[Snort-users] How can I remove redundant entries from the database?

Y M snort at ...15979...
Tue Nov 11 15:40:22 EST 2014

> From: Avery.Rozar at ...16118...
> To: snort-users at lists.sourceforge.net
> Date: Mon, 10 Nov 2014 17:37:06 +0000
> Subject: [Snort-users] How can I remove redundant entries from the database?
> I’m using Barnyard2 to send alerts to a PostgreSQL database. As you all know one alert could actually be hundreds, or even thousands of events in the database. Is there a script available that removes redundant alerts from the database based on iphdr.ip_src, iphdr.ip_dst and event.sid, event.signature and leaves the original based on event.cid?

I do not know of any "direct" method. The problem stems (in my opinion) from the fact that referential integrity is not enforced in the database schema, due to performance preference, i.e., referential integrity makes insertions a bit slower while increasing the performance of deletions and vice versa. In this case insertions are more important than deletions.
The last time I tried to do that was a while back, and I ended up with a pretty long SQL query that did not even complete after 24 hours; eventually I gave up on it and used the archive database to have historical data while the "live" database was fully truncated periodically.
> Thanks,
> Avery
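One way to do the deduplication the original question asks for, as an added example that is not part of this thread and not a Barnyard2 or Snort tool: build the set of keepers in one grouped pass (lowest event.cid per event.sid, event.signature, iphdr.ip_src, iphdr.ip_dst), derive the redundant (sid, cid) pairs with an anti-join instead of a correlated subquery, and then delete from each child table before event, since the reply above notes the schema enforces no referential integrity, so nothing cascades. The example runs the SQL against an in-memory SQLite stand-in that models only the event and iphdr tables with the columns the question names; the real Barnyard2 schema has further per-event child tables (tcphdr, udphdr, data and so on, an assumption about the schema here) that need the same DELETE. The sample rows are constructed.

```python
import sqlite3

# Stand-in for the two Barnyard2 tables the question names (assumption:
# only event and iphdr are modelled; the real schema has more per-event
# child tables that need the same anti-join DELETE as iphdr below).
SCHEMA = """
CREATE TABLE event (
    sid INTEGER NOT NULL,        -- sensor id
    cid INTEGER NOT NULL,        -- per-sensor event counter
    signature INTEGER NOT NULL,  -- id of the rule that fired
    PRIMARY KEY (sid, cid)
);
CREATE TABLE iphdr (
    sid INTEGER NOT NULL,
    cid INTEGER NOT NULL,
    ip_src INTEGER NOT NULL,     -- IPv4 address stored as an integer
    ip_dst INTEGER NOT NULL,
    PRIMARY KEY (sid, cid)
);
"""

# Constructed sample: three copies of the same alert from sensor 1 (cid 1-3),
# rows that differ only in dst, signature or sensor (all must survive), and
# one event with no iphdr row at all, which the dedup must leave untouched.
A, B, C = 0x0A000001, 0x0A000002, 0x0A000003
EVENTS = [(1, 1, 5), (1, 2, 5), (1, 3, 5), (1, 4, 5), (1, 5, 6), (2, 1, 5), (1, 6, 7)]
IPHDRS = [(1, 1, A, B), (1, 2, A, B), (1, 3, A, B), (1, 4, A, C), (1, 5, A, B), (2, 1, A, B)]

# Plain SQL; the same statements run unchanged on PostgreSQL.
DEDUP = """
-- 1. one grouped pass over the join: lowest cid per (sensor, sig, src, dst)
CREATE TEMP TABLE keep AS
SELECT e.sid, MIN(e.cid) AS cid
FROM event e JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
GROUP BY e.sid, e.signature, i.ip_src, i.ip_dst;
CREATE INDEX keep_idx ON keep (sid, cid);

-- 2. redundant = IP events whose (sid, cid) is not the keeper of its group
CREATE TEMP TABLE redundant AS
SELECT e.sid, e.cid
FROM event e JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
WHERE NOT EXISTS (SELECT 1 FROM keep k WHERE k.sid = e.sid AND k.cid = e.cid);
CREATE INDEX redundant_idx ON redundant (sid, cid);

-- 3. no foreign keys, so nothing cascades: child tables first, then event
DELETE FROM iphdr
 WHERE EXISTS (SELECT 1 FROM redundant r WHERE r.sid = iphdr.sid AND r.cid = iphdr.cid);
DELETE FROM event
 WHERE EXISTS (SELECT 1 FROM redundant r WHERE r.sid = event.sid AND r.cid = event.cid);
"""


def load_sample(conn):
    """Create the stand-in schema and insert the constructed rows."""
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO event VALUES (?, ?, ?)", EVENTS)
    conn.executemany("INSERT INTO iphdr VALUES (?, ?, ?, ?)", IPHDRS)
    conn.commit()


def count(conn, table):
    return conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]


def dedup(conn):
    """Run the dedup script; return (event rows deleted, iphdr rows deleted)."""
    before = (count(conn, "event"), count(conn, "iphdr"))
    conn.executescript(DEDUP)
    after = (count(conn, "event"), count(conn, "iphdr"))
    return (before[0] - after[0], before[1] - after[1])


def remaining_cids(conn, sid):
    """cids still present for one sensor, in order."""
    rows = conn.execute("SELECT cid FROM event WHERE sid = ? ORDER BY cid", (sid,))
    return [r[0] for r in rows]


def run():
    conn = sqlite3.connect(":memory:")
    load_sample(conn)
    result = {"deleted": dedup(conn),
              "sid1": remaining_cids(conn, 1),
              "sid2": remaining_cids(conn, 2)}
    conn.close()
    return result


if __name__ == "__main__":
    print(run())
```

The grouped pass plus anti-join is what keeps this from turning into the day-long correlated query the reply describes: each table is scanned once and the two temp tables are indexed on (sid, cid). On a live database the DELETE steps are still the expensive part, so running them in cid-bounded batches, or against the archive copy as the reply suggests, is the practical way to apply it.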
