Snort mailing list archives
RE: Finding alerts taking up the most database space
From: "McCash, John" <John.McCash () andrew com>
Date: Fri, 10 Sep 2004 14:32:06 -0500
Sekure, no. I'm already doing that (through ACID). Unfortunately, the alerts that are showing up in the greatest numbers appear to be only about 20% of my problem. The real issue here appears to be that variable amounts of packet capture are stored for many events, and there's no index for the size of the packet capture record for a given event (or so I believe...).

Thanks anyway
John

-----Original Message-----
From: sekure [mailto:sekure () gmail com]
Sent: Friday, September 10, 2004 11:41 AM
To: McCash, John
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Finding alerts taking up the most database space

Well you can do something like:

select count(signature) as num, signature from event group by signature order by num desc limit 10;

This should give you the top 10 alerts in the event table. Keep in mind though, that those may not necessarily be the ones that take up the most disk space, since they may have a completely empty "data" record associated with them. Then you can look up the signature in the signature table.

Is this what you were looking for?

----- Original Message -----
From: McCash, John <john.mccash () andrew com>
Date: Fri, 10 Sep 2004 11:20:47 -0500
Subject: [Snort-users] Finding alerts taking up the most database space
To: snort-users () lists sourceforge net

Hi,

I currently am running snort and acid with mysql, and my database size is getting up around 6G. The data table, data.MYD alone is about 3.3G. As you may imagine, my db performance is lousy. Does anyone have an easy way of determining which alerts are taking up the greatest amount of db space, so that I can selectively prune those entries?

Thanks in advance
John McCash

------------------------------------------------------------------------------------------------
This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any unauthorized use of this email is prohibited.
------------------------------------------------------------------------------------------------
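The thread stops at counting events per signature, which (as both posters note) does not say which signatures own the bulk of the data table. The queries below are an added example and are not from anyone in the thread. They assume the stock Snort MySQL schema of that era: event(sid, cid, signature, timestamp), signature(sig_id, sig_name, ...), and data(sid, cid, data_payload) joined on (sid, cid), with data_payload stored as hex text by the database output plugin, so LENGTH()/2 is an approximation of the raw byte count. The cut-off date, the signature id used in the prune and the table aliases are placeholders chosen for illustration.

```sql
-- Added example (not from the thread). Assumed stock Snort schema:
--   event(sid, cid, signature, timestamp)
--   signature(sig_id, sig_name, ...)     event.signature -> signature.sig_id
--   data(sid, cid, data_payload)         one optional row per event
-- 1. Payload volume actually stored per signature, largest first.
--    This scans the whole data table, so run it off-hours on a 3 GB table.
SELECT s.sig_id,
       s.sig_name,
       COUNT(*)                                          AS events,
       SUM(d.sid IS NOT NULL)                            AS events_with_payload,
       SUM(COALESCE(LENGTH(d.data_payload), 0))          AS payload_chars,
       SUM(COALESCE(LENGTH(d.data_payload), 0)) DIV 2    AS approx_bytes,   -- hex text: 2 chars/byte
       AVG(COALESCE(LENGTH(d.data_payload), 0)) / 2      AS avg_bytes_per_event
FROM event e
JOIN signature s     ON s.sig_id = e.signature
LEFT JOIN data d     ON d.sid = e.sid AND d.cid = e.cid
GROUP BY s.sig_id, s.sig_name
ORDER BY payload_chars DESC
LIMIT 10;

-- 2. Prune the payload rows (but keep the event rows and their ACID history)
--    for one heavy signature older than a cut-off. Multi-table DELETE works
--    on MySQL 4.0 without subqueries. sig_id 1234 and the date are placeholders.
DELETE d
FROM data d
JOIN event e ON e.sid = d.sid AND e.cid = d.cid
WHERE e.signature = 1234
  AND e.timestamp < '2004-08-01';

-- 3. MyISAM does not give the space back on DELETE; data.MYD keeps its size
--    until the table is rebuilt. This takes a write lock for the duration.
OPTIMIZE TABLE data;
```

Query 1 answers the question as asked: signatures ranked by bytes stored rather than by event count, with events_with_payload showing how many events of a signature carried a capture at all. Query 2 drops only the captures, so the alert records and anything ACID has linked to them stay intact; sorting out which signatures are safe to prune is still a judgement call, since the payload is often exactly what is needed to decide whether an old alert was a false positive.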
Current thread:
- Finding alerts taking up the most database space McCash, John (Sep 10)
- Re: Finding alerts taking up the most database space sekure (Sep 10)
- <Possible follow-ups>
- RE: Finding alerts taking up the most database space McCash, John (Sep 10)
- RE: Finding alerts taking up the most database space M Shirk (Sep 13)
- RE: Finding alerts taking up the most database space McCash, John (Sep 22)