Snort mailing list archives
RE: a user experience w/ Snort, ACID & (Postgre|My) SQL
From: Kevin Brown <Kevin.M.Brown () asu edu>
Date: Thu, 04 Oct 2001 09:43:33 -0700
I created three custom (very dumb) shell scripts that are run by cron. One moves the tables (literally performs a mv on the directory that holds the snort db) and then creates a new empty database with the mysql_create script (v1.04). A second script fires off my custom php page to get the statistics for that week (tcp, udp, icmp, portscan and total alerts <- similar to the graph from the top of ACID). The third and final script takes the archive and tars it up to a different directory for long term storage. All three scripts are totally dumb (no error handling or correction involved).

#!/bin/bash
# Snort Move script. Moves the database from live to archive status, then creates the new tables.
PATH=/bin:/usr/bin
/bin/echo "Starting move of SQL to Archive `/bin/date +%c`" >> /home/hellgate/bin/stats.log
/etc/rc.d/init.d/mysql stop
cd /var/lib/mysql/snort
/bin/mv -f * /var/lib/mysql/snort_archive
/etc/rc.d/init.d/mysql start
sleep 60
/bin/echo "Creating Snort tables `/bin/date +%c`" >> /home/hellgate/bin/stats.log
/usr/bin/mysql -u root -p<password> snort < /home/hellgate/bin/create_mysql
/bin/echo "Finished Snort tables `/bin/date +%c`" >> /home/hellgate/bin/stats.log
/bin/echo "Finished move of SQL to Archive `/bin/date +%c`" >> /home/hellgate/bin/stats.log

#!/bin/bash
# Calls my custom php which borrows code from ACID to create a chart for that week's data
PATH=/usr/bin:/bin
echo "Started Snortstats `/bin/date +%c`" >> /home/hellgate/bin/stats.log
cd /home/httpd/html/php/
/usr/bin/wget -T 0 -O index.html <url of web server and page>
/bin/mv -f index.html index`/bin/date +%m-%d-%y`.html
echo "<A HREF=\"index`/bin/date +%m-%d-%y`.html\">Stats for week of `/bin/date +%m-%d-%Y`</A><BR>" >> snortstats.html
chmod 644 /home/httpd/html/php/*
echo "Finished Snortstats `/bin/date +%c`" >> /home/hellgate/bin/stats.log

#!/bin/bash
# Snort Archive tars up the archive data so that it can be put into "cold storage" unless needed.
PATH=/bin:/usr/bin
/bin/echo "Starting archive of SQL in Snort Archive `/bin/date +%c`" >> /home/hellgate/bin/stats.log
cd /var/lib/mysql/snort_archive
/bin/tar -cf /var/lib/mysql/archives/snort_archive-`date +%V-%Y`.tar /var/lib/mysql/snort_archive/*
/bin/echo "Finished archive of SQL in Snort Archive `/bin/date +%c`" >> /home/hellgate/bin/stats.log
-----Original Message-----
From: Jason Lewis [mailto:jlewis () packetnexus com]
Sent: Wednesday, October 03, 2001 09:59
To: 'Kevin Brown'; 'Snort Users'
Subject: RE: [Snort-users] a user experience w/ Snort, ACID & (Postgre|My) SQL

How are you doing the rotation?

<snip>
We have since switched back to Mysql and I have the database rotated out once a week to prevent it from growing too large. Switching back also fixed the timestamp issues, so I can only assume that the problem is with the db output plugin and postgres.

Jason Lewis
http://www.packetnexus.com
It's not secure "Because they told me it was secure".
The people at the other end of the link know less about security than you do. And that's scary.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
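The same weekly move-aside rotation as Kevin's first script, with the checks his scripts leave out: refuse to run if the live directory is missing or this week's archive already exists, rename the whole directory instead of `mv *` from a `cd` that may have failed, and read the MySQL password from a file instead of putting it on the command line. This is an added example, not code from the post; the paths follow the post, while the credentials file, the `mysql:mysql` owner and the `run` argument are assumptions.

```shell
#!/bin/bash
# Added example: hardened weekly rotation of the snort MySQL data directory.
set -eu

LIVE_DIR="${LIVE_DIR:-/var/lib/mysql/snort}"             # live snort database (from the post)
ARCHIVE_ROOT="${ARCHIVE_ROOT:-/var/lib/mysql/archives}"  # one subdirectory per week
LOG="${LOG:-/home/hellgate/bin/stats.log}"
CREATE_SQL="${CREATE_SQL:-/home/hellgate/bin/create_mysql}"
MYSQL_CNF="${MYSQL_CNF:-/root/.snort-rotate.cnf}"        # assumed: mode 600, [client] user= / password=

log() { printf '%s %s\n' "$(date +%c)" "$*" >> "$LOG"; }

# Name of this week's archive directory, e.g. snort_archive-40-2001
archive_name() { printf 'snort_archive-%s' "$(date +%V-%Y)"; }

# Move the live data directory aside and recreate it empty.
# Returns 1 if the live dir is missing, 2 if this week's archive already
# exists (re-running would otherwise merge into or clobber last week's data).
rotate_snort_db() {
    local live="$1" archive_root="$2" target
    target="$archive_root/$(archive_name)"
    [ -d "$live" ] || { log "live dir $live missing, aborting"; return 1; }
    [ ! -e "$target" ] || { log "$target already exists, refusing"; return 2; }
    mkdir -p "$archive_root"
    mv "$live" "$target"        # rename the directory: nothing is left behind on failure
    mkdir -m 700 "$live"        # empty directory for the fresh tables
    log "moved $live to $target"
}

# Full rotation: stop MySQL so no half-written tables are moved, rotate,
# start it again and recreate the empty schema. Credentials come from a
# defaults file, so the password never shows up in the process list.
rotate_with_mysql() {
    /etc/rc.d/init.d/mysql stop
    rotate_snort_db "$LIVE_DIR" "$ARCHIVE_ROOT" || { /etc/rc.d/init.d/mysql start; return 1; }
    chown mysql:mysql "$LIVE_DIR"   # assumed: MySQL runs as mysql:mysql
    /etc/rc.d/init.d/mysql start
    mysql --defaults-extra-file="$MYSQL_CNF" snort < "$CREATE_SQL"
    log "recreated snort tables"
}

# Only touch the server when explicitly asked; sourcing the file is harmless.
if [ "${1:-}" = "run" ]; then
    rotate_with_mysql
fi
```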
Current thread:
- RE: a user experience w/ Snort, ACID & (Postgre|My) SQL Fraser Hugh (Oct 03)
- <Possible follow-ups>
- RE: a user experience w/ Snort, ACID & (Postgre|My) SQL Kevin Brown (Oct 03)
- RE: a user experience w/ Snort, ACID & (Postgre|My) SQL Jason Lewis (Oct 03)
- Re: a user experience w/ Snort, ACID & (Postgre|My) SQL Matt Watchinski (Oct 03)
- RE: a user experience w/ Snort, ACID & (Postgre|My) SQL Kevin Brown (Oct 04)