Snort mailing list archives

RE: For those of you


From: "John Creegan" <jcreegan () questarweb com>
Date: Tue, 27 Jul 2004 11:43:27 -0500

And let's not forget to optimize the tables once they've been cleaned up! :-)

"Esler, Joel - Contractor" <joel.esler () rcert-s army mil> 07/27/04 10:23AM >>>
I totally agree, however, if someone feels like working on the sid/cid
joins...

J

-----Original Message-----
From: sekure [mailto:sekure () gmail com] 
Sent: Tuesday, July 27, 2004 11:20 AM
To: Esler, Joel - Contractor
Cc: snort-users () lists sourceforge net 
Subject: Re: [Snort-users] For those of you


Joel,

It's true that your script will trim the list of events returned by ACID
and other GUIs, but it will not do much in terms of speeding up the
searches or shrinking the database size.  You are just removing entries
from the event table, and as a result leaving a lot of orphaned events
in iphdr, tcphdr, udphdr, icmphdr, and data tables. 
And that's just in the default snort database.  I am sure there are
equivalents in the tables that ACID creates.  Whenever ACID does a join
with one of those tables, it'll still have to search through all those
cids, even though they don't have an entry in the event table.

On Tue, 27 Jul 2004 10:48:46 -0400, Esler, Joel - Contractor
<joel.esler () rcert-s army mil> wrote:
Someone emailed me today offline in response to the mysql I had, well,
instead of messing with it I wrote a php script (yes) that cleans out
whatever database you have whenever you want it to do it.  (by
changing the interval).

It's not rocket science, but I figure I'll put it out there for people
that don't want to reinvent the wheel.  Run it once a day through your
crontab.

-------------begin cut----------------
#!/bin/php -q
<?php
// MySQL connection settings
define('HOST', 'localhost');
define('USER', 'user');
define('PASS', 'password');
define('DB', 'dbname');

mysql_connect(HOST, USER, PASS)
    or die("Couldn't connect to database: " . mysql_error());
mysql_select_db(DB)
    or die("Couldn't select database: " . mysql_error());

// Purge everything older than 30 days from the snort event table and from
// ACID's acid_event table; change the INTERVAL to alter the retention.
mysql_query("DELETE FROM event WHERE timestamp < CURRENT_DATE() - INTERVAL 30 DAY")
    or die(mysql_error());
mysql_query("DELETE FROM acid_event WHERE timestamp < CURRENT_DATE() - INTERVAL 30 DAY")
    or die(mysql_error());

mysql_close();
?>
----------end cut-----------------

Okay, well how about all those tcpdump binaries I have that I want to 
keep but don't want taking up a bunch of space? This is REALLY not 
rocket science...

-----------begin cut-------------

#!/bin/sh

# Compress every log file older than one day that is not already gzipped.
# (-mtime +1 means "more than one day old"; a bare "-mtime 1" only matches
# files that are exactly one day old, so anything missed during a cron gap
# would never be compressed.)
find /path/to/your/snort/logs -type f -mtime +1 ! -name '*.gz' -exec gzip {} \;

# If you want them to just be deleted after one year too...
# (gzip keeps the original mtime on the .gz, so the age test still works.)
find /path/to/your/snort/logs -type f -mtime +365 -exec rm -f {} \;

--------------end cut--------------

Execute that script once an hour.  Like I said, it's not brain
surgery, just thought these commands could be useful to everyone
besides the guy that emailed me.

J

-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today. 
http://ads.osdn.com/?ad_idG21&alloc_id040&op=click 
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net 
Go to this URL to change user options or unsubscribe: 
https://lists.sourceforge.net/lists/listinfo/snort-users 
Snort-users list archive: 
http://www.geocrawler.com/redir-sf.php3?list=snort-users 



This message (including any attachments) contains confidential
information intended for a specific individual and purpose,
and is protected by law.  If you are not the intended recipient,
you should delete this message and are hereby notified that any
disclosure,copying, or distribution of this message, or the taking
of any action based on it, is strictly prohibited.

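The purge the thread asks for, as an added example that is not Joel's script or anything posted by the other participants: it trims the per-packet tables (iphdr, tcphdr, udphdr, icmphdr, data) on the same sid/cid keys as the event rows being removed, so no orphans are left behind for ACID's joins to scan, and then runs OPTIMIZE TABLE to reclaim the space. It assumes the stock Snort MySQL schema (every one of those tables keyed by the sid/cid pair) plus the acid_event table named in the thread, and that no sensor is inserting while it runs. Any other sid/cid-keyed table in your schema follows the same pattern.

```sql
-- Added example, not from the thread. Assumes the stock Snort MySQL schema
-- (sid INT UNSIGNED, cid INT UNSIGNED on every per-packet table) and the
-- acid_event table mentioned in the thread. Run from the mysql client or cron.

-- 1. Fix the set of keys to purge once, so every table is trimmed to the
--    same (sid, cid) pairs no matter how long the deletes take.
CREATE TEMPORARY TABLE purge_keys (
    sid INT UNSIGNED NOT NULL,
    cid INT UNSIGNED NOT NULL,
    PRIMARY KEY (sid, cid)
);

INSERT INTO purge_keys (sid, cid)
SELECT sid, cid
  FROM event
 WHERE timestamp < CURRENT_DATE() - INTERVAL 30 DAY;

-- 2. Delete the child rows first, joining on the key pair
--    (MySQL multi-table DELETE; the alias before FROM names the table to
--    delete from).
DELETE d FROM data    AS d JOIN purge_keys AS p USING (sid, cid);
DELETE t FROM tcphdr  AS t JOIN purge_keys AS p USING (sid, cid);
DELETE u FROM udphdr  AS u JOIN purge_keys AS p USING (sid, cid);
DELETE i FROM icmphdr AS i JOIN purge_keys AS p USING (sid, cid);
DELETE h FROM iphdr   AS h JOIN purge_keys AS p USING (sid, cid);

-- 3. Then the parent rows and ACID's copy of them, on the same keys, so the
--    two never drift apart.
DELETE e FROM event      AS e JOIN purge_keys AS p USING (sid, cid);
DELETE a FROM acid_event AS a JOIN purge_keys AS p USING (sid, cid);

DROP TEMPORARY TABLE purge_keys;

-- 4. Reclaim the space: DELETE alone leaves holes in MyISAM data files,
--    OPTIMIZE TABLE rebuilds them and refreshes the index statistics.
OPTIMIZE TABLE event, iphdr, tcphdr, udphdr, icmphdr, data, acid_event;

-- 5. Sanity check: a non-zero count here means orphaned packet rows remain
--    (for example, left over from an earlier event-only purge).
SELECT COUNT(*) AS orphaned_iphdr_rows
  FROM iphdr AS i
  LEFT JOIN event AS e USING (sid, cid)
 WHERE e.sid IS NULL;
```

If the orphan check reports rows from earlier event-only purges, the same LEFT JOIN pattern with DELETE (delete from the child where the parent is NULL) cleans them up; run it once per child table before the first scheduled purge so that OPTIMIZE TABLE has everything to reclaim.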