[Snort-users] Snorting ACID and DB maintenance

Robby rdesmond at ...6547...
Mon Aug 26 08:32:43 EDT 2002


At 09:21 AM 8/23/02 -0600, you wrote:
>Hey Now,
>I have ACID installed and lo and behold, less than a day and 1000 events
>in both 'event' and 'acid_event' tables.

Plain vanilla IDS installs are not to be used. I'm new at this too so I 
freaked, then realized that an untuned ruleset is my own worst enemy. Read 
some papers. Take some advice.  Tune your rules.  Then consider a 
production use.

>By my modest predictions, this will be a !#@$&! of data toot sweet.

Yes. Yes it will.

>Other than going into ACID and manually selecting false positives and
>deleting them, are there other thoughts on how to keep from choking on
>the DB size?

1- Don't underestimate the power of deleting false positives while you're 
still tuning the rules.

2- Make sure the disk-slice/partition you are mounting /var/db on is large.

>Not sure if this an ACID question or a MYSQL question. Probably more
>MYSQL, although I know even less about MYSQL than I do about ACID after
>a whole day of experimentation.
>
>Such as,
>
>1) can I limit the size of the MYSQL database?

Don't know myself. Probably.

>2) Can I do something as bone simple as 'delete from (event, acid_event)
>where timestamp < "some timestamp";'?

Yes. Yes you can. That is a valid SQL query, but you may want to check out 
the database schema documentation on snort.org before you go deleting 
records to make sure you are getting what you want.

>Any ideas or good general practices out there?

I discovered early on that in my FBSD 4.4 installation, I couldn't rely on 
the default slice values.  They assume that /usr is going to be large 
(since it would on a system where you might install a lot of programs).  I 
had to do some calculations and experimentation on the minimum /usr size I 
could get away with for installing only snort and mysql, while leaving the 
rest of the drive for /var.  I've managed to handle quite a number of 
alerts on a 3-gig drive.
-Robby


Robert Desmond
Systems Administrator
UCSB Extended Learning Services
805-893-4906





More information about the Snort-users mailing list