Snort mailing list archives

RE: Database tools?


From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Wed, 27 Aug 2003 07:48:58 -0500

-----Original Message-----
From: Marc Quibell [mailto:mquibell () fbfs com] 
Sent: Tuesday, August 26, 2003 1:27 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Database tools?

Curious, what do y'all use for managing the MySQL database, 
beside the http frontend (ACID, DEMARC)? Today I had a few 
machines that got infected (still) from the MSBLASTER.D, and 
of course it overloaded my db, cranking 600K alerts in 45 
mins. And if you use ACID, you know how hard and how long it 
takes to delete that many alerts.

Along with some other folks, I wrote a script that allows you to either
drop records or archive records from the Mysql db.  If you want a copy,
just email me.

To deal with the worms, I just started a second instance of snort on the
same interface (renamed everything - ACID, snort, snort.conf, etc.,
etc.) and I just drop that db periodically (sometimes several times a
day.)

Also, I wonder if there is a way to simply have a threshold 
for alerts, so if I want to only be alerted on the first 10 
of the same 100000 alerts. Thanks.

I don't think so, but Erik can probably give you a definitive answer.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 
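Paul's drop/archive script is not reproduced in the thread. The following is an added example of the shape such a tool takes, written for this page; it is not his script and not part of Snort or ACID. The point it shows is the part ACID's one-row-at-a-time deletion makes painful: pick the (sid, cid) pairs once from `event`, copy them into archive tables if you want to keep them, then delete them from every per-packet table and finally from `event`, all inside one transaction so no orphan header or payload rows are left behind. It goes slightly beyond the thread by filtering on a signature id, which is what you want when one worm signature is the noise and everything else should stay. Assumptions: Python's sqlite3 stands in for MySQL so it runs offline, the schema is a simplified subset of the Snort database schema (event, iphdr, tcphdr, udphdr, icmphdr, data, all keyed on sid/cid), and the alert burst is constructed data.

```python
"""Archive-or-drop old Snort alerts across every per-packet table.

Added example for this thread; not Paul's script and not part of Snort or
ACID.  sqlite3 stands in for MySQL so this runs offline, and the schema is an
assumed, simplified subset of the Snort database schema (all tables keyed on
sid, cid).  The alert data below is constructed, not captured.
"""
import sqlite3

# Per-packet tables that hang off `event` by (sid, cid).  Fixed identifiers,
# never user input, so formatting them into SQL text is safe here.
CHILD_TABLES = ("iphdr", "tcphdr", "udphdr", "icmphdr", "data")
ALL_TABLES = ("event",) + CHILD_TABLES

SCHEMA = """
CREATE TABLE event   (sid INTEGER, cid INTEGER, signature INTEGER,
                      timestamp TEXT, PRIMARY KEY (sid, cid));
CREATE TABLE iphdr   (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                      ip_proto INTEGER, PRIMARY KEY (sid, cid));
CREATE TABLE tcphdr  (sid INTEGER, cid INTEGER, tcp_sport INTEGER,
                      tcp_dport INTEGER, PRIMARY KEY (sid, cid));
CREATE TABLE udphdr  (sid INTEGER, cid INTEGER, udp_sport INTEGER,
                      udp_dport INTEGER, PRIMARY KEY (sid, cid));
CREATE TABLE icmphdr (sid INTEGER, cid INTEGER, icmp_type INTEGER,
                      icmp_code INTEGER, PRIMARY KEY (sid, cid));
CREATE TABLE data    (sid INTEGER, cid INTEGER, data_payload TEXT,
                      PRIMARY KEY (sid, cid));
"""


def open_db(path=":memory:"):
    """Open the stand-in database; isolation_level=None means we issue
    BEGIN/COMMIT/ROLLBACK ourselves instead of letting sqlite3 guess."""
    conn = sqlite3.connect(path, isolation_level=None)
    conn.executescript(SCHEMA)
    return conn


def load_constructed_alerts(conn, worm_count=600, other_count=5):
    """Constructed sample: `worm_count` alerts on signature 1 to 135/tcp within
    one hour (a Blaster-style scan burst), then `other_count` unrelated
    signature-2 alerts later the same day.  Returns the last cid used."""
    ev, ip, tcp = [], [], []
    cid = 0
    for i in range(worm_count):            # worm_count must stay below 3600
        cid += 1
        ev.append((1, cid, 1, f"2003-08-26 13:{i // 60:02d}:{i % 60:02d}"))
        ip.append((1, cid, 0x0A000000 + i, 0x0A0000FF, 6))
        tcp.append((1, cid, 1024 + i, 135))
    for i in range(other_count):           # other_count must stay below 60
        cid += 1
        ev.append((1, cid, 2, f"2003-08-26 18:00:{i:02d}"))
        ip.append((1, cid, 0x0A000001, 0x0A0000FE, 6))
        tcp.append((1, cid, 40000 + i, 80))
    conn.execute("BEGIN")
    conn.executemany("INSERT INTO event VALUES (?,?,?,?)", ev)
    conn.executemany("INSERT INTO iphdr VALUES (?,?,?,?,?)", ip)
    conn.executemany("INSERT INTO tcphdr VALUES (?,?,?,?)", tcp)
    conn.execute("COMMIT")
    return cid


def count_rows(conn, table):
    return conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]


def archive_alerts(conn, before_ts, signature=None, archive=True):
    """Remove every alert with event.timestamp < before_ts (ISO text, so a
    plain string compare is correct), optionally only for one signature id.

    The (sid, cid) set is chosen once from `event`, copied into archive_*
    tables when archive=True, then deleted from the child tables and last
    from `event`, all in one transaction: a failure part-way leaves neither
    orphan header/payload rows nor half-archived events.  Returns the number
    of events removed."""
    where, params = "timestamp < ?", [before_ts]
    if signature is not None:
        where += " AND signature = ?"
        params.append(signature)
    conn.execute("BEGIN")
    try:
        conn.execute("DROP TABLE IF EXISTS victims")
        conn.execute("CREATE TEMP TABLE victims (sid INTEGER, cid INTEGER)")
        conn.execute(f"INSERT INTO victims SELECT sid, cid FROM event WHERE {where}", params)
        n = count_rows(conn, "victims")
        if archive:
            for t in ALL_TABLES:
                # archive table = empty copy of the live table's columns
                conn.execute(f"CREATE TABLE IF NOT EXISTS archive_{t} AS SELECT * FROM {t} WHERE 0")
                conn.execute(f"INSERT INTO archive_{t} SELECT {t}.* FROM {t} "
                             f"JOIN victims ON {t}.sid = victims.sid AND {t}.cid = victims.cid")
        for t in CHILD_TABLES + ("event",):   # children first, parent last
            conn.execute(f"DELETE FROM {t} WHERE EXISTS (SELECT 1 FROM victims "
                         f"WHERE victims.sid = {t}.sid AND victims.cid = {t}.cid)")
        conn.execute("DROP TABLE victims")
        conn.execute("COMMIT")
    except Exception:
        conn.execute("ROLLBACK")
        raise
    return n


if __name__ == "__main__":
    db = open_db()
    load_constructed_alerts(db)
    moved = archive_alerts(db, "2003-08-26 14:00:00", signature=1)
    print(f"archived {moved} worm events; {count_rows(db, 'event')} events remain")
```

Two caveats when pointing this at a real MySQL Snort database instead of the sqlite3 stand-in: MySQL's CREATE TABLE performs an implicit commit, so create the archive tables before you BEGIN rather than inside the transaction, and if the tables are MyISAM there is no transaction to roll back at all, so run the purge while the sensor is quiet and keep a dump. The per-signature filter is the cheap answer to a worm burst: purge only the signature that produced the 600K rows and leave the rest of the day's alerts in place.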

