Snort mailing list archives
Manually deleting alerts from snort and acid database
From: "Jacob, Raymond A Jr" <raymond.jacob () navy mil>
Date: Thu, 22 Jul 2004 18:17:22 -0400
I have started playing with snortslinger and I am starting to like the ability to write my own SQL queries. I think I am ready for the next step, that is, deleting alerts that I am not interested in but my supervisor is.

For example: deleting SHELLCODE x86 inc ebx NOOP (1390) alerts where the destination port is 80.

Process:

    SELECT sig_id FROM signature WHERE sig_sid = 1390;
    SET @SIG_ID = <result>;

    -- Snort keys every per-alert row on (sid, cid); acid_ag_alert uses
    -- (ag_sid, ag_cid). acid_ag holds the group definitions, so only the
    -- membership rows in acid_ag_alert are deleted, not the groups.
    DELETE event, iphdr, data, tcphdr, udphdr, icmphdr, opt, acid_ag_alert
    FROM event
        JOIN iphdr          ON iphdr.sid   = event.sid AND iphdr.cid   = event.cid
        JOIN tcphdr         ON tcphdr.sid  = event.sid AND tcphdr.cid  = event.cid
        LEFT JOIN data      ON data.sid    = event.sid AND data.cid    = event.cid
        LEFT JOIN udphdr    ON udphdr.sid  = event.sid AND udphdr.cid  = event.cid
        LEFT JOIN icmphdr   ON icmphdr.sid = event.sid AND icmphdr.cid = event.cid
        LEFT JOIN opt       ON opt.sid     = event.sid AND opt.cid     = event.cid
        LEFT JOIN acid_ag_alert ON acid_ag_alert.ag_sid = event.sid
                               AND acid_ag_alert.ag_cid = event.cid
    WHERE event.signature = @SIG_ID
      AND tcphdr.tcp_dport = 80;

    <pray to the deity of your choice>

My assumptions are that if the signature does not exist in a table, no errors will be raised; MySQL will go to the next logic statement.

Question: Has anyone tried this? Based on the queries I have executed so far, this will take forever depending on the size of my database.

Question: Should I analyze my queries or optimize tables to get them to work as efficiently as possible before I attempt this? (Should I use myisamchk -a or EXPLAIN, ANALYZE event, ANALYZE iphdr, ... every two (2) days? Or should I (RTFM) buy: High Performance MySQL (O'Reilly): Optimization, Backups, Replication, Load Balancing & More, by Jeremy Zawodny and Derek J. Balling, April 2004, ISBN: 0-596-00306-4, 294 pages, $39.95 US, $57.95 CA, £28.50 UK?)

Thank you,
Raymond
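The purge described in the message above, written out as an added example (editor's code, not Raymond's or the Snort/ACID project's). It assumes the standard Snort 2.x MySQL schema (event, signature, iphdr, tcphdr, udphdr, icmphdr, opt and data, all keyed on the sensor id sid plus the per-sensor counter cid) and ACID's acid_ag_alert membership table keyed on (ag_sid, ag_cid); the temporary table name purge_keys is my own. It splits the job into a cheap SELECT that collects the keys, a sanity check, and one single-table DELETE per table, which avoids the trap in a single multi-table DELETE with inner joins: a TCP alert has no udphdr or icmphdr row, so an inner join across all header tables matches nothing.

```sql
-- Added example (not from the original post): purge the
-- "SHELLCODE x86 inc ebx NOOP" (sig_sid 1390) alerts whose TCP destination
-- port is 80. Written for MySQL 4.0+; table and column names are assumed
-- from the stock Snort 2.x schema and ACID, so confirm them with
-- SHOW CREATE TABLE before running this against a real database.

-- Phase 1: collect the (sid, cid) keys of the alerts to purge.
-- Joining on sid AND cid matters: cid is only unique per sensor.
CREATE TEMPORARY TABLE purge_keys (
    sid INT UNSIGNED NOT NULL,
    cid INT UNSIGNED NOT NULL,
    PRIMARY KEY (sid, cid)
);

INSERT INTO purge_keys (sid, cid)
SELECT e.sid, e.cid
FROM event e
    JOIN signature s ON s.sig_id = e.signature
    JOIN tcphdr t    ON t.sid = e.sid AND t.cid = e.cid
WHERE s.sig_sid = 1390
  AND t.tcp_dport = 80;

-- Sanity check before anything is destroyed: how many alerts are selected,
-- and do they all carry the signature name you expect?
SELECT COUNT(*) AS alerts_to_purge FROM purge_keys;

SELECT s.sig_name, COUNT(*) AS n
FROM purge_keys p
    JOIN event e     ON e.sid = p.sid AND e.cid = p.cid
    JOIN signature s ON s.sig_id = e.signature
GROUP BY s.sig_name;

-- Phase 2: delete from the per-alert child tables first, then from event.
-- Each statement touches one table, so an alert with no row in a given
-- table (e.g. no udphdr row for a TCP alert) simply deletes nothing there.
-- acid_ag holds the alert-group definitions and is left alone; only the
-- membership rows in acid_ag_alert are removed.
DELETE d FROM data d          JOIN purge_keys p ON d.sid = p.sid AND d.cid = p.cid;
DELETE o FROM opt o           JOIN purge_keys p ON o.sid = p.sid AND o.cid = p.cid;
DELETE t FROM tcphdr t        JOIN purge_keys p ON t.sid = p.sid AND t.cid = p.cid;
DELETE u FROM udphdr u        JOIN purge_keys p ON u.sid = p.sid AND u.cid = p.cid;
DELETE i FROM icmphdr i       JOIN purge_keys p ON i.sid = p.sid AND i.cid = p.cid;
DELETE h FROM iphdr h         JOIN purge_keys p ON h.sid = p.sid AND h.cid = p.cid;
DELETE a FROM acid_ag_alert a JOIN purge_keys p ON a.ag_sid = p.sid AND a.ag_cid = p.cid;
-- If ACID's acid_event cache table is present (assumed here, keyed on
-- sid, cid), clear it as well or ACID's counts will drift from event:
-- DELETE c FROM acid_event c JOIN purge_keys p ON c.sid = p.sid AND c.cid = p.cid;
DELETE e FROM event e         JOIN purge_keys p ON e.sid = p.sid AND e.cid = p.cid;

DROP TEMPORARY TABLE purge_keys;
```

Two caveats a practitioner would want. With MyISAM tables (the MySQL default of that era) none of this is transactional, so take a mysqldump of the database before phase 2 and stop after the two SELECTs if the count or signature name is not what you expect. For the performance question, run EXPLAIN on the phase 1 SELECT: the joins into tcphdr and from purge_keys all use the (sid, cid) primary keys, so the only scan that can hurt is the one on event.signature, which the stock schema indexes; the per-table DELETEs are then bounded by the size of purge_keys rather than by the size of the database.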