[Snort-users] Script to purge snort and acid databases?

Paul Schmehl pauls at ...6838...
Tue Sep 5 12:33:59 EDT 2006


--On Tuesday, September 05, 2006 11:34:56 -0400 "Jacob, Raymond A Jr" 
<raymond.jacob at ...7622...> wrote:
>
> I am running base "1.2.2 (cindy)"  I want to start  fresh without having
> to recreate the tables.
> Is there a script that will purge the relevant tables?
>
> Doing an ls -last *.MYD
> 4543712 -rw-rw----  1 mysql  mysql  4650467248 Jul 17 17:25 data.MYD
> 1386304 -rw-rw----  1 mysql  mysql  1418840624 Jul 14 16:20 acid_event.MYD
>  301792 -rw-rw----  1 mysql  mysql   308848764 Jul 14 16:19 event.MYD
>  459856 -rw-rw----  1 mysql  mysql   470626688 Jul 14 16:19 iphdr.MYD
>   21280 -rw-rw----  1 mysql  mysql    21759711 Jul 14 16:19 udphdr.MYD
>  175088 -rw-rw----  1 mysql  mysql   179167726 Jul 14 01:08 icmphdr.MYD
>   84208 -rw-rw----  1 mysql  mysql    86161620 Jul 13 21:44 tcphdr.MYD
>   14608 -rw-rw----  1 mysql  mysql    14930292 Jul 13 21:43 opt.MYD
>      16 -rw-rw----  1 mysql  mysql       15448 Jul 12 11:20 signature.MYD
>       8 -rw-rw----  1 mysql  mysql        6929 Jul  4 22:57 sig_reference.MYD
>      12 -rw-rw----  1 mysql  mysql       11088 Jul  4 22:56 reference.MYD
>       2 -rw-rw----  1 mysql  mysql         556 Jun  5 18:59 sig_class.MYD
>       2 -rw-rw----  1 mysql  mysql         160 Apr 21 12:29 reference_system.MYD
>       6 -rw-rw----  1 mysql  mysql        4836 Apr 18 18:30 acid_ip_cache.MYD
>       2 -rw-rw----  1 mysql  mysql          84 Mar  2  2006 sensor.MYD
>       0 -rw-rw----  1 mysql  mysql           0 Mar  2  2006 acid_ag.MYD
>       0 -rw-rw----  1 mysql  mysql           0 Mar  2  2006 acid_ag_alert.MYD
>       0 -rw-rw----  1 mysql  mysql           0 Mar  2  2006 base_roles.MYD
>       0 -rw-rw----  1 mysql  mysql           0 Mar  2  2006 base_users.MYD
>       2 -rw-rw----  1 mysql  mysql          40 Mar  2  2006 detail.MYD
>       2 -rw-rw----  1 mysql  mysql          60 Mar  2  2006 encoding.MYD
>       2 -rw-rw----  1 mysql  mysql          13 Mar  2  2006 schema.MYD
>
> So my guess is that I can run
>  echo "TRUNCATE TABLE data;                " | mysql -u need_help -p now
>  echo "TRUNCATE TABLE acid_event ; " | mysql -u need_help -p now
>  echo "TRUNCATE TABLE event;           " | mysql -u need_help -p now
>  echo "TRUNCATE TABLE iphdr;           " | mysql -u need_help -p now
>  echo "TRUNCATE TABLE udphdr;         " | mysql -u need_help -p now
>  echo "TRUNCATE TABLE icmphdr;       " | mysql -u need_help -p now
>  echo "TRUNCATE TABLE tcphdr;         " | mysql -u need_help -p now
>  echo "TRUNCATE TABLE opt;               " | mysql -u need_help -p now
>
> And restart the sensors.
> Is there anything else that I need to do?
>
First of all, the acid/base tables are "recreations" of what's in the snort 
db, so you can drop them at any time, and BASE will recreate the data in 
them.

Secondly, I would be careful about using TRUNCATE.  I'd use DELETE FROM 
TABLE 'tablename' instead.  TRUNCATE is not transaction-safe.  (However, 
TRUNCATE is mapped to DELETE FROM prior to mysql 5.0.3, so there's no 
difference between the two in earlier versions.)

Finally, if you just want to keep a certain number of days in the database 
(rather than deleting everything) in order to keep its size down to a 
workable level, you may want to try my archive script: 
http://www.ntsug.org/downloads.html

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
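A retention-style purge of the kind Paul describes, written here as an added example: it is not his archive script and not part of the original thread. It assumes the stock snort MySQL schema (event, iphdr, tcphdr, udphdr, icmphdr, opt and data keyed on sid/cid) plus BASE's acid_event and acid_ag_alert tables, and the 30-day retention is a constructed value.

```sql
-- Added example (not the ntsug.org archive script). Retention period is
-- a constructed value; adjust @keep_days to the window you need.
SET @keep_days = 30;

-- Gather the (sid, cid) pairs to purge once, so every dependent table is
-- pruned from exactly the same key set and nothing is left orphaned.
CREATE TEMPORARY TABLE purge_keys (
    sid INT UNSIGNED NOT NULL,
    cid INT UNSIGNED NOT NULL,
    PRIMARY KEY (sid, cid)
);
INSERT INTO purge_keys (sid, cid)
    SELECT sid, cid
    FROM event
    WHERE timestamp < DATE_SUB(NOW(), INTERVAL @keep_days DAY);

-- DELETE rather than TRUNCATE: row-by-row, and rolled back as a unit on
-- InnoDB. Note the .MYD files in the question are MyISAM, where
-- START TRANSACTION has no effect, so run this in a quiet window.
START TRANSACTION;

-- Child tables first (all keyed on sid, cid).
DELETE d FROM data    AS d JOIN purge_keys AS p ON d.sid = p.sid AND d.cid = p.cid;
DELETE o FROM opt     AS o JOIN purge_keys AS p ON o.sid = p.sid AND o.cid = p.cid;
DELETE t FROM tcphdr  AS t JOIN purge_keys AS p ON t.sid = p.sid AND t.cid = p.cid;
DELETE u FROM udphdr  AS u JOIN purge_keys AS p ON u.sid = p.sid AND u.cid = p.cid;
DELETE i FROM icmphdr AS i JOIN purge_keys AS p ON i.sid = p.sid AND i.cid = p.cid;
DELETE h FROM iphdr   AS h JOIN purge_keys AS p ON h.sid = p.sid AND h.cid = p.cid;

-- BASE's derived tables: acid_event mirrors event, acid_ag_alert ties
-- alert groups to events. BASE rebuilds them, but dropping matching rows
-- keeps its counters consistent with what is left in event.
DELETE a FROM acid_event    AS a JOIN purge_keys AS p ON a.sid = p.sid AND a.cid = p.cid;
DELETE g FROM acid_ag_alert AS g JOIN purge_keys AS p ON g.ag_sid = p.sid AND g.ag_cid = p.cid;

-- Parent table last.
DELETE e FROM event AS e JOIN purge_keys AS p ON e.sid = p.sid AND e.cid = p.cid;

COMMIT;
DROP TEMPORARY TABLE purge_keys;

-- DELETE leaves holes in MyISAM data files; OPTIMIZE reclaims the space
-- (it locks each table while it runs).
OPTIMIZE TABLE data, opt, tcphdr, udphdr, icmphdr, iphdr, event, acid_event;
```

Run it with the same mysql client invocation shown in the question, and check `SELECT sid, cid FROM iphdr WHERE (sid, cid) NOT IN (SELECT sid, cid FROM event)` returns nothing afterwards to confirm no orphans remain.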