[Snort-users] Manually deleting alerts from snort and acid database
Jacob, Raymond A Jr
raymond.jacob at ...7622...
Thu Jul 22 15:18:24 EDT 2004
I have started playing with snortslinger and I am starting to like the ability to write my own SQL queries.
I think I am ready for the next step, which is deleting alerts that I am not interested in but my supervisor is.
For example: deleting SHELLCODE x86 inc ebx NOOP (1390) alerts where the destination port is 80.
-- resolve the internal signature id for Snort SID 1390 into a user variable
SELECT @sig_id := sig_id FROM signature WHERE sig_sid = 1390;
-- multi-table DELETE keyed on (sid, cid); LEFT JOINs so an alert with no udphdr/icmphdr/opt/data row
-- still matches, and acid_ag (the alert-group definitions, not the alerts) is left alone
DELETE event, iphdr, data, tcphdr, udphdr, icmphdr, opt, acid_ag_alert
FROM event
  INNER JOIN tcphdr        ON tcphdr.sid = event.sid AND tcphdr.cid = event.cid
  LEFT  JOIN iphdr         ON iphdr.sid = event.sid AND iphdr.cid = event.cid
  LEFT  JOIN data          ON data.sid = event.sid AND data.cid = event.cid
  LEFT  JOIN udphdr        ON udphdr.sid = event.sid AND udphdr.cid = event.cid
  LEFT  JOIN icmphdr       ON icmphdr.sid = event.sid AND icmphdr.cid = event.cid
  LEFT  JOIN opt           ON opt.sid = event.sid AND opt.cid = event.cid
  LEFT  JOIN acid_ag_alert ON acid_ag_alert.ag_sid = event.sid AND acid_ag_alert.ag_cid = event.cid
WHERE event.signature = @sig_id AND tcphdr.tcp_dport = 80;
<pray to the deity of your choice>
My assumptions are that if the signature does not exist in a table, no errors will be raised and
mysql will go on to the next logic statement.
Question: Has anyone tried this?
Based on the queries I have executed so far, this will take forever depending on the size of
Question: Should I analyze my queries or optimize tables to get them to work as efficiently as possible before I attempt this?
(Should I use myisamchk -a or EXPLAIN, ANALYZE event, ANALYZE iphdr, .... every two (2) days,
or should I (RTFM) buy:
High Performance MySQL (O'Reilly)
Optimization, Backups, Replication, Load Balancing & More
By Jeremy Zawodny, Derek J. Balling
294 pages, $39.95 US, $57.95 CA, £28.50 UK ?
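Added example (not from the original post or from the ACID/snortslinger projects): the same cleanup done the way an analyst would want it reviewed, with a dry-run count, an EXPLAIN of the plan, an audit copy of the rows before they go, and the delete driven from that fixed list so alerts arriving mid-run are not silently swept up. It assumes the standard Snort/ACID schema columns (event.sid/cid/signature, tcphdr.tcp_dport, acid_ag_alert.ag_sid/ag_cid) and a hypothetical event_archive table.

```sql
-- 1. Resolve Snort SID 1390 to the database's internal signature id
SELECT @sig_id := sig_id FROM signature WHERE sig_sid = 1390;

-- 2. Dry run: how many alerts would go? Same join/WHERE as the archive step.
SELECT COUNT(*) AS to_delete
FROM event INNER JOIN tcphdr ON tcphdr.sid = event.sid AND tcphdr.cid = event.cid
WHERE event.signature = @sig_id AND tcphdr.tcp_dport = 80;

-- 3. Look at the plan first: type "ALL" with a large rows estimate is a full
--    table scan; ref on event.signature and eq_ref on tcphdr's (sid, cid) key is what you want.
EXPLAIN SELECT event.sid, event.cid
FROM event INNER JOIN tcphdr ON tcphdr.sid = event.sid AND tcphdr.cid = event.cid
WHERE event.signature = @sig_id AND tcphdr.tcp_dport = 80;

-- 4. Record what is about to be removed (hypothetical audit table, assumed name)
--    so the deletion is reviewable and the delete works from this fixed list.
CREATE TABLE IF NOT EXISTS event_archive (
  sid        INT UNSIGNED NOT NULL,
  cid        INT UNSIGNED NOT NULL,
  signature  INT UNSIGNED NOT NULL,
  timestamp  DATETIME NOT NULL,
  deleted_at DATETIME NOT NULL,
  PRIMARY KEY (sid, cid)
);
SELECT @batch := NOW();
INSERT INTO event_archive
SELECT event.sid, event.cid, event.signature, event.timestamp, @batch
FROM event INNER JOIN tcphdr ON tcphdr.sid = event.sid AND tcphdr.cid = event.cid
WHERE event.signature = @sig_id AND tcphdr.tcp_dport = 80;

-- 5. Delete every per-alert row for the archived (sid, cid) pairs. LEFT JOINs so an
--    alert lacking a udphdr/icmphdr/opt/data row still matches; acid_ag (the group
--    definitions) is deliberately not in the delete list.
DELETE event, iphdr, tcphdr, udphdr, icmphdr, opt, data, acid_ag_alert
FROM event_archive a
  INNER JOIN event         ON event.sid = a.sid AND event.cid = a.cid
  LEFT  JOIN iphdr         ON iphdr.sid = a.sid AND iphdr.cid = a.cid
  LEFT  JOIN tcphdr        ON tcphdr.sid = a.sid AND tcphdr.cid = a.cid
  LEFT  JOIN udphdr        ON udphdr.sid = a.sid AND udphdr.cid = a.cid
  LEFT  JOIN icmphdr       ON icmphdr.sid = a.sid AND icmphdr.cid = a.cid
  LEFT  JOIN opt           ON opt.sid = a.sid AND opt.cid = a.cid
  LEFT  JOIN data          ON data.sid = a.sid AND data.cid = a.cid
  LEFT  JOIN acid_ag_alert ON acid_ag_alert.ag_sid = a.sid AND acid_ag_alert.ag_cid = a.cid
WHERE a.deleted_at = @batch;

-- 6. Sanity check afterwards: no header rows left behind without an event row
SELECT COUNT(*) AS orphans
FROM tcphdr LEFT JOIN event ON event.sid = tcphdr.sid AND event.cid = tcphdr.cid
WHERE event.cid IS NULL;
```

The count from step 2 should equal the rows inserted in step 4 and the event rows reported deleted in step 5; a mismatch means alerts arrived between steps, which the archive-driven delete leaves untouched.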