Snort mailing list archives

Re: 300,000 alerts in Database from spp_asn1


From: "Ian Macdonald" <secsnort () dirk demon co uk>
Date: Mon, 28 Oct 2002 10:21:57 -0500

I have been seeing a lot of this kind of traffic coming from an HP OpenView
box.

I have attached a file that requires Perl and the MySQL modules for Perl.
You may need to tweak it a little, since it is designed for removing false
positives on normal rules, not spp events.

I have another one that does deletes based on signature name, but it is
written for Perl on Windows and the code is messy.

Ian
----- Original Message -----
From: "Nicholas Bachmann" <nbachmann () mail davison k12 mi us>
To: <snort-users () lists sourceforge net>
Sent: Friday, October 25, 2002 6:10 PM
Subject: [Snort-users] 300,000 alerts in Database from spp_asn1


    Through some weirdness, spp_asn1 on Snort 1.9 has flooded my
PostgreSQL database with over 300,000 alerts (which seem to be
false-positive, or at least not malicious), which has not made the DB
very happy :-).  The actual problem is peripheral to my actual question,
but I'm sure somebody is interested; I will provide details on or off
list.
    My question is this: how does one go about deleting those 300,000
alerts?  Just doing a delete in ACID doesn't cut it; I left it deleting
over a weekend and that didn't work (probably timed out), and while
deleting no alerts are able to be added to the database, and I can't
check it anyway (transaction block?).
    Any ideas?

--
Regards,
Nick

Nicholas Bachmann, SSCP
Tech Department
Davison Community Schools


Attachment: snort-purge-clean.pl
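The attached Perl script is not reproduced in the archive. As an added illustration (not Ian's script and not Snort or ACID project code), the following Python sketch shows the approach the thread is circling around: find the signature id for a noisy alert name, then delete its events in small batches with a commit after each batch, so no single statement runs for a weekend and the sensor can keep inserting between batches. It uses an in-memory SQLite database as a stand-in for PostgreSQL or MySQL, and the table and column names (signature, event, iphdr, data, keyed by sid/cid) are a simplified recollection of the Snort database schema; treat them, the signature names and all sample rows as constructed assumptions to check against your own schema before adapting anything.

```python
import sqlite3

# Constructed, simplified stand-in for a few Snort/ACID event tables.
# Table and column names (signature, event, iphdr, data) follow the Snort
# database schema as I recall it; verify against your own schema first.
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT NOT NULL UNIQUE);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER NOT NULL,
                    timestamp TEXT, PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                    PRIMARY KEY (sid, cid));
CREATE TABLE data (sid INTEGER, cid INTEGER, data_payload TEXT,
                   PRIMARY KEY (sid, cid));
"""

# Tables keyed by (sid, cid) that must be cleaned together with event.
CHILD_TABLES = ("iphdr", "data")

NOISE_SIG = "(spp_asn1) Constructed sample alert"   # hypothetical sig_name
KEEP_SIG = "Constructed sample rule alert"          # hypothetical sig_name


def make_sample_db(n_noise=1000, n_keep=25):
    """Build an in-memory DB with constructed alerts: many 'noise' events
    from one preprocessor-style signature and a few worth keeping."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO signature VALUES (1, ?)", (NOISE_SIG,))
    conn.execute("INSERT INTO signature VALUES (2, ?)", (KEEP_SIG,))
    rows = [(1, cid, 1 if cid <= n_noise else 2, "2002-10-25 18:10:00")
            for cid in range(1, n_noise + n_keep + 1)]
    conn.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", rows)
    conn.executemany("INSERT INTO iphdr VALUES (?, ?, ?, ?)",
                     [(sid, cid, 167772161, 167772162) for sid, cid, _, _ in rows])
    conn.executemany("INSERT INTO data VALUES (?, ?, ?)",
                     [(sid, cid, "00") for sid, cid, _, _ in rows])
    conn.commit()
    return conn


def alert_counts(conn):
    """Per-signature event counts: the dry run to do before any delete."""
    cur = conn.execute(
        "SELECT s.sig_name, COUNT(*) FROM event e JOIN signature s "
        "ON e.signature = s.sig_id GROUP BY s.sig_name")
    return dict(cur.fetchall())


def purge_signature(conn, sig_name, batch=200):
    """Delete every event carrying sig_name, `batch` rows per transaction.

    Committing after each batch keeps every transaction short, so the
    sensor can keep inserting between batches and no single statement
    runs long enough to hit a client or server timeout. Returns the
    number of event rows removed."""
    row = conn.execute("SELECT sig_id FROM signature WHERE sig_name = ?",
                       (sig_name,)).fetchone()
    if row is None:
        return 0
    sig_id, deleted = row[0], 0
    while True:
        keys = conn.execute(
            "SELECT sid, cid FROM event WHERE signature = ? LIMIT ?",
            (sig_id, batch)).fetchall()
        if not keys:
            break
        # Child rows first, then the event row itself, same (sid, cid) keys.
        for table in CHILD_TABLES + ("event",):
            conn.executemany(
                f"DELETE FROM {table} WHERE sid = ? AND cid = ?", keys)
        conn.commit()
        deleted += len(keys)
    return deleted


def orphan_rows(conn):
    """Child rows whose parent event is gone; should be 0 after a purge."""
    total = 0
    for table in CHILD_TABLES:
        total += conn.execute(
            f"SELECT COUNT(*) FROM {table} t WHERE NOT EXISTS "
            f"(SELECT 1 FROM event e WHERE e.sid = t.sid AND e.cid = t.cid)"
        ).fetchone()[0]
    return total


if __name__ == "__main__":
    db = make_sample_db()
    print("before:", alert_counts(db))
    print("deleted:", purge_signature(db, NOISE_SIG))
    print("after:", alert_counts(db), "orphans:", orphan_rows(db))
```

The batch size is the knob to tune against your own server: small enough that a batch commits in well under the client timeout, large enough that the loop finishes in reasonable time. Running `alert_counts` first, and `orphan_rows` afterwards, is the sanity check that the right signature went away and nothing was left half-deleted across the per-event tables.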