Snort mailing list archives
Re: SQL to purge alerts over 1 month old?
From: "Bachelor, Stephen A CTR USSOCOM HQ" <Stephen.Bachelor.ctr () socom mil>
Date: Mon, 4 Feb 2008 10:31:16 -0500
This is a project I've been attempting myself, with limited success. Best I came up with is a shellscript as follows--but be warned, this seems to leave some stuff behind:

#!/bin/bash
# Note: the password on the command line is visible in the process list on a
# shared host; a ~/.my.cnf with restricted permissions avoids that.
mysql -u snort -psnort snort <<EOFMYSQL
DELETE data FROM acid_event,data WHERE acid_event.timestamp <= current_timestamp() - INTERVAL 3 DAY && acid_event.cid = data.cid;
DELETE event FROM acid_event,event WHERE acid_event.timestamp <= current_timestamp() - INTERVAL 3 DAY && acid_event.cid = event.cid;
DELETE icmphdr FROM acid_event,icmphdr WHERE acid_event.timestamp <= current_timestamp() - INTERVAL 3 DAY && acid_event.cid = icmphdr.cid;
DELETE iphdr FROM acid_event,iphdr WHERE acid_event.timestamp <= current_timestamp() - INTERVAL 3 DAY && acid_event.cid = iphdr.cid;
DELETE opt FROM acid_event,opt WHERE acid_event.timestamp <= current_timestamp() - INTERVAL 3 DAY && acid_event.cid = opt.cid;
DELETE tcphdr FROM acid_event,tcphdr WHERE acid_event.timestamp <= current_timestamp() - INTERVAL 3 DAY && acid_event.cid = tcphdr.cid;
DELETE udphdr FROM acid_event,udphdr WHERE acid_event.timestamp <= current_timestamp() - INTERVAL 3 DAY && acid_event.cid = udphdr.cid;
DELETE acid_event FROM acid_event WHERE acid_event.timestamp <= current_timestamp() - INTERVAL 3 DAY;
OPTIMIZE TABLE acid_event,data,event,icmphdr,iphdr,opt,tcphdr,udphdr;
EOFMYSQL

-----Original Message-----
From: snort-users-bounces () lists sourceforge net [mailto:snort-users-bounces () lists sourceforge net] On Behalf Of Michael W Cocke
Sent: Monday, February 04, 2008 9:14 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] SQL to purge alerts over 1 month old?

The subject line pretty much says it - I'm medium fair at SQL, but I'm not seeing this; Anyone know the syntax to flush alerts older than one month from the alerts DB (MySQL if it matters)?

Thanks!

Mike-
--
If you're not confused, you're not trying hard enough.
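An added example, not the script from the reply above or anything shipped with Snort or ACID: a purge for the one-month retention the original question asks for. It assumes the stock Snort MySQL schema, in which event, iphdr, tcphdr, udphdr, icmphdr, opt and data are all keyed on the pair (sid, cid) and acid_event is the ACID/BASE cache table mirroring event; it drives the cutoff from event.timestamp, which Snort writes directly, and matches child rows on both sid and cid so that a second sensor's rows sharing a cid value are not swept up.

```sql
-- Constructed example; assumes the standard Snort schema described above.
-- Fix the cutoff once so every statement below uses the same instant.
SET @cutoff = NOW() - INTERVAL 1 MONTH;

START TRANSACTION;   -- effective on InnoDB tables; MyISAM runs it autocommit

-- Child tables first: payload, IP options, transport and IP headers.
DELETE d FROM data d
  JOIN event e ON e.sid = d.sid AND e.cid = d.cid
 WHERE e.timestamp < @cutoff;

DELETE o FROM opt o
  JOIN event e ON e.sid = o.sid AND e.cid = o.cid
 WHERE e.timestamp < @cutoff;

DELETE t FROM tcphdr t
  JOIN event e ON e.sid = t.sid AND e.cid = t.cid
 WHERE e.timestamp < @cutoff;

DELETE u FROM udphdr u
  JOIN event e ON e.sid = u.sid AND e.cid = u.cid
 WHERE e.timestamp < @cutoff;

DELETE i FROM icmphdr i
  JOIN event e ON e.sid = i.sid AND e.cid = i.cid
 WHERE e.timestamp < @cutoff;

DELETE ip FROM iphdr ip
  JOIN event e ON e.sid = ip.sid AND e.cid = ip.cid
 WHERE e.timestamp < @cutoff;

-- The ACID cache row, then the parent event row itself.
DELETE a FROM acid_event a
  JOIN event e ON e.sid = a.sid AND e.cid = a.cid
 WHERE e.timestamp < @cutoff;

DELETE FROM event WHERE timestamp < @cutoff;

COMMIT;

-- Sanity check: any child row left without a parent event is the
-- "stuff left behind" that a cid-only purge can produce.
SELECT COUNT(*) AS orphaned_iphdr_rows
  FROM iphdr ip
  LEFT JOIN event e ON e.sid = ip.sid AND e.cid = ip.cid
 WHERE e.cid IS NULL;

OPTIMIZE TABLE event, iphdr, tcphdr, udphdr, icmphdr, opt, data, acid_event;
```

Run it from cron through a mysql account whose credentials live in a mode-600 ~/.my.cnf rather than on the command line, and repeat the orphan check for the other child tables if the count is not zero.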
Current thread:
- SQL to purge alerts over 1 month old? Michael W Cocke (Feb 04)
- Re: SQL to purge alerts over 1 month old? Bachelor, Stephen A CTR USSOCOM HQ (Feb 04)
- Re: SQL to purge alerts over 1 month old? Paul Schmehl (Feb 04)
- Re: SQL to purge alerts over 1 month old? Michael W Cocke (Feb 04)
- Re: SQL to purge alerts over 1 month old? Zakai Kinan (Feb 19)
- Re: SQL to purge alerts over 1 month old? Paul Schmehl (Feb 19)
- Re: SQL to purge alerts over 1 month old? Terry Burton (Feb 26)