[Snort-users] Snort, Mysql purging

Frank Knobbe frank at ...9761...
Wed Dec 10 18:44:02 EST 2003


On Wed, 2003-12-10 at 17:36, Josh Berry wrote:
> I HIGHLY suggest NOT deleting the information.  I suggest having a
> secondary archive db that you move stuff like Welchia to when you think
> you don't need it anymore.

I guess that all depends on your or your company's policy. You can dump
certain data. I routinely dump the contents of the DATA table for
certain signatures after a period of time. I don't see a reason to keep
the same exact content for, say, the SQL-Slammer in the DB. Other
content (IPHDR and friends) is archived. But certain ballast is dumped.

You need to consider the usefulness of the data. Will you ever go back
to data from IPHDR for an event that occurred a year ago?

Perhaps this thread can evolve into a DB/data retention policy thread.
To yell categorically "yes" or "no" is wrong. The correct answer is
"depends" :)

Cheers,
Frank
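
The selective purge described in the message above, as an added example that is not code from the post or from the Snort project: payload rows in DATA are dropped for chosen signatures after a per-signature retention period, while EVENT and IPHDR rows stay. It assumes a reduced form of the Snort database tables, uses SQLite in place of MySQL so it runs offline, and the function name, signature names and sample rows are constructed.

```python
import sqlite3
from datetime import datetime, timedelta

# Assumption: reduced Snort DB tables, only the columns this example needs.
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT);
CREATE TABLE event (sid INT, cid INT, signature INT, timestamp TEXT, PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (sid INT, cid INT, ip_src INT, ip_dst INT, PRIMARY KEY (sid, cid));
CREATE TABLE data  (sid INT, cid INT, data_payload TEXT, PRIMARY KEY (sid, cid));
"""

def purge_payloads(db, retention_days, now):
    """Delete DATA rows for the listed signatures once the event is older than
    that signature's retention period; EVENT and IPHDR are left untouched."""
    removed = 0
    with db:  # single transaction: every rule is applied or none is
        for sig_name, days in retention_days.items():
            # ISO-formatted timestamps compare correctly as text
            cutoff = (now - timedelta(days=days)).strftime("%Y-%m-%d %H:%M:%S")
            cur = db.execute(
                """DELETE FROM data WHERE EXISTS (
                       SELECT 1 FROM event e JOIN signature s ON s.sig_id = e.signature
                       WHERE e.sid = data.sid AND e.cid = data.cid
                         AND s.sig_name = ? AND e.timestamp < ?)""",
                (sig_name, cutoff))
            removed += cur.rowcount
    return removed

def demo():
    """Build a constructed sample database and run one purge pass."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO signature VALUES (?, ?)",
                   [(1, "sample worm signature"), (2, "sample web signature")])
    rows = [  # constructed events: (cid, signature, timestamp)
        (1, 1, "2003-10-01 00:00:00"),  # old worm hit: payload purged
        (2, 1, "2003-12-09 00:00:00"),  # recent worm hit: payload kept
        (3, 2, "2003-01-01 00:00:00"),  # old, but no purge rule: payload kept
    ]
    for cid, sig, ts in rows:
        db.execute("INSERT INTO event VALUES (1, ?, ?, ?)", (cid, sig, ts))
        db.execute("INSERT INTO iphdr VALUES (1, ?, 167772161, 167772162)", (cid,))
        db.execute("INSERT INTO data VALUES (1, ?, '04010101')", (cid,))
    removed = purge_payloads(db, {"sample worm signature": 30}, datetime(2003, 12, 10))
    count = lambda t: db.execute(f"SELECT COUNT(*) FROM {t}").fetchone()[0]
    return removed, count("data"), count("iphdr"), count("event")

if __name__ == "__main__":
    print(demo())
```

Signatures absent from the retention map are never purged, so a new rule has to be added deliberately before any of its payloads are dropped.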
