[Snort-users] Snorting ACID and DB maintenance
rdesmond at ...6547...
Mon Aug 26 08:32:43 EDT 2002
At 09:21 AM 8/23/02 -0600, you wrote:
>I have ACID installed and lo and behold, less than a day and 1000 events
>in both 'event' and 'acid_event' tables.
Plain vanilla IDS installs are not to be used. I'm new at this too so I
freaked, then realized that an untuned ruleset is my own worst enemy. Read
some papers. Take some advice. Tune your rules. Then consider a
>By my modest predictions, this will be a !#@$&! of data toot sweet.
Yes. Yes it will.
>Other than going into ACID and manually selecting false positives and
>deleting them, are there other thoughts on how to keep from choking on
>the DB size?
1- Don't underestimate the power of deleting false positives while you're
still tuning the rules.
2- Make sure the disk-slice/partition you are mounting /var/db on is large.
>Not sure if this is an ACID question or a MYSQL question. Probably more
>MYSQL, although I know even less about MYSQL than I do about ACID after
>a whole day of experimentation.
>1) can I limit the size of the MYSQL database?
Don't know myself. Probably.
>2) Can I do something as bone simple as 'delete from (event, acid_event)
>where timestamp < "some timestamp";'?
Yes. Yes you can. That is a valid SQL query, but you may want to check out
the database schema documentation on snort.org before you go deleting
records to make sure you are getting what you want.
>Any ideas or good general practices out there?
I discovered early on that in my FBSD 4.4 installation, I couldn't rely on
the default slice values. They assume that /usr is going to be large
(since it would on a system where you might install a lot of programs). I
had to do some calculations and experimentation on the minimum /usr size I
could get away with for installing only snort and mysql, while leaving the
rest of the drive for /var. I've managed to handle quite a number of
alerts on a 3-gig drive.
UCSB Extended Learning Services
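Worked example of the timestamp-based pruning discussed above, added here and not part of the original thread: rather than deleting from 'event' alone, it removes the matching per-packet rows first so nothing is orphaned. It assumes the stock Snort MySQL schema (event, iphdr, tcphdr, udphdr, icmphdr, opt, data keyed by sid, cid) plus ACID's acid_event table, a MySQL version with multi-table DELETE, and a constructed cutoff date; compare against your own schema before running.

```sql
-- Constructed example (not from the thread): prune Snort/ACID alerts
-- older than a cutoff without leaving orphaned packet-detail rows.
-- Assumes the stock Snort schema plus acid_event; the cutoff date is a
-- placeholder. Check the schema docs on snort.org before running.

-- 1. Record which (sid, cid) pairs fall outside the retention window.
CREATE TEMPORARY TABLE prune_list (
    sid INT UNSIGNED NOT NULL,
    cid INT UNSIGNED NOT NULL,
    PRIMARY KEY (sid, cid)
);
INSERT INTO prune_list (sid, cid)
    SELECT sid, cid FROM event
    WHERE timestamp < '2002-07-01 00:00:00';

-- 2. Sanity check before deleting anything: how many events go, and
--    what is the oldest event that will remain?
SELECT COUNT(*) AS to_delete FROM prune_list;
SELECT MIN(timestamp) AS oldest_kept FROM event
    WHERE timestamp >= '2002-07-01 00:00:00';

-- 3. Delete the per-packet detail rows first, since they hang off
--    (sid, cid) and would otherwise be left behind with no event.
DELETE d FROM data d
    JOIN prune_list p ON d.sid = p.sid AND d.cid = p.cid;
DELETE o FROM opt o
    JOIN prune_list p ON o.sid = p.sid AND o.cid = p.cid;
DELETE t FROM tcphdr t
    JOIN prune_list p ON t.sid = p.sid AND t.cid = p.cid;
DELETE u FROM udphdr u
    JOIN prune_list p ON u.sid = p.sid AND u.cid = p.cid;
DELETE i FROM icmphdr i
    JOIN prune_list p ON i.sid = p.sid AND i.cid = p.cid;
DELETE h FROM iphdr h
    JOIN prune_list p ON h.sid = p.sid AND h.cid = p.cid;

-- 4. Finally remove ACID's cached copy and the events themselves.
--    (If ACID alert groups are in use, their link table needs the
--    same treatment.)
DELETE a FROM acid_event a
    JOIN prune_list p ON a.sid = p.sid AND a.cid = p.cid;
DELETE e FROM event e
    JOIN prune_list p ON e.sid = p.sid AND e.cid = p.cid;

DROP TEMPORARY TABLE prune_list;
```

Run the two SELECTs on their own first and only proceed with the DELETEs once the counts look right; with MyISAM tables there is no transaction to roll back.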