Re: Delete Alerts on Acid

["Gabriel L. Somlo" <somlo () acns colostate edu>]

Pedro,

In acid_conf.php, there's a setting: $max_script_runtime = 180

This means that, after having worked on your delete operation for 180
seconds, acid simply quits. If the required delete takes longer than
180 seconds, you'll have to do what you already are doing, i.e.,
request the delete several times over, until it's finished.

I can think of two options:

1. Increase the value of $max_script_runtime

2. Use an external script to do the delete. I've attached two scripts
to this email: the first one deletes alerts older than a specified
age. I run this from cron every 8 hours to throw away alerts older
than 4 days. This helps keep the size of the database under control.

The second script allows you to specify the name of a signature, and
then deletes all alerts of that type from the database. I run this
manually to get rid of something after it turns out to be a false
positive and I write a Snort pass-rule for it, and I don't want the
false-positive alerts to be in the way.

Hope this helps.

Cheers,

Gabriel

--
-----------------------------------------------------------------------
Gabriel L. Somlo               Academic Computing & Networking Services
Colorado State University      Tel: (970)297-3707   Cell: (970)567-1017
601 Howes St., Room 612A       Fax: (970)491-1958 
Fort Collins, CO 80523-2028            e-mail: somlo () acns colostate edu
-----------------------------------------------------------------------

> From: "Pedro Tedeschi" <pedro.tedeschi () varig com>
>
>
> Hi,
>
> I=B4m having some troubles when I need to delete more than 200.000 alert =
> from my database using Acid.
> It seens that is a time out problem, but Im not absolutely sure about =
> that.
>
> For now, I cant tune my snort to get less alerts than this... that=B4s =
> about the virus.rules Im using and I have to keep using that for the =
> moment.
>
> So, when I try to clean those alerts using Acid, I can clean about =
> 20.000 alerts, then it times out and I have to start it again, and again =
> untill I reach 200.000.
>
> It takes a day long until the job is finished. Does someone had a =
> similar problem ?? Any ideas what I could do ?
>
> I was wondering if there=B4s any file at Acid(maybe) that I could edit =
> to fix the timeout...
>
> Any ideas will be aprecciate.
>
>
>
> Thanks in advance
>
>
> Cheers,
>
> Pedro Tedeschi

Attachment: purge_database.sh
Description:

Attachment: signature_purge.sh
Description: