[Snort-users] Manually deleting alerts from snort and acid database

Jacob, Raymond A Jr raymond.jacob at ...7622...
Thu Jul 22 15:18:24 EDT 2004


I have started playing with snortslinger and I am starting to like the ability to write my on sql queries.
I think I am ready for the next step that is deleting alerts that I am not interested in but my supervisor is.

For example: Deleting SHELLCODE x86 inc ebx NOOP (1390) alerts where Destination port is 80

Process:
Select sig_id from signature where sig_sid= 1390;

SET SIG_ID = <result>;

Delete event, iphdr, data,tcphdr,udphdr,icmphdr,opt,acid_ag_alert,acid_ag;
from event, iphdr, data,tcphdr,udphdr,icmphdr,opt,acid_ag_alert,acid_ag;
where event.id=SIG_ID and event.cid= iphdr.cid and event.cid= data.cid and
event.cid= tcphdr.cid and event.cid=  updphdr.cid; event.cid= icmphdr.cid and
event.cid= opt.cid and event.cid= acid_ag_alert.cid and acid_ag_alert.ag_id = acid_ag.ag_id;

<pray to the deity of your choice>
My assumptions are that if the Signature does not exist in a table no errors will be raised
mysql will go to the next logic statement. 

Question: Has anyone tried this?
Based on the queries I have executed so far. This will take for ever depending on the size of
my database.
Question: Should I analyze my queries or optimize tables to get them to work as efficiently as possible before I attempt this?
    (should I use myisamchk -a or EXPLAIN,  ANALYZE event, ANALYZE iphdr,.... every two(2)days ?
     or should I (RTFM)buy:
        High Performance MySQL (Orielly)
        Optimization, Backups, Replication, Load Balancing & More 
        By Jeremy Zawodny, Derek J. Balling
        April 2004 
        ISBN: 0-596-00306-4
        294 pages, $39.95 US, $57.95 CA, £28.50 UK ?
      )

Thank you,
Raymond



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20040722/60616148/attachment.html>


More information about the Snort-users mailing list