Snort mailing list archives

RE: Slammer Virus ruined my ACID and SNORT


From: Jim Clews <jclews () climax co uk>
Date: Fri, 28 Mar 2003 10:10:35 -0000

My feelings would be to give up with what you've got - dump the snort/acid
SQL database, clear your snort logs, re-create the tables by running the SQL
queries for snort and then start up acid again.

I recommend doing this regularly, especially if you are tuning your rule
sets and end up with huge amounts of alerts/false positives - once the db
gets big, acid's response time gets longer and longer.

This is my first post to the list, although I have been using snort/acid for
a couple of years now, so please feel free to correct me if there are any
errors above.

-----Original Message-----
From: Semerjian, Ohanes [mailto:Semerjian.Ohanes () wcom com au]
Sent: 27 March 2003 23:42
To: 'Andrade, Leonardo F. Buonsanti de (IT - Brasil)';
snort-users () lists sourceforge net
Subject: RE: [Snort-users] Slammer Virus ruined my ACID and SNORT


You could use a MySQL query to do so, but it is not that easy. Once you delete
the alerts you'll still find ACID showing the large number of alerts (although
the actual records have been deleted from the MySQL database), and that is
because ACID displays the alerts from its own tables and not directly from the
MySQL database, so you have to delete the ACID tables also.
 

Best Regards 

Ohanes Semerjian 
Security Engineer, AsiaPac 
-----Original Message-----
From: Andrade, Leonardo F. Buonsanti de (IT - Brasil)
[mailto:leoandrade () deloitte com br]
Sent: Friday, 28 March 2003 6:04 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Slammer Virus ruined my ACID and SNORT



Hi all,

 

This week one of the computers here got that Slammer virus (the one that
attacks SQL servers)... which made my ACID and SNORT go totally nuts and
generate more than 300000 alerts... now when I try to load my ACID site, it
takes minutes!!! and I just can't delete all of the alerts at once...

Does anyone have a good idea of how I can delete all these alerts?

 

Thanks in advance,

 

Leonardo
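The two approaches discussed in this thread (Ohanes: delete the alerts from the Snort tables and from ACID's own tables; Jim: just empty everything and start fresh), written out as MySQL statements. This is an added example, not code from any of the posters or from the Snort/ACID projects. It assumes the table and column names of the create_mysql schema shipped with Snort 2.0 and of ACID's create_acid_tbls_mysql.sql (event, iphdr, tcphdr, udphdr, icmphdr, opt, data, signature, sensor, acid_event, acid_ag, acid_ag_alert, acid_ip_cache), a database called snort, and MySQL 4.0 or later for the multi-table DELETE syntax; the '%MS-SQL Worm%' pattern is a placeholder for whatever signature name ACID shows for the Slammer alerts. Stop Snort's database output plugin and ACID before running it, and check the names with SHOW TABLES first.

```sql
-- Added example: clearing a Snort/ACID alert backlog in MySQL.
-- Table/column names are assumed from Snort's create_mysql schema and
-- ACID's create_acid_tbls_mysql.sql; verify with SHOW TABLES / DESCRIBE.
USE snort;

-- -------------------------------------------------------------------
-- Option A: selective delete - remove only the worm alerts, keep the rest.
-- -------------------------------------------------------------------
-- Look up the noisy rule. The LIKE pattern is a placeholder; use the
-- signature name ACID displays for the Slammer alerts.
SELECT sig_id, sig_name FROM signature WHERE sig_name LIKE '%MS-SQL Worm%';

-- Collect the (sid, cid) pairs of the matching events once, so every
-- dependent table is deleted against the same list.
CREATE TEMPORARY TABLE doomed (
  sid INT UNSIGNED NOT NULL,
  cid INT UNSIGNED NOT NULL,
  PRIMARY KEY (sid, cid)
);
INSERT INTO doomed (sid, cid)
  SELECT e.sid, e.cid
  FROM event e JOIN signature s ON e.signature = s.sig_id
  WHERE s.sig_name LIKE '%MS-SQL Worm%';

SELECT COUNT(*) AS alerts_to_delete FROM doomed;

-- ACID's own tables first: this is the point made in the thread, ACID
-- counts and lists alerts from acid_event, not from event.
DELETE acid_ag_alert FROM acid_ag_alert
  JOIN doomed d ON acid_ag_alert.ag_sid = d.sid AND acid_ag_alert.ag_cid = d.cid;
DELETE acid_event FROM acid_event
  JOIN doomed d ON acid_event.sid = d.sid AND acid_event.cid = d.cid;

-- Then the Snort detail tables that hang off event.
DELETE data    FROM data    JOIN doomed d ON data.sid = d.sid    AND data.cid = d.cid;
DELETE opt     FROM opt     JOIN doomed d ON opt.sid = d.sid     AND opt.cid = d.cid;
DELETE udphdr  FROM udphdr  JOIN doomed d ON udphdr.sid = d.sid  AND udphdr.cid = d.cid;
DELETE tcphdr  FROM tcphdr  JOIN doomed d ON tcphdr.sid = d.sid  AND tcphdr.cid = d.cid;
DELETE icmphdr FROM icmphdr JOIN doomed d ON icmphdr.sid = d.sid AND icmphdr.cid = d.cid;
DELETE iphdr   FROM iphdr   JOIN doomed d ON iphdr.sid = d.sid   AND iphdr.cid = d.cid;

-- Finally the events themselves.
DELETE event FROM event JOIN doomed d ON event.sid = d.sid AND event.cid = d.cid;
DROP TEMPORARY TABLE doomed;

-- -------------------------------------------------------------------
-- Option B: full reset, as Jim suggests - empty every alert table.
-- sensor is kept so Snort keeps its sid and continues numbering from
-- last_cid; the signature/reference lookup tables are kept as well.
-- -------------------------------------------------------------------
TRUNCATE TABLE acid_ag_alert;
TRUNCATE TABLE acid_ag;
TRUNCATE TABLE acid_ip_cache;
TRUNCATE TABLE acid_event;
TRUNCATE TABLE data;
TRUNCATE TABLE opt;
TRUNCATE TABLE icmphdr;
TRUNCATE TABLE udphdr;
TRUNCATE TABLE tcphdr;
TRUNCATE TABLE iphdr;
TRUNCATE TABLE event;

-- Sanity check: both counts should now be zero, and ACID's front page
-- should load quickly again once it is restarted.
SELECT COUNT(*) AS events      FROM event;
SELECT COUNT(*) AS acid_events FROM acid_event;
```

Option A is the one to reach for when the rest of the alert history still matters (for example when the worm traffic hid other hits you want to review); Option B is the periodic housekeeping Jim describes, and it is worth running ANALYZE TABLE or OPTIMIZE TABLE on the emptied tables afterwards so MySQL reclaims the space.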
