[Snort-users] manual access to ACID databases

Susan Kay Coulter skc at ...440...
Wed Oct 10 14:11:11 EDT 2001


Here are 3 scripts.  archive.pl will archive the entire database (support
tables and all) for a given timeframe.  By 'archive' I mean it dumps the data
to flat files that can then be imported into another database.  load.pl loads
the data from the files created in archive.pl into a database I call snortarc.
It is set up identically to snort -- but is not accessed via ACID.  It is for
historical (hysterical?) reporting purposes.  clear.pl clears the events
for that timeframe from the snort database.  All this could be done in one
script - but I prefer to be able to check things out between runs.

The archive script requires you to create a user in mysql that has FILE
privileges.  After creating a user with FILE (and the other appropriate)
privileges you may need to run the command FLUSH PRIVILEGES to force mysql to
reload its privileges info.  Have fun !!


> Subject: Re: [Snort-users] manual access to ACID databases
> To: snort-users at lists.sourceforge.net
> From: Steve.Rudolph at ...3595...
> Date: Wed, 10 Oct 2001 13:24:38 -0400
> 
> 
> Susan,
> Would you care to share your Perl script for archiving?
> I am new to SQL - so it would take me a couple of weeks to figure out how
> to code this, I'm sure.
> I already archive through the ACID interface and it is woefully slow.  I
> seem to be getting about 10000 alerts a day - SNORT is on the external side
> of the FW looking at the Internet traffic, and it seems like once it gets
> over 10000 it slows down considerably.
> 
> Does anyone have a script to extract all entries for a particular IP
> address from a MySQL database?  I would like to stop logging to the
> snort.log file too, as this probably adds some load and gets erased every
> time I stop and start snort after a config change.  I hate logging the same
> thing to 3 places, 2 is bad enough.
> 
> Steve Rudolph CCSA, CCSE
> J. Walter Thompson
> World Wide IT

-- 
Susan Coulter
Network Security Team
CCN-5 Network Engineering
Los Alamos National Laboratory
voice: (505) 667-8425
fax:   (505) 665-7793
-------------- next part --------------
A non-text attachment was scrubbed...
Name: archive.pl
Type: application/x-perl
Size: 4640 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20011010/6634c87d/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: clear.pl
Type: application/x-perl
Size: 1354 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20011010/6634c87d/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: load.pl
Type: application/x-perl
Size: 895 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20011010/6634c87d/attachment-0002.bin>
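The archive / load / clear procedure described in the message above, as an added SQL example that is not Susan's archive.pl, load.pl or clear.pl. It assumes the Snort MySQL schema (event plus the iphdr, tcphdr, udphdr, icmphdr, data and opt tables keyed on sid,cid), an archive database named snortarc with identical tables, MySQL 4.0 or later for the multi-table DELETE, and assumed timeframe values and output paths.

```sql
-- Added example, not the scripts attached to the original post.
-- Assumed: Snort schema with child tables keyed on (sid, cid), an
-- identical schema in database snortarc, and the paths/timeframe below.
-- SELECT ... INTO OUTFILE needs the FILE privilege, which lets that
-- account read/write any file mysqld can reach: grant it only to a
-- dedicated archive user and nothing else.
SET @t0 = '2001-09-01 00:00:00';   -- assumed timeframe start (inclusive)
SET @t1 = '2001-10-01 00:00:00';   -- assumed timeframe end (exclusive)

-- Step 1 (archive): dump the timeframe to flat files on the mysqld host.
-- Child tables carry no timestamp, so they are selected through the
-- (sid, cid) of the events in range.
SELECT * FROM event
  WHERE timestamp >= @t0 AND timestamp < @t1
  INTO OUTFILE '/var/lib/mysql-archive/event.txt';

SELECT i.* FROM iphdr i
  JOIN event e ON e.sid = i.sid AND e.cid = i.cid
  WHERE e.timestamp >= @t0 AND e.timestamp < @t1
  INTO OUTFILE '/var/lib/mysql-archive/iphdr.txt';
-- Repeat the same join for tcphdr, udphdr, icmphdr, data and opt.

-- Step 2 (load): import the files into the archive database.
LOAD DATA INFILE '/var/lib/mysql-archive/event.txt' INTO TABLE snortarc.event;
LOAD DATA INFILE '/var/lib/mysql-archive/iphdr.txt' INTO TABLE snortarc.iphdr;
-- Repeat for the remaining child-table files.

-- "Check things out between runs": the two counts must match before
-- anything is cleared from the live database.
SELECT COUNT(*) AS live_events FROM event
  WHERE timestamp >= @t0 AND timestamp < @t1;
SELECT COUNT(*) AS archived_events FROM snortarc.event
  WHERE timestamp >= @t0 AND timestamp < @t1;

-- Step 3 (clear): remove child rows first, then the events themselves.
-- Multi-table DELETE is MySQL 4.0+; on older servers delete each
-- (sid, cid) pair from the calling script instead.
DELETE i FROM iphdr i
  JOIN event e ON e.sid = i.sid AND e.cid = i.cid
  WHERE e.timestamp >= @t0 AND e.timestamp < @t1;
-- Repeat for tcphdr, udphdr, icmphdr, data and opt, then:
DELETE FROM event
  WHERE timestamp >= @t0 AND timestamp < @t1;
```

Running the three steps as separate sessions, as the post suggests, keeps the count check meaningful; the files under the assumed path can be dropped once the load has been verified.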