[Snort-users] data table full in MYSQL
Reeves, Michael (GEAE, Compaq)
michael.reeves at ...3457...
Tue Oct 16 11:37:24 EDT 2001
I have used ACID for all deletion. (nothing manual)
Is ACID supposed to yank the data portion of the packet when you delete?
From: Roman Danyliw
To: Reeves, Michael (GEAE, Compaq)
Cc: 'snort-users at lists.sourceforge.net'
Sent: 10/16/2001 1:54 PM
Subject: Re: [Snort-users] data table full in MYSQL
A couple of clarifications:
- If you deleted events from the database manually, make sure to delete
the corresponding information from all tables (i.e. event, iphdr,
tcphdr/icmphdr/udphdr, data, opt). Otherwise, the database will be left
in an inconsistent state.
- the event cache does not store any data on the packet payload
Assuming you have deleted a number of alerts from the database without
using ACID, the cache will need to be rebuilt. Issue the following
command from the mysql command line:
mysql> DELETE FROM acid_event;
This command will delete the entire cache. To recreate it, use the
maintenance page or simply enable auto-updating of the event cache.
On Tue, 16 Oct 2001, Reeves, Michael (GEAE, Compaq) wrote:
> database: mysql_error: The table 'data' is full
> my data.MYD is 4.2 gigs :) I killed a bunch of events from the acid
> but no dice. It looks like it is pulling them into cache but not
> them from the data.myd directory. The user has full rights over the
> Also when I go into cache and status it says there are 300,000+ alerts
> only 56000 cached events. I update the alert cache and it says 0
> added. I am not sure of how the process works. Should I wipe the DB
> start over?
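
An added example, not part of the original thread: a consistency check for the case Roman describes, where events are deleted from the event table but their rows remain in the other tables. It uses an in-memory SQLite database as a stand-in for MySQL and assumes every per-event table is keyed by (sid, cid); the sample rows are constructed.

```python
import sqlite3

# Per-event tables named in the reply; (sid, cid) keying is an assumption
# based on the standard Snort database schema.
DETAIL_TABLES = ("iphdr", "tcphdr", "udphdr", "icmphdr", "data", "opt")

def build_sample_db():
    """Constructed sample: events 1-5 logged, then 4 and 5 deleted from event only."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE event (sid INT, cid INT, PRIMARY KEY (sid, cid))")
    for table in DETAIL_TABLES:
        db.execute(f"CREATE TABLE {table} (sid INT, cid INT)")
    for cid in range(1, 6):
        db.execute("INSERT INTO event VALUES (1, ?)", (cid,))
        for table in ("iphdr", "tcphdr", "data"):
            db.execute(f"INSERT INTO {table} VALUES (1, ?)", (cid,))
    db.execute("DELETE FROM event WHERE cid >= 4")  # the partial manual delete
    return db

def count_orphans(db):
    """Rows per detail table whose (sid, cid) has no row left in event."""
    counts = {}
    for table in DETAIL_TABLES:
        (n,) = db.execute(
            f"SELECT COUNT(*) FROM {table} t LEFT JOIN event e "
            "ON e.sid = t.sid AND e.cid = t.cid WHERE e.cid IS NULL").fetchone()
        counts[table] = n
    return counts

def purge_orphans(db):
    """Delete the orphaned rows in one transaction; return rows removed."""
    removed = 0
    with db:  # commits on success, rolls back on error
        for table in DETAIL_TABLES:
            cur = db.execute(
                f"DELETE FROM {table} WHERE NOT EXISTS (SELECT 1 FROM event e "
                f"WHERE e.sid = {table}.sid AND e.cid = {table}.cid)")
            removed += cur.rowcount
    return removed

if __name__ == "__main__":
    db = build_sample_db()
    print("orphans before:", count_orphans(db))
    print("rows removed:", purge_orphans(db))
    print("orphans after:", count_orphans(db))
```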