[Snort-users] Acid database lost events, help!!!

Tinsley Paul Paul.Tinsley at ...9244...
Wed May 21 08:59:58 EDT 2003


This should tell you how many events you have in your database:

mysql -usnort_user -psnort_password snort_database -e "select count(*) from event"

If the number isn't what you want to see then you are probably missing your
events :(

-----Original Message-----
From: Brei, Matt [mailto:mbrei at ...8727...]
Sent: Wednesday, May 21, 2003 10:35 AM
To: Tinsley Paul; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Acid database lost events, help!!!


So my alerts are gone?  If I run optimize table it looks like it will
just reclaim that space.

Matt Brei


-----Original Message-----
From: Tinsley Paul [mailto:Paul.Tinsley at ...9244...] 
Sent: Wednesday, May 21, 2003 11:25 AM
To: Brei, Matt; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Acid database lost events, help!!!

Looking at the size of the database isn't a good telling sign of how much
data you have in a MySQL database.  When records are deleted the space is
not reclaimed unless you specifically reclaim it.  From MySQL docs: "Deleted
records are maintained in a linked list and subsequent INSERT operations
reuse old record positions."

See http://www.mysql.com/doc/en/OPTIMIZE_TABLE.html for more information on
the subject.

One thing that you have to be careful with in reference to ACID is the
timeout you have set for PHP.  If it's in the middle of an operation and PHP
decides the task has been running too long, it will give your process the
axe.  If the code isn't written with that in mind it could easily corrupt
your data :(

-----Original Message-----
From: Brei, Matt [mailto:mbrei at ...8727...]
Sent: Wednesday, May 21, 2003 9:46 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Acid database lost events, help!!!


I have been running snort for about 4 months.  The Snort db had about 12000
alerts and the archive db had about 19000.  I moved all of the alerts from
April to the archive db, ACID said it successfully moved 8000 alerts, which
SHOULD leave me with about 4000 in the main db and 27000 in the archive db.
The archive db only has about 20000 and the main db is now empty.  The
strange thing is, in the mysql db directory, none of the main Snort db file
sizes got any smaller and the archive files grew in size.  What happened to
the alerts?

Snort 1.9.1 on Redhat 7.2 alerts to
ACID v0.9.6b23, MySQL 3.23.56, Apache 2.0.45 on RedHat 8

Matt Brei
