[Snort-users] BASE/snort question

Jeff Dell jdell at ...1095...
Thu May 25 07:17:01 EDT 2006


You are going to have to remove rows from a few other tables as well.
Check out:

http://www.ntsug.org/downloads.html

Jeff

> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of John Newman
> Sent: Thursday, May 25, 2006 9:39 AM
> To: snort-users at lists.sourceforge.net; snort-devel at lists.sourceforge.net
> Subject: [Snort-users] BASE/snort question
> 
> Hello,
> 
> I posted this to a BASE list, but I'm looking for feedback quickly, so I
> was wondering if anyone would care to give me a quick sanity check on
> this little bitty script I hacked together to, basically, reduce the
> size of my snort/BASE database, based on a cutoff date where I want to
> delete events. Here is the code - thanks for any feedback! (Obviously
> it's quite rough, written quite quickly, I'm just trying to make sure the
> idea is sane and that I'm hitting the right tables).
> 
> 
> #!/usr/local/bin/perl -w
> 
> use DBI;
> use Getopt::Std;
> 
> $| = 1;
> my $verbose = 1;
> 
> my @tables = qw(acid_event data event icmphdr iphdr udphdr);
> 
> sub initDB($$$$)
> {
> 	my ($host,$user,$pass,$db) = @_;
> 
> 	return DBI->connect("dbi:mysql:database=$db;host=$host", $user, $pass);
> }
> 
> sub get_cid($$)
> {
> 	my($dbh, $date) = @_;
> 	# Bind the date as a placeholder instead of interpolating it into the SQL,
> 	# and order the result so "limit 1" returns the first event after the cutoff
> 	my $sth = $dbh->prepare("SELECT cid from event where timestamp > ? order by timestamp limit 1");
> 	# Method calls do not interpolate inside a string, so concatenate errstr
> 	$sth->execute($date) or
> 		die "Unable to grab cid for date $date: " . $dbh->errstr . "\n";
> 	my $row = $sth->fetchrow_hashref or
> 		die "No events found after $date\n";
> 	return $row->{cid};
> }
> 
> # -u dbuser, -p dbpass, -h dbhost, -d dbname, -c cutoffdate
> # u and d all have obvious defaults, the others need to be specified
> # (getopts, not getopt, is the Getopt::Std call that takes the "x:" syntax)
> getopts('u:p:h:d:c:', \%opts);
> 
> $db   = length($opts{d}) ? $opts{d} : "snort";   # default to snort
> $user = length($opts{u}) ? $opts{u} : "snort";   # default to snort.. again!
> 
> if (!length($opts{p}) or !length($opts{h}) or !length($opts{c})) {
> 	print STDERR "Usage: $0 -u dbuser -p dbpass -h dbhost -d dbname -c cutoffdate (e.g. 2006-05-15)\n";
> 	exit(1);
> }
> $pass   = $opts{p};
> $cutoff = $opts{c};
> $host   = $opts{h};
> 
> my $handle = initDB($host, $user, $pass, $db)  or
> 	die("Database error: " . DBI->errstr);
> 
> my $cid = &get_cid($handle, $cutoff);
> print "Cid = $cid\n"            if $verbose;
> 
> my $sth;
> foreach my $table (@tables) {
> 	# Table names cannot be bound, but the cid value can
> 	$sth = $handle->prepare("DELETE from $table WHERE cid < ?");
> 	$sth->execute($cid) or
> 		die "Unable to execute deletion: " . $handle->errstr . "\n";
> }
> 
> 
> -- 
> John Newman
> Systems Administrator, WebXess Inc.
> 
> 
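An added example, not part of the original thread or of BASE/Snort: a date-based prune that matches rows on the (sid, cid) pair rather than on cid alone, and runs every delete in one transaction so a failure leaves no table half-pruned. It uses Python with an in-memory SQLite database as a stand-in for MySQL. The simplified table layouts, sample rows and function names are constructed for illustration, and it assumes each per-event table carries sid and cid columns.

```python
import sqlite3

# Per-event tables taken from the script's @tables list; extend this list
# with whatever other (sid, cid) tables your schema has.
CHILD_TABLES = ["acid_event", "data", "icmphdr", "iphdr", "udphdr"]

def prune_before(conn, cutoff, child_tables=CHILD_TABLES):
    """Delete events older than `cutoff` plus their rows in child tables.

    Rows are matched on the (sid, cid) pair, selected by event.timestamp, and
    everything runs in one transaction. Returns {table: rows_deleted}.
    """
    match = ("EXISTS (SELECT 1 FROM event e WHERE e.sid = {t}.sid "
             "AND e.cid = {t}.cid AND e.timestamp < ?)")
    deleted = {}
    with conn:  # commits on success, rolls back if any DELETE fails
        for t in list(child_tables) + ["event"]:  # parent table goes last
            if not t.isidentifier():  # table names cannot be bound as parameters
                raise ValueError(f"bad table name: {t!r}")
            where = "timestamp < ?" if t == "event" else match.format(t=t)
            deleted[t] = conn.execute(
                f"DELETE FROM {t} WHERE {where}", (cutoff,)).rowcount
    return deleted

def build_demo_db():
    """Constructed sample data: two sensors whose cid ranges overlap."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE event (sid INTEGER, cid INTEGER, timestamp TEXT)")
    for t in CHILD_TABLES:
        conn.execute(f"CREATE TABLE {t} (sid INTEGER, cid INTEGER)")
    events = [(1, 1, "2006-05-01 10:00:00"), (1, 2, "2006-05-10 10:00:00"),
              (1, 3, "2006-05-20 10:00:00"), (2, 1, "2006-05-18 09:00:00"),
              (2, 2, "2006-05-21 09:00:00")]
    with conn:  # commit the sample rows so a later rollback cannot drop them
        conn.executemany("INSERT INTO event VALUES (?, ?, ?)", events)
        for t in CHILD_TABLES:
            conn.executemany(f"INSERT INTO {t} VALUES (?, ?)",
                             [(sid, cid) for sid, cid, _ in events])
    return conn

if __name__ == "__main__":
    db = build_demo_db()
    print(prune_before(db, "2006-05-15"))
    print(db.execute("SELECT sid, cid FROM event ORDER BY sid, cid").fetchall())
```

In the sample data, sensor 2's events are newer than the cutoff but have low cid values, so a `cid < N` filter would remove them while the (sid, cid) match keeps them.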