[Snort-users] BASE/snort question

John Newman jnn at ...13788...
Thu May 25 06:40:02 EDT 2006


I posted this to a BASE list, but I'm looking for feedback quickly, so I
was wondering if anyone would care to give me a quick sanity check on
this little bitty script I hacked together to, basically, reduce the
size of my snort/BASE database, based on a cutoff date where I want to
delete events.   Here is the code - thanks for any feedback!  (Obviously
it's quite rough and was written quickly; I'm just trying to make sure the
idea is sane and that I'm hitting the right tables.)

#!/usr/local/bin/perl -w

use DBI;
use Getopt::Std;

# Flush STDOUT after every print so progress lines show up immediately.
$|++;

# Chatty progress output (the resolved cid is echoed when set).
my $verbose = 1;

# Tables that get pruned. The DELETE loop below compares a `cid` column in
# each of them, so every table listed here must carry one.
# NOTE(review): tcphdr is not listed although udphdr and icmphdr are —
# confirm whether TCP-header rows should be pruned as well.
my @tables = ('acid_event', 'data', 'event', 'icmphdr', 'iphdr', 'udphdr');

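# Open a DBI connection to the MySQL database.
# Arguments: host, user, password, database name (all plain scalars).
# Returns the database handle, or undef with DBI->errstr set when the
# connect fails; the caller decides whether that is fatal.
# The ($$$$) prototype was dropped: prototypes change how calls are
# parsed rather than validating arguments.
sub initDB {
	my ($host, $user, $pass, $db) = @_;

	my $dsn = "dbi:mysql:database=$db;host=$host";
	return DBI->connect($dsn, $user, $pass);
}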

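# Find the cid at which the cutoff starts: the smallest cid whose
# timestamp is later than $date. Everything below it is old enough to prune.
# Arguments: a DBI handle and the cutoff date as a string MySQL can
# compare against event.timestamp (e.g. "2006-05-15").
# Returns the cid, or undef when no event lies after the cutoff — the
# caller must not delete anything in that case. Dies if the query fails.
sub get_cid {
	my ($dbh, $date) = @_;

	# The date is bound, not interpolated: it comes straight off the
	# command line. ORDER BY makes LIMIT 1 deterministic; without it the
	# row returned is whatever the engine happens to find first.
	my $sth = $dbh->prepare(
		"SELECT cid from event where timestamp > ? order by cid limit 1"
	) or die "Unable to prepare cid lookup: " . $dbh->errstr . "\n";
	$sth->execute($date)
		or die "Unable to grab cid for date $date: " . $dbh->errstr . "\n";

	my $row = $sth->fetchrow_hashref;
	$sth->finish;
	return unless $row;
	return $row->{cid};
}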

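# ---- main ----------------------------------------------------------------
# Switches: -u dbuser, -p dbpass, -h dbhost, -d dbname, -c cutoffdate.
# -u and -d default to "snort"; -p, -h and -c must be given.
use strict;    # every variable from here down is lexically declared

my %opts;
my $usage = "Usage: $0 -u dbuser -p dbpass -h dbhost -d dbname -c cutoffdate (e.g. 2006-05-15)\n";

# getopts() understands the "x:" takes-an-argument spec and returns false
# on an unknown switch; getopt() accepted anything silently.
getopts('u:p:h:d:c:', \%opts) or do {
	print STDERR $usage;
	exit 1;
};

my $db   = (defined $opts{d} && length $opts{d}) ? $opts{d} : "snort";
my $user = (defined $opts{u} && length $opts{u}) ? $opts{u} : "snort";

# Password, host and cutoff have no sane default. Exit after the usage
# message: carrying on would connect with an undef password and run the
# DELETEs against an undef cutoff.
for my $switch (qw(p h c)) {
	next if defined $opts{$switch} && length $opts{$switch};
	print STDERR $usage;
	exit 1;
}
my $pass   = $opts{p};
my $cutoff = $opts{c};
my $host   = $opts{h};

my $handle = initDB($host, $user, $pass, $db)
	or die "Database error: " . DBI->errstr;

# get_cid() yields the first cid after the cutoff. No event after the
# cutoff means nothing is known to be old, so stop rather than delete.
my $cid = get_cid($handle, $cutoff);
defined $cid
	or die "No event later than $cutoff found; nothing deleted\n";
print "Cid = $cid\n" if $verbose;

# Table names come from the fixed @tables list; the cid is a bind value.
# do() returns the affected row count ("0E0" for none) or undef on error.
# NOTE(review): the comparison is on cid alone. If this database holds
# events from more than one sensor (sid), confirm that a single cid
# cutoff is what you want — cids may not be comparable across sensors.
for my $table (@tables) {
	my $rows = $handle->do("DELETE from $table WHERE cid < ?", undef, $cid)
		or die "Unable to execute deletion: " . $handle->errstr . "\n";
	print "$table: $rows row(s) deleted\n" if $verbose;
}
$handle->disconnect;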

John Newman
Systems Administrator, WebXess Inc.
