[Snort-users] Finding alerts taking up the most database space

McCash, John John.McCash at ...10979...
Fri Sep 10 12:37:03 EDT 2004


Sekure,
	No. I'm already doing that (through ACID). Unfortunately, the
alerts that are showing up in the greatest numbers appear to be only
about 20% of my problem. The real issue here appears to be that variable
amounts of packet capture are stored for many events, and there's no
index for the size of the packet capture record for a given event (or so
I believe...).
		Thanks anyway
			John

-----Original Message-----
From: sekure [mailto:sekure at ...11827...] 
Sent: Friday, September 10, 2004 11:41 AM
To: McCash, John
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Finding alerts taking up the most database space

Well you can do something like:
select count(signature) as num, signature 
from event 
group by signature 
order by num desc 
limit 10;

This should give you the top 10 alerts in the event table.  Keep in
mind though, that those may not necessarily be the ones that take up
the most disk space, since they may have a completely empty "data"
record associated with them.

Then you can look up the signature in the signature table.

Is this what you were looking for?


----- Original Message -----
From: McCash, John <john.mccash at ...10979...>
Date: Fri, 10 Sep 2004 11:20:47 -0500
Subject: [Snort-users] Finding alerts taking up the most database space
To: snort-users at lists.sourceforge.net




Hi,

I currently am running snort and acid with mysql, and
my database size is getting up around 6G. The data table, data.MYD
alone is about 3.3G. As you may imagine, my db performance is lousy.
Does anyone have an easy way of determining which alerts are taking up
the greatest amount of db space, so that I can selectively prune those
entries?

Thanks in advance

John McCash
------------------------------------------------------------------------
------------------------
This message is for the designated recipient only and may
contain privileged, proprietary, or otherwise private information. 
If you have received it in error, please notify the sender
immediately and delete the original. Any unauthorized use of
this email is prohibited.
------------------------------------------------------------------------
------------------------

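Added example, not from the original thread: the query below does what John asked for, ranking signatures by the space their stored payloads occupy rather than by event count, which is the gap sekure's query leaves open. It assumes the standard Snort MySQL schema that ACID reads (event(sid, cid, signature, ...), signature(sig_id, sig_name, ...), data(sid, cid, data_payload)) and that data_payload holds the payload hex-encoded by Snort's database output plugin, so LENGTH() is roughly twice the captured byte count; the sig_id 123 in the DELETE is a placeholder to be replaced with a value from the first query's output.

```sql
-- Added example (not from the original thread). Assumes the standard
-- Snort/ACID MySQL schema: event(sid, cid, signature), signature(sig_id,
-- sig_name), data(sid, cid, data_payload). data_payload is the hex-encoded
-- payload written by Snort's database output plugin, so LENGTH() is about
-- twice the raw byte count. The LEFT JOIN keeps events that have no data
-- row; IFNULL makes them contribute 0 instead of turning the SUM to NULL.
SELECT s.sig_id,
       s.sig_name,
       COUNT(*)                                         AS num_events,
       COUNT(d.sid)                                     AS events_with_payload,
       SUM(IFNULL(LENGTH(d.data_payload), 0))           AS payload_chars,
       SUM(IFNULL(LENGTH(d.data_payload), 0)) / COUNT(*) AS avg_payload_chars
FROM event e
     JOIN signature s ON s.sig_id = e.signature
     LEFT JOIN data d ON d.sid = e.sid AND d.cid = e.cid
GROUP BY s.sig_id, s.sig_name
ORDER BY payload_chars DESC
LIMIT 10;

-- Once a bulky signature is identified, drop only its stored payloads.
-- The event rows (and so the alert history in ACID) are kept.
-- 123 is a placeholder sig_id; substitute one from the query above.
DELETE data
FROM data, event
WHERE data.sid = event.sid
  AND data.cid = event.cid
  AND event.signature = 123;

-- MyISAM does not return freed space to the filesystem on DELETE;
-- data.MYD only shrinks after the table is rebuilt.
OPTIMIZE TABLE data;
```

Because the schema stores no length column, SUM(LENGTH(...)) has to read every data row once, so on a 3.3G table run it off-hours. Deleting only the data rows reclaims the payload space without losing the alerts from ACID's views; the .MYD file shrinks only after OPTIMIZE TABLE, which rebuilds the MyISAM table and locks it while it runs.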



