Snort mailing list archives

Snort database archive script


From: Paul Schmehl <pauls () utdallas edu>
Date: 19 Mar 2003 16:24:21 -0600

I've written a snort (mysql) database archive script using Perl DBI. 
It's working fine for me on FreeBSD, but if anyone is adventurous and
wants to try it out, email me privately.  (Please don't respond to the
list.)

This script is not written for "general consumption".  IOW, it doesn't
have a conf file and a "user friendly" interface and it doesn't take
command-line arguments, but if you understand the basics of Perl and
databases, you shouldn't have much problem figuring it out.

It's designed to run through cron and archive nightly.  You can pick an
arbitrary date to archive from or an arbitrary number of days prior to
the current date.

The script will grab all the event-specific table data prior to a
certain timestamp, write them to the archive database and then delete
the rows from the "live" database.  It also writes the unique signature
events (primarily any new "static" ones and all the spp_portscan and
spp_portscan2 sigs) and removes any spp_portscan and spp_portscan2 sigs
that are in the time frame configured.  Finally, it checks for new rows
in some of the reference tables (sensor, reference, reference_system,
sig_reference and sig_class) and writes those to the archive database as
well, if it finds any.

If there's enough interest, I'll do the work to make it more generally
available.  I just completed testing today and archived about 105,000
events with it without any problems.

It *should* work with any database because the Perl DBI abstracts the
backend, but caveat emptor.  This is *not* for neophytes.  If you're
knowledgeable and want to do some testing, contact me.  I don't have
time to handhold, but I will answer *knowledgeable* questions.

-- 
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/~pauls/
AVIEN Founding Member
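The copy-then-delete workflow the post describes, as an added example that is not Paul's script: it uses Python with sqlite3 instead of Perl DBI against MySQL, a constructed and simplified schema (the assumed table and column names below are a subset of the real Snort tables), and attaches the archive to the same connection so that the copy and the delete commit in one transaction, meaning an event row is never deleted before its archived copy is durable.

```python
import sqlite3
# Constructed, simplified subset of the Snort schema (an assumption; real tables have more columns).
SCHEMA = ("CREATE TABLE IF NOT EXISTS {db}.event (sid INTEGER, cid INTEGER, "
          "signature INTEGER, timestamp TEXT, PRIMARY KEY (sid, cid));"
          "CREATE TABLE IF NOT EXISTS {db}.sensor (sid INTEGER PRIMARY KEY, hostname TEXT);"
          "CREATE TABLE IF NOT EXISTS {db}.sig_class (sig_class_id INTEGER PRIMARY KEY, "
          "sig_class_name TEXT);")
# Reference tables and their keys: new rows are copied to the archive, never deleted.
REFERENCE_TABLES = {"sensor": "sid", "sig_class": "sig_class_id"}

def open_live_with_archive(live_path, archive_path):
    """Open the live DB and ATTACH the archive so one transaction covers both."""
    db = sqlite3.connect(live_path)
    db.execute("ATTACH DATABASE ? AS archive", (archive_path,))
    db.executescript(SCHEMA.format(db="main") + SCHEMA.format(db="archive"))
    return db

def archive_events(db, cutoff):
    """Move event rows older than cutoff (ISO timestamp) to the archive; returns rows moved.
    Copy and delete share one transaction, so on error nothing is lost from both sides."""
    with db:  # commit on success, roll back on exception
        moved = db.execute("INSERT INTO archive.event SELECT * FROM main.event "
                           "WHERE timestamp < ?", (cutoff,)).rowcount
        deleted = db.execute("DELETE FROM main.event WHERE timestamp < ?",
                             (cutoff,)).rowcount
        if moved != deleted:  # sanity check before the transaction commits
            raise RuntimeError(f"copied {moved} rows but deleted {deleted}")
    return moved

def sync_reference_tables(db):
    """Copy reference rows the archive lacks; returns {table: rows copied}."""
    copied = {}
    with db:
        for table, key in REFERENCE_TABLES.items():  # trusted names, not user input
            copied[table] = db.execute(
                f"INSERT INTO archive.{table} SELECT * FROM main.{table} "
                f"WHERE {key} NOT IN (SELECT {key} FROM archive.{table})").rowcount
    return copied

def demo():
    """Constructed sample: three events, two older than the cutoff."""
    db = open_live_with_archive(":memory:", ":memory:")
    db.executescript("INSERT INTO main.sensor VALUES (1, 'sensor-a');"
                     "INSERT INTO main.sig_class VALUES (1, 'attempted-recon');")
    db.executemany("INSERT INTO main.event VALUES (?, ?, ?, ?)", [
        (1, 1, 100, "2003-03-10 08:00:00"), (1, 2, 100, "2003-03-17 12:00:00"),
        (1, 3, 101, "2003-03-19 09:30:00")])
    moved = archive_events(db, "2003-03-18 00:00:00")
    refs = sync_reference_tables(db)
    left, kept = db.execute("SELECT (SELECT COUNT(*) FROM main.event), "
                            "(SELECT COUNT(*) FROM archive.event)").fetchone()
    return moved, left, kept, refs
```

For a nightly cron run, compute the cutoff from the current date minus the retention window and pass it as the bound parameter; the reference-table sync is safe to rerun because it only copies keys the archive does not already hold.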


