[Snort-users] Acid database lost events, help!!!

Brei, Matt mbrei at ...8727...
Wed May 21 09:17:12 EDT 2003

So my alerts are gone?  If I run optimize table it looks like it will
just reclaim that space.

Matt Brei

-----Original Message-----
From: Tinsley Paul [mailto:Paul.Tinsley at ...9244...] 
Sent: Wednesday, May 21, 2003 11:25 AM
To: Brei, Matt; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Acid database lost events, help!!!

Looking at the size of the database isn't a good telling sign of how
much data you have in a MySQL database.  When records are deleted the
space is not reclaimed unless you specifically reclaim it.  From MySQL
docs: "records are maintained in a linked list and subsequent INSERT
operations reuse old record positions."

See http://www.mysql.com/doc/en/OPTIMIZE_TABLE.html for more information
on the subject.

One thing that you have to be careful with in reference to ACID is the
timeout you have set for PHP.  If it's in the middle of an operation and
decides the task has been running too long, it will give your process
the axe.  If the code isn't written with that in mind it could easily
lose your data :(

-----Original Message-----
From: Brei, Matt [mailto:mbrei at ...8727...]
Sent: Wednesday, May 21, 2003 9:46 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Acid database lost events, help!!!

I have been running snort for about 4 months.  The Snort db had about
alerts and the archive db had about 19000.  I moved all of the alerts
from April to the archive db, ACID said it successfully moved 8000
alerts, which SHOULD leave me with about 4000 in the main db and 27000
in the archive db.  The archive db only has about 20000 and the main db
is now empty.  The strange thing is, in the mysql db directory, none of
the main Snort db sizes got any smaller and the archive files grew in
size.  What happened to the alerts?

Snort 1.9.1 on Redhat 7.2 alerts to
ACID v0.9.6b23, MySQL 3.23.56, Apache 2.0.45 on RedHat 8

Matt Brei
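Added example, not code from the thread or from ACID: the copy, verify, then delete pattern that Paul's timeout warning calls for, with a simulated mid-operation kill to show that an interrupted move leaves duplicates rather than lost alerts and that a rerun cleans up. The event table columns and the use of sqlite3 in place of MySQL 3.23 are assumptions made so it runs offline.

```python
import sqlite3
# Constructed stand-in for the Snort "event" table; sqlite3 replaces MySQL
# here only so the example runs offline, the pattern is engine-independent.
SCHEMA = ("CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER,"
          " timestamp TEXT, PRIMARY KEY (sid, cid))")

def make_db(rows):
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", rows)
    db.commit()
    return db

def count(db):
    return db.execute("SELECT COUNT(*) FROM event").fetchone()[0]

def archive_events(main, archive, before, batch=3, abort_after=None):
    """Move events with timestamp < before from main into archive.
    Copy and commit a batch first, then delete from main only rows confirmed
    present in archive. abort_after simulates the PHP timeout killing the
    script between those steps: worst case is a duplicate, never a lost
    alert, and a rerun is safe (INSERT OR IGNORE on the primary key).
    """
    moved = 0
    while True:
        rows = main.execute("SELECT sid, cid, signature, timestamp FROM event"
                            " WHERE timestamp < ? LIMIT ?", (before, batch)).fetchall()
        if not rows:
            return moved
        archive.executemany("INSERT OR IGNORE INTO event VALUES (?, ?, ?, ?)", rows)
        archive.commit()
        if abort_after is not None and moved >= abort_after:
            return moved  # simulated timeout: copied, but the delete never ran
        for sid, cid, _, _ in rows:
            if archive.execute("SELECT 1 FROM event WHERE sid=? AND cid=?",
                               (sid, cid)).fetchone():
                main.execute("DELETE FROM event WHERE sid=? AND cid=?", (sid, cid))
        main.commit()
        moved += len(rows)

def demo():
    """Constructed sample: 8 April alerts plus 1 May alert in the main db."""
    main = make_db([(1, i, 100, "2003-04-%02d" % i) for i in range(1, 9)]
                   + [(1, 9, 100, "2003-05-01")])
    archive = make_db([])
    first = archive_events(main, archive, "2003-05-01", abort_after=3)
    interrupted = (count(main), count(archive))
    second = archive_events(main, archive, "2003-05-01")
    return first, interrupted, second, (count(main), count(archive))
```

After the interrupted run the totals add up to more than the 9 sample rows because three alerts exist in both databases; the second run removes the duplicates from main and finishes the move.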
