Re: ACID
From: "Ahmad Masood Shah" <jahil () 66-uetclub com>
Date: Wed, 13 Aug 2003 17:51:16 +0500
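ACIDUse perl script shown below... as Script Name Starting Date Ending Date
#acidmysqlclean.pl "2003-04-01 8:00:00" "2003-04-01 9:00:00"

#!/usr/bin/perl
#----------------------------------------
# name: acidmysqlclean.pl
#
# description: script to cleanup snort/acid db (only tested w/mysql)
#
# goal: allows you to schedule db cleanup without using php frontend
#
# usage: acidmysqlclean.pl "2003-04-01 8:00:00" "2003-04-01 9:00:00"
#
#        Deletes every event whose acid_event.timestamp lies inside the
#        inclusive window [start, finish], together with its rows in the
#        per-event detail tables (event, iphdr, tcphdr, udphdr, icmphdr,
#        opt, data, acid_ag_alert, acid_event).
#
# updated by : Masood Ahmad Shah, mas () fibre net pk
#----------------------------------------
use strict;
use warnings;
use DBI;

# Connection settings. The credentials are embedded in the script, so
# anyone who can read this file can read the database password: keep the
# file's permissions tight, or move the credentials out of the script
# before scheduling it from cron.
my $ds      = "dbi:mysql:snort";
my $db_user = "snort";
my $db_pass = "snort";

# Both window boundaries are required; refuse to run otherwise rather than
# issuing a query with an undefined bound.
die "usage: $0 \"YYYY-MM-DD HH:MM:SS\" \"YYYY-MM-DD HH:MM:SS\"\n"
    unless @ARGV == 2;

my %timeframe = (start => $ARGV[0], finish => $ARGV[1]);
chomp $timeframe{start};
chomp $timeframe{finish};

# RaiseError turns a failed prepare/execute into a die instead of a
# silently ignored return value, so a partial cleanup cannot go unnoticed.
my $db = DBI->connect($ds, $db_user, $db_pass,
    { RaiseError => 1, PrintError => 0 })
    or die $DBI::errstr;

# The window boundaries come straight from the command line, so they are
# passed as bind values (placeholders) and never interpolated into the SQL
# text.
my $time_select = $db->prepare(
      "select acid_event.sid, acid_event.cid from acid_event"
    . " where timestamp >= ? and timestamp <= ?"
);

# Each per-event delete is prepared once, outside the loop, and executed
# with the (sid, cid) pair of every matching row. acid_ag_alert names its
# key columns ag_sid/ag_cid; every other table uses sid/cid. acid_event
# is deleted last so a row is only gone once its detail rows are gone.
my @delete_sql = (
    "delete from event         where sid = ? and cid = ?",
    "delete from iphdr         where sid = ? and cid = ?",
    "delete from tcphdr        where sid = ? and cid = ?",
    "delete from udphdr        where sid = ? and cid = ?",
    "delete from icmphdr       where sid = ? and cid = ?",
    "delete from opt           where sid = ? and cid = ?",
    "delete from data          where sid = ? and cid = ?",
    "delete from acid_ag_alert where ag_sid = ? and ag_cid = ?",
    "delete from acid_event    where sid = ? and cid = ?",
);
my @delete_sth = map { $db->prepare($_) } @delete_sql;

$time_select->execute($timeframe{start}, $timeframe{finish});

my ($sid, $cid);
$time_select->bind_columns(\$sid, \$cid);

# NOTE: the deletes for one event are not wrapped in a transaction (the
# stock snort tables may not support one), so a failure part-way through
# leaves that event's remaining rows behind. Re-running the script with
# the same window is safe: it simply finds whatever is still there.
my $purged = 0;
while ($time_select->fetch) {
    $_->execute($sid, $cid) for @delete_sth;
    $purged++;
}

$time_select->finish;
$db->disconnect;

print "purged $purged event(s) between $timeframe{start} and $timeframe{finish}\n";

--
Best Regs,
Masood Ahmad Shah
System Administrator
^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^
| * * * * * * * * * * * * * * * * * * * * * * * *
| Fibre Net (Pvt) Ltd. Lahore, Pakistan
| Tel: +92-42-6677024
| Mobile: +92-300-4277367
| http://www.fibre.net.pk
| * * * * * * * * * * * * * * * * * * * * * * * *
^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^
Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)

----- Original Message -----
From: Semerjian, Ohanes
To: 'snort-users () lists sourceforge net'
Sent: Wednesday, August 13, 2003 6:07 AM
Subject: [Snort-users] ACID

Dear list members, I run ACID to display alerts out of the mysql (platform used is sol 8 ). The problem I had is that the record in the database got too much that ACID sit forever and can't display the records. Is any one had a script that could purge the record from the database say between certain dates. I don't want to dump the database and loose all records.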
Best Regards Ohanes Semerjian PGP kEY 75DF 2980 5663 2DC1 12CD E43E 94D6 7A9A 222D 3449 ------------------------------------------------------- This SF.Net email sponsored by: Free pre-built ASP.NET sites including Data Reports, E-commerce, Portals, and Forums are available now. Download today and enter to win an XBOX or Visual Studio .NET. http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users