Date: Wed, 10 Oct 2001 09:50:39 -0400
> Subject: [Snort-users] manual access to ACID databases
> recent nimda shenanigans have apparently overloaded my
> ACID database with 10s of thousands (probably a few
> hundred thousand) alerts that I don't want. The initial
> ACID display doesn't come up (the mysqld process simply
> chugs away for over an hour).
> I'd like to go into the mysql database and use SQL to
> delete the records manually, but I'm concerned that
> I'll leave the database equivalent of broken links around
> if I make a mistake.
> Has anyone else successfully dealt with something like this?
> If manual access is an option, what is the command to use to
> get rid of say, all alerts with "outgoing admin.dll" in them?
> Or, maybe I've got something misconfigured. Any advice would
> be appreciated.