[Snort-users] Many Events in new SNORT box

sekure sekure at ...11827...
Thu Aug 12 06:31:01 EDT 2004


I hate when that happens...  This is why whenever I set up a new
sensor, I run it for about a week or so logging to text, pcap and
unified files, without processing those unified files into the
database. (For the purists, I know I can just log to unified and then
process those into pcap and alert files, it's just easier for me this
way.) That gives me a chance to tweak the rulebase without flooding my
database with millions of events.  At the end of the week I can
post-process the unified files into the database if they are fine, or
just delete them.

Anyway, a few times I had to delete around 500K events from my
database, and here is the script I came up with.  I am warning you,
it's not the best way to do things, since I am deleting each event
individually, but I found that this way it doesn't lock the database
and I can still log events while this script is running.

Basically, every event in the database is identified by a combination
of sensor_id (sid) and event_id (cid).  See where it says "select sid,
cid from YOUR QUERY HERE" in the script?  Replace the "YOUR QUERY
HERE" with the query that returns the events that you want to delete. 
MAKE SURE TO TEST IT FIRST to make sure it only returns the events you
want deleted.

#!/bin/php -q
<?php
// Deletes the events returned by the SELECT below one (sid, cid) pair at a
// time, so no single statement holds the tables for long and the sensor can
// keep logging while this runs.  Uses the PHP 4/5 ext/mysql API (removed in
// PHP 7).
$db_server = 'localhost';
$db_user   = 'user';
$db_pwd    = 'password';
$db_name   = 'database';

// Child tables first, then the parent "event" row; all are keyed on (sid, cid).
$tables = array('data', 'iphdr', 'tcphdr', 'udphdr', 'icmphdr', 'event');

$db_link = @mysql_connect($db_server, $db_user, $db_pwd)
    or exit('Could not connect: ' . mysql_error());
@mysql_select_db($db_name, $db_link)
    or exit('Could not select database: ' . mysql_error());

// Replace "YOUR QUERY HERE" with the query that returns the events to delete.
// Run that query on its own first and check it returns only those events.
$select = mysql_query("select sid, cid from YOUR QUERY HERE")
    or die(mysql_error());

while ($row = mysql_fetch_object($select)) {
    // sid and cid are integer columns in the Snort schema; cast them so
    // nothing else from the result set can end up inside the DELETE statements.
    $sid = (int) $row->sid;
    $cid = (int) $row->cid;
    echo "Deleting sid: $sid cid: $cid\n";
    foreach ($tables as $table) {
        // mysql_query() returns TRUE/FALSE for a DELETE, not a result set,
        // so there is nothing to fetch afterwards.
        mysql_query("DELETE FROM $table WHERE sid = $sid AND cid = $cid")
            or die(mysql_error());
    }
}
mysql_free_result($select);

----- Original Message -----
From: Postiglione, Jon <jon.postiglione at ...12254...>
Date: Wed, 11 Aug 2004 22:24:35 -0400
Subject: [Snort-users] Many Events in new SNORT box
To: snort-users at lists.sourceforge.net




Hello,

I just recently configured a new snort box and before I could set up
the events that I wanted to keep and the ones I wanted to delete I had
over 5 million events (We run a really chatty network). Well, anyway I
need to delete all of the events in SNORT but it will not let me
because there are too many of them (it times out). I do not know much
about MySQL or SNORT, is there an easy way to delete all of the events
(besides rebuilding the box)?

Thanks from a NewBie!

Regards,

Jon Postiglione

 This email and any files transmitted with it may contain PRIVILEGED
or CONFIDENTIAL information and may be read or used only by the
intended recipient. If you are not the intended recipient of the email
or any of its attachments, please be advised that you have received
this email in error and that any use, dissemination, distribution,
forwarding, printing, or copying of this email or any attached files
is strictly prohibited. If you have received this email in error,
please immediately purge it and all attachments and notify the sender
by reply email or contact the sender at the number listed.
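The thread above deletes events one (sid, cid) pair at a time so the tables are never held for long. As an added example (not code from the mailing list or from the Snort project), the same idea carried a step further: the selection query is run and inspected first, the deletes are parameterized and issued in chunks with a commit after each chunk, child tables are cleared before the parent event row, and a final check confirms no orphaned header or payload rows were left behind. It assumes a cut-down, constructed copy of the Snort schema in an in-memory sqlite3 database standing in for MySQL; the table names and the (sid, cid) keys are the Snort ones, the other columns and all the sample events are made up for the demo.

```python
import sqlite3

# Per-packet detail tables of the Snort database schema, all keyed on
# (sid, cid).  They are cleared before the parent "event" row so that no
# orphaned header/payload rows are left behind.
CHILD_TABLES = ("data", "iphdr", "tcphdr", "udphdr", "icmphdr")
ALL_TABLES = CHILD_TABLES + ("event",)

# Cut-down version of the Snort schema (only the columns this example needs);
# sqlite3 stands in for MySQL so the example runs offline.
SCHEMA = """
CREATE TABLE event   (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                      PRIMARY KEY (sid, cid));
CREATE TABLE data    (sid INTEGER, cid INTEGER, data_payload TEXT, PRIMARY KEY (sid, cid));
CREATE TABLE iphdr   (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                      PRIMARY KEY (sid, cid));
CREATE TABLE tcphdr  (sid INTEGER, cid INTEGER, tcp_sport INTEGER, tcp_dport INTEGER,
                      PRIMARY KEY (sid, cid));
CREATE TABLE udphdr  (sid INTEGER, cid INTEGER, udp_sport INTEGER, udp_dport INTEGER,
                      PRIMARY KEY (sid, cid));
CREATE TABLE icmphdr (sid INTEGER, cid INTEGER, icmp_type INTEGER, PRIMARY KEY (sid, cid));
"""


def build_sample_db(n_events=1000):
    """Constructed sample data: one sensor (sid=1) with n_events events.
    Even cids belong to the noisy signature 1, odd cids to signature 2; every
    event has an iphdr row, a payload row and exactly one transport header."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for cid in range(1, n_events + 1):
        sig = 1 if cid % 2 == 0 else 2
        conn.execute("INSERT INTO event VALUES (1, ?, ?, ?)",
                     (cid, sig, "2004-08-11 22:24:35"))
        conn.execute("INSERT INTO iphdr VALUES (1, ?, ?, ?)", (cid, 167772161, 167772162))
        conn.execute("INSERT INTO data VALUES (1, ?, ?)", (cid, "payload"))
        if cid % 3 == 0:
            conn.execute("INSERT INTO tcphdr VALUES (1, ?, ?, ?)", (cid, 1024 + cid, 80))
        elif cid % 3 == 1:
            conn.execute("INSERT INTO udphdr VALUES (1, ?, ?, ?)", (cid, 1024 + cid, 53))
        else:
            conn.execute("INSERT INTO icmphdr VALUES (1, ?, ?)", (cid, 8))
    conn.commit()
    return conn


def select_targets(conn, where_clause, params=()):
    """The "YOUR QUERY HERE" step: return the (sid, cid) pairs to delete.
    where_clause is SQL written by the operator, not user input; the values
    go in params so they are bound rather than pasted into the string.
    Run this on its own and look at the rows before deleting anything."""
    sql = "SELECT sid, cid FROM event WHERE " + where_clause
    return conn.execute(sql, params).fetchall()


def delete_events(conn, targets, chunk_size=500, dry_run=False):
    """Delete the given (sid, cid) pairs chunk by chunk, child tables first,
    committing after every chunk so no single transaction holds the tables
    for long.  Returns the number of rows removed from each table.
    dry_run rolls each chunk back instead of committing, which yields the
    per-table counts without changing anything; that needs a transactional
    engine, so use it on a copy rather than a MyISAM production table."""
    deleted = {table: 0 for table in ALL_TABLES}
    for start in range(0, len(targets), chunk_size):
        chunk = targets[start:start + chunk_size]
        for table in ALL_TABLES:
            # table names come from the fixed tuple above; sid/cid are bound
            cur = conn.executemany(
                "DELETE FROM %s WHERE sid = ? AND cid = ?" % table, chunk)
            deleted[table] += cur.rowcount
        if dry_run:
            conn.rollback()
        else:
            conn.commit()
    return deleted


def orphan_count(conn):
    """Child rows whose parent event no longer exists (should be 0 afterwards)."""
    total = 0
    for table in CHILD_TABLES:
        total += conn.execute(
            "SELECT COUNT(*) FROM %s t WHERE NOT EXISTS "
            "(SELECT 1 FROM event e WHERE e.sid = t.sid AND e.cid = t.cid)" % table
        ).fetchone()[0]
    return total


def run_demo():
    """Purge every event from the noisy signature 1, previewing the counts first."""
    conn = build_sample_db(1000)
    targets = select_targets(conn, "signature = ?", (1,))
    preview = delete_events(conn, targets, chunk_size=200, dry_run=True)
    deleted = delete_events(conn, targets, chunk_size=200)
    remaining = conn.execute("SELECT COUNT(*) FROM event").fetchone()[0]
    return preview, deleted, remaining, orphan_count(conn)


if __name__ == "__main__":
    preview, deleted, remaining, orphans = run_demo()
    print("would delete:", preview)
    print("deleted:     ", deleted)
    print("events left: %d, orphaned child rows: %d" % (remaining, orphans))
```

Against a real Snort MySQL database the same structure applies with the MySQL driver of your choice: the chunk size is the knob that trades throughput against how long the sensor's inserts wait, and the orphan check at the end is worth keeping because a delete that stops halfway (or a selection query that only returned parent rows) leaves header and payload rows that nothing will ever reference again.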



