[Snort-users] data table full in MYSQL

Reeves, Michael (GEAE, Compaq) michael.reeves at ...3457...
Tue Oct 16 11:37:24 EDT 2001


Roman,

I have used acid for all deletion. (nothing manual) 

Is ACID supposed to yank the data portion of the packet when you delete?



Mike



-----Original Message-----
From: Roman Danyliw
To: Reeves, Michael (GEAE, Compaq)
Cc: 'snort-users at lists.sourceforge.net'
Sent: 10/16/2001 1:54 PM
Subject: Re: [Snort-users] data table full in MYSQL

Mike,

A couple of clarifications:

- If you deleted events from the database manually, make sure to delete
the corresponding information from all tables (i.e. event, iphdr,
tcphdr/icmphdr/udphdr, data, opt).  Otherwise, the database will be left
in an inconsistent state.

- the event cache does not store any data on the packet payload

Assuming you have deleted a number of alerts from the database without
using ACID, the cache will need to be rebuilt.  Issue the following
command from the mysql command line:

mysql> DELETE FROM acid_event;

This command will delete the entire cache.  To recreate it, use the
maintenance page or simply enable auto-updating of the event cache.

Roman

On Tue, 16 Oct 2001, Reeves, Michael (GEAE, Compaq) wrote:

> Ok,
>
>
>       database: mysql_error: The table 'data' is full
>
> my data.MYD is 4.2 gigs :) I killed a bunch of events from the acid dbase
> but no dice. It looks like it is pulling them into cache but not deleting
> them from the data.myd directory. The user has full rights over the dbase.
> Also when I go into cache and status it says there are 300,000+ alerts but
> only 56000 cached events. I update the alert cache and it says 0 alerts
> added. I am not sure of how the process works. Should I wipe the DB and
> start over?
>
> Mike




