Snort mailing list archives

RE: Slammer Virus ruined my ACID and SNORT


From: Paul Schmehl <pauls () utdallas edu>
Date: 27 Mar 2003 17:19:33 -0600

On Thu, 2003-03-27 at 13:48, Maynard, Jeff S. wrote:
> Sorry, the correct syntax would be : use snort; then delete from
> acid_event where ip_src="xxxxxxxxx";

How does this help?  You can delete *everything* in the four ACID tables
and the next time you refresh ACID all two million events will return.
You have to delete the event records from the appropriate snort tables
to actually get rid of the alerts.

After I implemented my archiving script, I added four lines of code
(actually eight, but the first four were simply to properly format the
queries.)  Each night cron runs the script and all events older than 8
days are copied to an archive database and deleted from the snort
database.  The four lines that I added delete *everything* in the four
acid tables.  As soon as that happens, the next time ACID refreshes, it
will reload *everything* that's in the snort database.

-- 
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/~pauls/
AVIEN Founding Member
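The nightly archive-then-purge flow Paul describes, written out as an added example (this is not his script). It assumes the Snort MySQL schema of the time (event, iphdr, tcphdr, udphdr, icmphdr, data keyed by sid/cid), the four ACID cache tables, and an archive database named snort_archive with the same layout; the 8-day cutoff matches the post.

```sql
-- Assumed names: live database `snort`, archive database `snort_archive`
-- (same table layout). Events are identified by (sid, cid).

-- 1. Copy events older than 8 days into the archive, parent table first.
INSERT INTO snort_archive.event
  SELECT * FROM snort.event
  WHERE timestamp < DATE_SUB(NOW(), INTERVAL 8 DAY);

-- Child tables: select rows whose (sid, cid) belongs to an event past the cutoff.
INSERT INTO snort_archive.iphdr
  SELECT i.* FROM snort.iphdr i JOIN snort.event e
    ON e.sid = i.sid AND e.cid = i.cid
  WHERE e.timestamp < DATE_SUB(NOW(), INTERVAL 8 DAY);
INSERT INTO snort_archive.tcphdr
  SELECT t.* FROM snort.tcphdr t JOIN snort.event e
    ON e.sid = t.sid AND e.cid = t.cid
  WHERE e.timestamp < DATE_SUB(NOW(), INTERVAL 8 DAY);
INSERT INTO snort_archive.udphdr
  SELECT u.* FROM snort.udphdr u JOIN snort.event e
    ON e.sid = u.sid AND e.cid = u.cid
  WHERE e.timestamp < DATE_SUB(NOW(), INTERVAL 8 DAY);
INSERT INTO snort_archive.icmphdr
  SELECT c.* FROM snort.icmphdr c JOIN snort.event e
    ON e.sid = c.sid AND e.cid = c.cid
  WHERE e.timestamp < DATE_SUB(NOW(), INTERVAL 8 DAY);
INSERT INTO snort_archive.data
  SELECT d.* FROM snort.data d JOIN snort.event e
    ON e.sid = d.sid AND e.cid = d.cid
  WHERE e.timestamp < DATE_SUB(NOW(), INTERVAL 8 DAY);

-- 2. Remove the copied rows from the live snort tables, children before parent
--    (multi-table DELETE, MySQL 4.0+).
DELETE i FROM snort.iphdr i JOIN snort.event e ON e.sid = i.sid AND e.cid = i.cid
  WHERE e.timestamp < DATE_SUB(NOW(), INTERVAL 8 DAY);
DELETE t FROM snort.tcphdr t JOIN snort.event e ON e.sid = t.sid AND e.cid = t.cid
  WHERE e.timestamp < DATE_SUB(NOW(), INTERVAL 8 DAY);
DELETE u FROM snort.udphdr u JOIN snort.event e ON e.sid = u.sid AND e.cid = u.cid
  WHERE e.timestamp < DATE_SUB(NOW(), INTERVAL 8 DAY);
DELETE c FROM snort.icmphdr c JOIN snort.event e ON e.sid = c.sid AND e.cid = c.cid
  WHERE e.timestamp < DATE_SUB(NOW(), INTERVAL 8 DAY);
DELETE d FROM snort.data d JOIN snort.event e ON e.sid = d.sid AND e.cid = d.cid
  WHERE e.timestamp < DATE_SUB(NOW(), INTERVAL 8 DAY);
DELETE FROM snort.event WHERE timestamp < DATE_SUB(NOW(), INTERVAL 8 DAY);

-- 3. Clear the four ACID cache tables; ACID rebuilds them from the (now
--    smaller) snort tables on its next refresh.
DELETE FROM snort.acid_ag_alert;
DELETE FROM snort.acid_ag;
DELETE FROM snort.acid_event;
DELETE FROM snort.acid_ip_cache;
```

Run the whole file inside one transaction (or with the sensor stopped) so a half-finished night cannot leave child rows without their event; note that clearing acid_ag also drops any alert groups defined in the ACID console.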


