Snort mailing list archives

Re: ACID


From: "Ahmad Masood Shah" <jahil () 66-uetclub com>
Date: Wed, 13 Aug 2003 17:51:16 +0500

Use the perl script shown below, as:

   Script Name        Starting Date             Ending Date
#acidmysqlclean.pl "2003-04-01 8:00:00" "2003-04-01 9:00:00"


#!/usr/bin/perl -w
#----------------------------------------
# name: acidmysqlclean.pl
#
# description: script to cleanup snort/acid db (only tested w/mysql)
#
# goal: allows you to schedule db cleanup without using php frontend
#
# usage: acidmysqlclean.pl "2003-04-01 8:00:00" "2003-04-01 9:00:00"
#
# updated by : Masood Ahmad Shah, mas () fibre net pk
#----------------------------------------

use strict;
use DBI;

my $ds = "dbi:mysql:snort";
my $db_user = "snort";
my $db_pass = "snort";
my $db = DBI->connect($ds, $db_user, $db_pass) or die $DBI::errstr;

my ($cid, $sid, $time_select, $exec_time_select);
my ($event, $iphdr, $tcphdr, $udphdr, $icmphdr, $opt, $data, $acid_ag_alert, $acid_event);
my ($exec_event, $exec_iphdr, $exec_tcphdr, $exec_udphdr, $exec_icmphdr, $exec_opt,
    $exec_data, $exec_acid_ag_alert, $exec_acid_event);
my %timeframe;

# both dates are required; print the usage line and stop otherwise
die "usage: $0 \"YYYY-MM-DD HH:MM:SS\" \"YYYY-MM-DD HH:MM:SS\"\n" unless @ARGV == 2;
$timeframe{start} = $ARGV[0];
$timeframe{finish} = $ARGV[1];
chomp $timeframe{start};
chomp $timeframe{finish};

# the timeframe is passed as bind values (?) instead of being interpolated into
# the SQL text, so a quote character in an argument cannot change the statement
$time_select = "select acid_event.sid,acid_event.cid from acid_event where "
             . "timestamp >= ? and timestamp <= ?";
$exec_time_select = $db->prepare($time_select);

$exec_time_select->execute($timeframe{start}, $timeframe{finish});
$exec_time_select->bind_columns(undef, \$sid, \$cid);

# every alert table is keyed by (sid,cid); acid_ag_alert uses ag_sid/ag_cid.
# each delete is prepared once and executed per (sid,cid) pair in the loop.
$event         = "delete from event where sid=? and cid=?";
$iphdr         = "delete from iphdr where sid=? and cid=?";
$tcphdr        = "delete from tcphdr where sid=? and cid=?";
$udphdr        = "delete from udphdr where sid=? and cid=?";
$icmphdr       = "delete from icmphdr where sid=? and cid=?";
$opt           = "delete from opt where sid=? and cid=?";
$data          = "delete from data where sid=? and cid=?";
$acid_ag_alert = "delete from acid_ag_alert where ag_sid=? and ag_cid=?";
$acid_event    = "delete from acid_event where sid=? and cid=?";

$exec_event         = $db->prepare($event);
$exec_iphdr         = $db->prepare($iphdr);
$exec_tcphdr        = $db->prepare($tcphdr);
$exec_udphdr        = $db->prepare($udphdr);
$exec_icmphdr       = $db->prepare($icmphdr);
$exec_opt           = $db->prepare($opt);
$exec_data          = $db->prepare($data);
$exec_acid_ag_alert = $db->prepare($acid_ag_alert);
$exec_acid_event    = $db->prepare($acid_event);

while ($exec_time_select->fetch) {
 # remove the packet detail rows first, the acid_event row last, so a
 # partially processed alert still shows up in the next run's select
 $exec_event->execute($sid, $cid);
 $exec_iphdr->execute($sid, $cid);
 $exec_tcphdr->execute($sid, $cid);
 $exec_udphdr->execute($sid, $cid);
 $exec_icmphdr->execute($sid, $cid);
 $exec_opt->execute($sid, $cid);
 $exec_data->execute($sid, $cid);
 $exec_acid_ag_alert->execute($sid, $cid);
 $exec_acid_event->execute($sid, $cid);
}

$exec_event->finish();
$exec_iphdr->finish();
$exec_tcphdr->finish();
$exec_udphdr->finish();
$exec_icmphdr->finish();
$exec_opt->finish();
$exec_data->finish();
$exec_acid_ag_alert->finish();
$exec_acid_event->finish();

$exec_time_select->finish;
$db->disconnect;




-- 

Best Regs,
Masood Ahmad Shah
System Administrator

^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^
|   * * * * * * * * * * * * * * * * * * * * * * * *
|   Fibre Net (Pvt) Ltd. Lahore, Pakistan
|   Tel: +92-42-6677024
|   Mobile: +92-300-4277367
|   http://www.fibre.net.pk
|   * * * * * * * * * * * * * * * * * * * * * * * *
^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
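The purge procedure in the script above (select the (sid, cid) pairs whose acid_event.timestamp falls in the window, then delete the matching rows from every alert table) is worked through below as an added example; it is not part of the posted script or of ACID. It assumes an in-memory sqlite3 stand-in for the MySQL schema, reduced to the key columns, with constructed sample rows, and it adds two things a practitioner wants before running a purge on a live alert store: a dry-run count of what would be removed, and a transaction so that a failure halfway through leaves the tables consistent. Because sqlite compares the timestamps as strings, the sample uses zero-padded times (08:00:00); MySQL also accepts the unpadded form shown in the usage line.

```python
import sqlite3

# Alert tables keyed by (sid, cid) in the snort/acid schema; acid_ag_alert is
# keyed by (ag_sid, ag_cid). Table names come from this fixed list only, never
# from user input, which is why they may be spliced into the SQL text.
EVENT_TABLES = ["event", "iphdr", "tcphdr", "udphdr", "icmphdr", "opt", "data"]
ALL_TABLES = EVENT_TABLES + ["acid_ag_alert", "acid_event"]


def build_sample_db():
    """Constructed sample data: a cut-down copy of the ACID schema in memory."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    for t in EVENT_TABLES:
        cur.execute(f"create table {t} (sid integer, cid integer, primary key (sid, cid))")
    cur.execute("create table acid_ag_alert (ag_id integer, ag_sid integer, ag_cid integer)")
    cur.execute("create table acid_event (sid integer, cid integer, timestamp text, "
                "primary key (sid, cid))")
    # Five constructed alerts straddling the 08:00:00-09:00:00 window.
    rows = [
        (1, 1, "2003-04-01 07:59:59"),  # just before the window
        (1, 2, "2003-04-01 08:00:00"),  # inclusive lower bound
        (1, 3, "2003-04-01 08:30:00"),
        (2, 1, "2003-04-01 09:00:00"),  # inclusive upper bound
        (2, 2, "2003-04-01 09:00:01"),  # just after the window
    ]
    for sid, cid, ts in rows:
        cur.execute("insert into acid_event values (?, ?, ?)", (sid, cid, ts))
        for t in EVENT_TABLES:
            cur.execute(f"insert into {t} values (?, ?)", (sid, cid))
        cur.execute("insert into acid_ag_alert values (?, ?, ?)", (1, sid, cid))
    conn.commit()
    return conn


def select_window(conn, start, finish):
    """Return the (sid, cid) pairs whose timestamp lies in [start, finish].

    start/finish are bound parameters, so a quote in either cannot alter the query."""
    sql = "select sid, cid from acid_event where timestamp >= ? and timestamp <= ?"
    return conn.execute(sql, (start, finish)).fetchall()


def purge_window(conn, start, finish, dry_run=False):
    """Delete every alert in the window from all tables; return the number of alerts.

    With dry_run=True nothing is deleted, only the count is reported, so the
    window can be checked before an irreversible purge of the alert store."""
    keys = select_window(conn, start, finish)
    if dry_run:
        return len(keys)
    try:
        for sid, cid in keys:
            # Detail tables first, acid_event last: an alert that survives a
            # failure still shows up in the next run's select.
            for t in EVENT_TABLES:
                conn.execute(f"delete from {t} where sid = ? and cid = ?", (sid, cid))
            conn.execute("delete from acid_ag_alert where ag_sid = ? and ag_cid = ?", (sid, cid))
            conn.execute("delete from acid_event where sid = ? and cid = ?", (sid, cid))
        conn.commit()  # all-or-nothing: the deletes above sit in one transaction
    except sqlite3.Error:
        conn.rollback()
        raise
    return len(keys)


def table_counts(conn):
    """Row count per table, used to confirm the purge left no orphans behind."""
    return {t: conn.execute(f"select count(*) from {t}").fetchone()[0] for t in ALL_TABLES}


if __name__ == "__main__":
    db = build_sample_db()
    start, finish = "2003-04-01 08:00:00", "2003-04-01 09:00:00"
    print("would delete:", purge_window(db, start, finish, dry_run=True))
    print("deleted:", purge_window(db, start, finish))
    print("remaining rows:", table_counts(db))
```

Running it deletes the three alerts at 08:00:00, 08:30:00 and 09:00:00 (both bounds are inclusive, as in the script's `>=` / `<=`) and leaves two rows in every table, which is the orphan check worth repeating on the real database after a scheduled run.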

----- Original Message ----- 
From: Semerjian, Ohanes
To: 'snort-users () lists sourceforge net'
Sent: Wednesday, August 13, 2003 6:07 AM
Subject: [Snort-users] ACID


Dear list members,

I run ACID to display alerts out of the mysql (platform used is sol 8). The
problem I had is that the records in the database got so many that ACID sits
forever and can't display the records. Has anyone a script that could
purge the records from the database, say between certain dates? I don't want
to dump the database and lose all records.

Best Regards
Ohanes Semerjian
PGP Key
75DF 2980 5663 2DC1 12CD  E43E 94D6 7A9A 222D 3449


