[Snort-users] [Snort-devel] Snort DB clean up ACID/BASE

Joel Esler jesler at ...1935...
Wed Sep 26 09:25:44 EDT 2012


Just to clear things up, Snort DOES use the DB.  We just don't output directly to the db anymore.  We output to unified2.  Barnyard2 handles the db part.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Sep 26, 2012, at 2:38 AM, Amm Snort <ammdispose-snort at ...131...> wrote:

> Hello all,
> 
> Just wanted to share a clean-up schema which should be added to the
> basic schema. I know snort no longer uses the DB, but I am still sharing
> it here as many people (like me) still come here looking for a solution.
> 
> The idea is that deletion from the other tables should be automatic once
> the sid/cid is deleted from the "event" table.
> 
> This way you don't have to write a big cleanup script. And also you
> can simply run an SQL command manually:
> For example:
> delete from event where timestamp<SOMEDATE;
> 
> The rest will be taken care of by the following rule.
> 
> This is for PostgreSQL; maybe a similar rule can be written for
> other DBs.
> 
> -- this would go in snort schema file create_postgresql
> create rule event_deleted as on delete to event do (
>     delete from iphdr where sid=old.sid and cid=old.cid;
>     delete from tcphdr where sid=old.sid and cid=old.cid;
>     delete from udphdr where sid=old.sid and cid=old.cid;
>     delete from icmphdr where sid=old.sid and cid=old.cid;
>     delete from opt where sid=old.sid and cid=old.cid;
>     delete from data where sid=old.sid and cid=old.cid;
>     );
> 
> -- this would go in base schema file create_base_tbls_pgsql.sql
> create rule acid_event_deleted as on delete to event do (
>     delete from acid_event where sid=old.sid and cid=old.cid;
>     delete from acid_ag_alert where ag_sid=old.sid and ag_cid=old.cid;
>     );
> 
> Hope it helps someone.
> 
> 
> AMM.
> 
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> 
> Please visit http://blog.snort.org for the latest news about Snort!
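The quoted post shows the two rules but not how to confirm they do what is claimed before putting them into a production ACID/BASE database. The script below is an added example, not part of the original post or of the Snort/BASE schema files: it creates constructed, minimal stand-ins for the Snort and BASE tables (only the sid/cid key columns and a timestamp on event, with ag_id on acid_ag_alert), installs the two rules exactly as posted, loads two constructed events, runs the manual clean-up DELETE from the post, and counts what is left in each dependent table. The whole thing runs inside a transaction that is rolled back, so it can be pasted into psql against a scratch PostgreSQL database without leaving anything behind.

```sql
-- Added example (not from the original post): verify that the cascade rules
-- remove dependent rows when an event is deleted.
-- Table definitions below are constructed stand-ins for the Snort/BASE
-- schema; only the columns the rules touch are present.
BEGIN;

CREATE TABLE event         (sid integer, cid integer, signature integer,
                            timestamp timestamp with time zone,
                            PRIMARY KEY (sid, cid));
CREATE TABLE iphdr         (sid integer, cid integer, PRIMARY KEY (sid, cid));
CREATE TABLE tcphdr        (sid integer, cid integer, PRIMARY KEY (sid, cid));
CREATE TABLE udphdr        (sid integer, cid integer, PRIMARY KEY (sid, cid));
CREATE TABLE icmphdr       (sid integer, cid integer, PRIMARY KEY (sid, cid));
CREATE TABLE opt           (sid integer, cid integer, optid integer,
                            PRIMARY KEY (sid, cid, optid));
CREATE TABLE data          (sid integer, cid integer, PRIMARY KEY (sid, cid));
CREATE TABLE acid_event    (sid integer, cid integer, PRIMARY KEY (sid, cid));
CREATE TABLE acid_ag_alert (ag_id integer, ag_sid integer, ag_cid integer,
                            PRIMARY KEY (ag_id, ag_sid, ag_cid));

-- The two rules from the post, unchanged apart from whitespace.
CREATE RULE event_deleted AS ON DELETE TO event DO (
    DELETE FROM iphdr   WHERE sid = old.sid AND cid = old.cid;
    DELETE FROM tcphdr  WHERE sid = old.sid AND cid = old.cid;
    DELETE FROM udphdr  WHERE sid = old.sid AND cid = old.cid;
    DELETE FROM icmphdr WHERE sid = old.sid AND cid = old.cid;
    DELETE FROM opt     WHERE sid = old.sid AND cid = old.cid;
    DELETE FROM data    WHERE sid = old.sid AND cid = old.cid;
);
CREATE RULE acid_event_deleted AS ON DELETE TO event DO (
    DELETE FROM acid_event    WHERE sid = old.sid AND cid = old.cid;
    DELETE FROM acid_ag_alert WHERE ag_sid = old.sid AND ag_cid = old.cid;
);

-- Constructed sample data: sensor 1 logged an old alert (cid 100) and a
-- recent one (cid 101); each has rows in several dependent tables.
INSERT INTO event VALUES
    (1, 100, 2001, '2012-01-01 00:00:00+00'),
    (1, 101, 2001, '2012-09-25 00:00:00+00');
INSERT INTO iphdr         VALUES (1, 100), (1, 101);
INSERT INTO tcphdr        VALUES (1, 100), (1, 101);
INSERT INTO opt           VALUES (1, 100, 0), (1, 100, 1), (1, 101, 0);
INSERT INTO data          VALUES (1, 100), (1, 101);
INSERT INTO acid_event    VALUES (1, 100), (1, 101);
INSERT INTO acid_ag_alert VALUES (1, 1, 100), (1, 1, 101);

-- The manual clean-up command from the post, with a concrete cut-off date.
DELETE FROM event WHERE timestamp < '2012-06-01 00:00:00+00';

-- What survived: every dependent table should now hold only cid 101.
SELECT 'event' AS tbl, count(*) AS remaining, min(cid) AS lowest_cid FROM event
UNION ALL SELECT 'iphdr',         count(*), min(cid)    FROM iphdr
UNION ALL SELECT 'tcphdr',        count(*), min(cid)    FROM tcphdr
UNION ALL SELECT 'opt',           count(*), min(cid)    FROM opt
UNION ALL SELECT 'data',          count(*), min(cid)    FROM data
UNION ALL SELECT 'acid_event',    count(*), min(cid)    FROM acid_event
UNION ALL SELECT 'acid_ag_alert', count(*), min(ag_cid) FROM acid_ag_alert;

-- Leave the scratch database exactly as it was.
ROLLBACK;
```

If the rules are installed correctly, the final SELECT reports one remaining row with cid 101 in each table; a table still showing two rows (or a cid of 100) means the corresponding rule did not fire, which is the check worth running before relying on a one-line `delete from event` for routine maintenance. Two things worth keeping in mind when adapting this: PostgreSQL rules rewrite the original statement, so the dependent deletes run for the same rows the `WHERE` clause on event selects, whatever that clause is; and if the real schema already declares foreign keys from the dependent tables to event, the same effect can be obtained with `ON DELETE CASCADE` on those constraints, which is what the post's "similar rule for other DBs" would look like on databases without a rule system.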
