[Snort-users] Snort DB clean up ACID/BASE

Amm Snort ammdispose-snort at ...131...
Wed Sep 26 02:38:47 EDT 2012


Hello all,

Just wanted to share a clean-up schema which should be added to the
basic schema. I know Snort no longer uses a DB, but I am still sharing
it here as many people (like me) still come here looking for a solution.

The idea is that deletion from other tables should be automatic once
the sid/cid is deleted from the "event" table.

This way you don't have to write a big cleanup script. You can also
simply run an SQL command manually, for example:

delete from event where timestamp<SOMEDATE;

The rest will be taken care of by the following rule.

This is for PostgreSQL; maybe a similar rule can be written for
other DBs.

-- this would go in snort schema file create_postgresql
-- every per-packet table is keyed on the same (sid, cid) pair as event,
-- so one rule on event removes the matching header, option and payload rows
create rule event_deleted as on delete to event do (
    delete from iphdr where sid=old.sid and cid=old.cid;
    delete from tcphdr where sid=old.sid and cid=old.cid;
    delete from udphdr where sid=old.sid and cid=old.cid;
    delete from icmphdr where sid=old.sid and cid=old.cid;
    delete from opt where sid=old.sid and cid=old.cid;
    delete from data where sid=old.sid and cid=old.cid;
    );

-- this would go in base schema file create_base_tbls_pgsql.sql
-- BASE keeps its own copies: acid_event uses sid/cid, acid_ag_alert uses ag_sid/ag_cid
create rule acid_event_deleted as on delete to event do (
    delete from acid_event where sid=old.sid and cid=old.cid;
    delete from acid_ag_alert where ag_sid=old.sid and ag_cid=old.cid;
    );

Hope it helps someone.


AMM.
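The same cascade on a DB other than PostgreSQL, as an added example that is not part of the original post: SQLite has triggers rather than rules, so the two rules above become one AFTER DELETE trigger on event, and an orphan check shows what the purge leaves behind with and without it. The table definitions, alert rows and timestamps are constructed and cut down to the columns the cascade touches.

```python
import sqlite3

# Constructed stand-in for the Snort and BASE tables: only the columns the
# cascade needs, not the full create_postgresql / create_base_tbls schema.
SCHEMA = """
CREATE TABLE event        (sid INTEGER, cid INTEGER, timestamp TEXT, PRIMARY KEY (sid, cid));
CREATE TABLE iphdr        (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER);
CREATE TABLE tcphdr       (sid INTEGER, cid INTEGER, tcp_sport INTEGER, tcp_dport INTEGER);
CREATE TABLE data         (sid INTEGER, cid INTEGER, data_payload TEXT);
CREATE TABLE acid_event   (sid INTEGER, cid INTEGER, timestamp TEXT);
CREATE TABLE acid_ag_alert(ag_id INTEGER, ag_sid INTEGER, ag_cid INTEGER);
"""
# Child tables keyed on (sid, cid); acid_ag_alert uses ag_sid/ag_cid instead.
CHILD_TABLES = ["iphdr", "tcphdr", "data", "acid_event"]

def install_cascade(conn):
    """SQLite equivalent of the PostgreSQL rules: one trigger on event."""
    body = "".join(f"DELETE FROM {t} WHERE sid = OLD.sid AND cid = OLD.cid; "
                   for t in CHILD_TABLES)
    body += "DELETE FROM acid_ag_alert WHERE ag_sid = OLD.sid AND ag_cid = OLD.cid; "
    conn.execute(f"CREATE TRIGGER event_deleted AFTER DELETE ON event BEGIN {body} END")

def purge_before(conn, cutoff):
    """The manual clean-up from the post: drop events older than cutoff."""
    return conn.execute("DELETE FROM event WHERE timestamp < ?", (cutoff,)).rowcount

def orphan_rows(conn):
    """Rows in child tables whose (sid, cid) no longer exists in event;
    a useful check after any purge, cascade or not."""
    q = "SELECT count(*) FROM {t} WHERE NOT EXISTS (SELECT 1 FROM event e WHERE e.sid={t}.sid AND e.cid={t}.cid)"
    total = sum(conn.execute(q.format(t=t)).fetchone()[0] for t in CHILD_TABLES)
    total += conn.execute("SELECT count(*) FROM acid_ag_alert a WHERE NOT EXISTS "
                          "(SELECT 1 FROM event e WHERE e.sid=a.ag_sid AND e.cid=a.ag_cid)").fetchone()[0]
    return total

def demo(with_cascade=True):
    """Two constructed alerts from sensor 1 (cid 1 old, cid 2 recent); purge the
    old one. Returns (events left, orphaned child rows)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    if with_cascade:
        install_cascade(conn)
    for cid, ts in ((1, "2012-01-15 10:00:00"), (2, "2012-09-20 10:00:00")):
        conn.execute("INSERT INTO event VALUES (1, ?, ?)", (cid, ts))
        conn.execute("INSERT INTO iphdr VALUES (1, ?, 167772161, 167772162)", (cid,))
        conn.execute("INSERT INTO tcphdr VALUES (1, ?, 44321, 80)", (cid,))
        conn.execute("INSERT INTO data VALUES (1, ?, 'constructed payload')", (cid,))
        conn.execute("INSERT INTO acid_event VALUES (1, ?, ?)", (cid, ts))
        conn.execute("INSERT INTO acid_ag_alert VALUES (7, 1, ?)", (cid,))
    purge_before(conn, "2012-06-01 00:00:00")
    return conn.execute("SELECT count(*) FROM event").fetchone()[0], orphan_rows(conn)
```

Without the trigger the purge leaves the header, payload and BASE rows of the deleted alert behind; with it, orphan_rows() reports zero.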