[Snort-users] manual access to ACID databases

Steve.Rudolph at ...3595...
Wed Oct 10 10:31:05 EDT 2001


Susan,
Would you care to share your Perl script for archiving?
I am new to SQL - so it would take me a couple of weeks to figure out how
to code this, I'm sure.
I already archive through the ACID interface and it is woefully slow.  I
seem to be getting about 10000 alerts a day - SNORT is on the external side
of the FW looking at the Internet traffic, and it seems like once it gets
over 10000 it slows down considerably.

Does anyone have a script to extract all entries for a particular IP
address from a MySQL database?  I would like to stop logging to the
snort.log file too, as this probably adds some load and gets erased every
time I stop and start snort after a config change.  I hate logging the same
thing to 3 places, 2 is bad enough.

Steve Rudolph CCSA, CCSE
J. Walter Thompson
World Wide IT


From: Susan Kay Coulter <skc at ...440...>
Sent by: snort-users-admin at ...635...eforge.net
To: snort-users at lists.sourceforge.net
cc:
Subject: Re: [Snort-users] manual access to ACID databases
Date: 10/10/2001 11:27 AM
Please respond to skc

I periodically removed the nimda alerts by using a Perl/mysql dbi script.
If you are comfortable with perl, it is pretty simple to download the mysql
dbi and write a script to clear out alerts by signature, time frame, etc.  I
have found it extremely useful - and use it to archive alerts on a monthly
basis.

It is much faster than using ACID, and you can start up the script when you
leave at the end of the day and let it run - or run it as a cronjob during
your slowest traffic period.  ( Of course this does require becoming familiar
with the db design and knowing the relation between the tables.)


> From: "Jones, Benny" <Ben at ...32...>
> To: "'Snort  Users'" <snort-users at lists.sourceforge.net>
> Date: Wed, 10 Oct 2001 09:50:39 -0400
> Subject: [Snort-users] manual access to ACID databases
>
> recent nimda shenanigans have apparently overloaded my
> ACID database with 10s of thousands (probably a few
> hundred thousand) alerts that I don't want.  The initial
> ACID display doesn't come up (the mysqld process simply
> chugs away for over an hour).
>
> I'd like to go into the mysql database and use SQL to
> delete the records manually, but I'm concerned that
> I'll leave the database equivalent of broken links around
> if I make a mistake.
>
> Has anyone else successfully dealt with something like this?
> If manual access is an option, what is the command to use to
> get rid of say, all alerts with "outgoing admin.dll" in them?
> Or, maybe I've got something misconfigured.  Any advice would
> be appreciated.
>
> TIA
>
> Benny

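The approach Susan describes (a script that selects the alerts to drop and then removes them table by table) is also the answer to Benny's worry about leaving "broken links" behind: the snort/ACID tables have no foreign keys, so a DELETE on event alone strands the matching iphdr/tcphdr/data rows. The following is an added example, not code from either poster; it uses an in-memory SQLite stand-in for a reduced subset of the real schema (table and column names as in the snort MySQL schema, but only iphdr, tcphdr and data as child tables, and the rows are constructed sample data) and sticks to single-table statements so the same SQL runs on the MySQL 3.23 of the era, which has no subqueries.

```python
import sqlite3

# Child tables keyed on (sid, cid). Assumption: a reduced subset; a real
# install also has udphdr, icmphdr, opt and ACID's own tables.
CHILD_TABLES = ["iphdr", "tcphdr", "data"]

def build_sample_db():
    """Constructed in-memory stand-in for the snort/ACID MySQL tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT);
        CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER,
                            timestamp TEXT, PRIMARY KEY (sid, cid));
        CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER);
        CREATE TABLE tcphdr (sid INTEGER, cid INTEGER, tcp_sport INTEGER, tcp_dport INTEGER);
        CREATE TABLE data (sid INTEGER, cid INTEGER, data_payload TEXT);
        INSERT INTO signature VALUES (1, 'WEB-IIS cmd.exe access'), (2, 'outgoing admin.dll');
        INSERT INTO event VALUES (1, 1, 1, '2001-10-10 09:00:00'),
                                 (1, 2, 2, '2001-10-10 09:00:01'),
                                 (1, 3, 2, '2001-10-10 09:00:02');
        INSERT INTO iphdr VALUES (1, 1, 167772161, 167772162), (1, 2, 167772161, 167772163),
                                 (1, 3, 167772161, 167772164);
        INSERT INTO tcphdr VALUES (1, 1, 1025, 80), (1, 2, 1026, 80), (1, 3, 1027, 80);
        INSERT INTO data VALUES (1, 2, '474554202f61646d696e2e646c6c'), (1, 3, '474554');
    """)
    return db

def delete_alerts_by_signature(db, pattern, batch=500):
    """Delete every event whose signature name contains pattern, together with
    its rows in CHILD_TABLES, in batches of (sid, cid) keys. Returns the count."""
    cur = db.cursor()
    keys = cur.execute(
        "SELECT e.sid, e.cid FROM event e, signature s "
        "WHERE e.signature = s.sig_id AND s.sig_name LIKE ?", ("%" + pattern + "%",)
    ).fetchall()
    for i in range(0, len(keys), batch):
        chunk = keys[i:i + batch]
        for table in CHILD_TABLES + ["event"]:      # children first, parent last
            cur.executemany("DELETE FROM %s WHERE sid = ? AND cid = ?" % table, chunk)
        db.commit()                                   # keeps each batch's locks short
    return len(keys)

def orphan_counts(db):
    """Child rows with no parent event: the 'broken links' to check for afterwards."""
    return {t: db.execute(
        "SELECT COUNT(*) FROM %s c LEFT JOIN event e ON c.sid = e.sid AND c.cid = e.cid "
        "WHERE e.sid IS NULL" % t).fetchone()[0] for t in CHILD_TABLES}
```

Run it as a cron job in the quiet period as Susan suggests, and check orphan_counts() (or the equivalent LEFT JOIN on the real tables) before and after a cleanup.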
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users