Snort mailing list archives

Re: Snorting ACID and DB maintenance

From: Robby <rdesmond () els ucsb edu>
Date: Fri, 23 Aug 2002 16:08:13 -0700

At 09:21 AM 8/23/02 -0600, you wrote:

Hey Now,
I have ACID installed and lo and behold, less than a day and 1000 events
in both 'event' and 'acid_event' tables.

Plain vanilla IDS installs are not to be used. I'm new at this too so Ifreaked, then realized that an untuned ruleset is my own worst enemy. Readsome papers. Take some advice. Tune your rules. Then consider aproduction use.

By my modest predictions, this will be a !#@$&! of data toot sweet.


Yes. Yes it will.

Other than going into ACID and manually selecting false positives and
deleting them, are there other thoughts on how to keep from choking on
the DB size?

1- Don't underestimate the power of deleting false positives while you'restill tuning the rules.


2- Make sure the disk-slice/partition you are mounting /var/db on is large.

Not sure if this an ACID question or a MYSQL question. Probably more
MYSQL, although I know even less about MYSQL than I do about ACID after
a whole day of experimentation.

Such as,

1) can I limit the size of the MYSQL database?


Don't know myself. Probably.

2) Can I do something as bone simple as 'delete from (event, acid_event)
where timestamp < "some timestamp";'?

Yes. Yes you can. That is a valid SQL query, but you may want to check outthe database schema documentation on snort.org before you go deletingrecords to make sure you are getting what you want.

Any ideas or good general practices out there?

I discovered early on that in my FBSD 4.4 installation, I couldn't rely onthe default slice values. They assume that /usr is going to be large(since it would on a system where you might install a lot of programs). Ihad to do some calculations and experimentation on the minimum /usr size Icould get away with for installing only snort and mysql, while leaving therest of the drive for /var. I've managed to handle quite a number ofalerts on a 3-gig drive.

-Robby


Robert Desmond
Systems Administrator
UCSB Extended Learning Services
805-893-4906



-------------------------------------------------------
This sf.net email is sponsored by: OSDN - Tired of that same old
cell phone?  Get a new here for FREE!
https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Snorting ACID and DB maintenance Randy Bey (Aug 23)
- Re: Snorting ACID and DB maintenance Jim Burwell (Aug 23)
- Re: Snorting ACID and DB maintenance Robby (Aug 26)
- Re: Snorting ACID and DB maintenance Ian Macdonald (Aug 27)