[Snort-users] For those of you

sekure sekure at ...11827...
Tue Jul 27 08:25:27 EDT 2004


Joel,

It's true that your script will trim the list of events returned by
ACID and other GUIs, but it will not do much in terms of speeding up
the searches or shrinking the database size.  You are just removing
entries from the event table, and as a result leaving a lot of
orphaned events in iphdr, tcphdr, udphdr, icmphdr, and data tables. 
And that's just in the default snort database.  I am sure there are
equivalents in the tables that ACID creates.  Whenever ACID does a
join with one of those tables, it'll still have to search through all
those cids, even though they don't have an entry in the event table.

On Tue, 27 Jul 2004 10:48:46 -0400, Esler, Joel - Contractor
<joel.esler at ...9426...> wrote:
> Someone emailed me today offline in response to the mysql I had, well,
> instead of messing with it I wrote a php script (yes) that cleans out
> whatever database you have whenever you want it to do it.  (by changing
> the interval).
> 
> It's not rocket science, but I figure I'll put it out there for people
> that don't want to reinvent the wheel.  Run it once a day through your
> crontab.
> 
> -------------begin cut----------------
> #!/bin/php -q
> <?php
> //define mysql connection settings
> define('HOST', 'localhost');
> define('USER', 'user');
> define('PASS', 'password');
> define('DB', 'dbname');
> 
> mysql_connect(HOST, USER, PASS)
> or die("Couldn't connect to database");
> mysql_select_db(DB)
> or die("Couldn't select database");
> 
> //This delete query will purge all logs that are older than 30 days
> $delete = mysql_query("DELETE FROM event WHERE timestamp <
> CURRENT_DATE() - INTERVAL 30 DAY")
> or die(mysql_error());
> $delete = mysql_query("DELETE FROM acid_event WHERE timestamp <
> CURRENT_DATE() - INTERVAL 30 DAY;")
> or die(mysql_error());
> ?>
> ----------end cut-----------------
> 
> Okay, well how about all those tcpdump binaries I have that I want to
> keep but don't want taking up a bunch of space?
> This is REALLY not rocket science...
> 
> -----------begin cut-------------
> 
> #!/bin/sh
> 
> # Compress log files older than a day, skipping files that are already
> # gzipped (gzip keeps the original mtime, so a compressed file would
> # otherwise be matched again on every later hourly run).
> find /path/to/your/snort/logs -type f ! -name '*.gz' -mtime +1 -exec gzip {} \;
> 
> #If you want them to just be deleted after one year too...
> 
> find /path/to/your/snort/logs -type f -mtime +365 -exec rm -f {} \;
> 
> --------------end cut--------------
> 
> Execute that script once an hour.  Like I said, it's not brain surgery,
> just thought these commands could be useful to everyone besides the guy
> that emailed me.
> 
> J
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
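The purge sekure describes, spelled out as an added example (not code from either message): delete the dependent header and payload rows together with the old events, sweep up rows an earlier event-only purge has already orphaned, and reclaim the freed space. It is MySQL syntax (multi-table DELETE), assumes the stock Snort schema where every per-event table is keyed on (sid, cid), and covers only the tables named in this thread; other ACID-created tables would need the same treatment.

```sql
-- Added example: purge events older than 30 days together with their
-- dependent rows, instead of deleting from the event table alone.
-- Assumes the stock Snort schema (every per-event table keyed on sid, cid).

-- Collect the (sid, cid) pairs to purge once, so that every table is
-- trimmed against the same list.
CREATE TEMPORARY TABLE purge_ids (
    sid INT UNSIGNED NOT NULL,
    cid INT UNSIGNED NOT NULL,
    PRIMARY KEY (sid, cid)
);
INSERT INTO purge_ids
    SELECT sid, cid FROM event
    WHERE timestamp < CURRENT_DATE() - INTERVAL 30 DAY;

-- Dependent rows first, the event rows last.
DELETE iphdr FROM iphdr
    INNER JOIN purge_ids p ON p.sid = iphdr.sid AND p.cid = iphdr.cid;
DELETE tcphdr FROM tcphdr
    INNER JOIN purge_ids p ON p.sid = tcphdr.sid AND p.cid = tcphdr.cid;
DELETE udphdr FROM udphdr
    INNER JOIN purge_ids p ON p.sid = udphdr.sid AND p.cid = udphdr.cid;
DELETE icmphdr FROM icmphdr
    INNER JOIN purge_ids p ON p.sid = icmphdr.sid AND p.cid = icmphdr.cid;
DELETE data FROM data
    INNER JOIN purge_ids p ON p.sid = data.sid AND p.cid = data.cid;
DELETE acid_event FROM acid_event
    INNER JOIN purge_ids p ON p.sid = acid_event.sid AND p.cid = acid_event.cid;
DELETE event FROM event
    INNER JOIN purge_ids p ON p.sid = event.sid AND p.cid = event.cid;
DROP TEMPORARY TABLE purge_ids;

-- One-off sweep of rows already orphaned by an event-only purge: anything
-- in a dependent table whose (sid, cid) no longer exists in event.
DELETE iphdr FROM iphdr LEFT JOIN event e
    ON e.sid = iphdr.sid AND e.cid = iphdr.cid WHERE e.cid IS NULL;
DELETE tcphdr FROM tcphdr LEFT JOIN event e
    ON e.sid = tcphdr.sid AND e.cid = tcphdr.cid WHERE e.cid IS NULL;
DELETE udphdr FROM udphdr LEFT JOIN event e
    ON e.sid = udphdr.sid AND e.cid = udphdr.cid WHERE e.cid IS NULL;
DELETE icmphdr FROM icmphdr LEFT JOIN event e
    ON e.sid = icmphdr.sid AND e.cid = icmphdr.cid WHERE e.cid IS NULL;
DELETE data FROM data LEFT JOIN event e
    ON e.sid = data.sid AND e.cid = data.cid WHERE e.cid IS NULL;

-- DELETE does not shrink MyISAM data files; OPTIMIZE TABLE rebuilds them so
-- the space is actually returned and the indexes ACID searches are compacted.
OPTIMIZE TABLE event, iphdr, tcphdr, udphdr, icmphdr, data, acid_event;
```

Run the orphan sweep once after switching to this purge; from then on the first part alone keeps the dependent tables in step with event.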