Snort mailing list archives

Re: Snort Archive Database Creation Script


From: Charles Heselton <charles.heselton () gmail com>
Date: Sun, 1 Aug 2004 02:52:38 -0700

On Sat, 31 Jul 2004 08:56:35 -0300, Alejandro Flores
<alejandro.flores () triforsec com br> wrote:
Hello Charles,

A mysql database is a directory where each table is a file. In an ugly
way, you can stop your mysql, go to your databases directory
(/var/lib/mysql in redhat/fedora), rename your database (mv snort
snort-archive), start mysql and recreate the original database. Remember
to grant privileges to your 'new' database.
(I do not recommend you do this!)

There's a tool called 'mysqlhotcopy' that I guess will fit your needs.
It comes with MySQL, so you can check the documentation with: perldoc
mysqlhotcopy or pointing your browser to:
http://dev.mysql.com/doc/mysql/en/mysqlhotcopy.html

Regards,
Alejandro Flores




Hi all.  Don't know if this question has been asked before.  I wasn't
able to find too much on google or the list archive.

I would like to be able to archive events picked up by my snort IDSs.
Now, I know that ACID has this functionality.  But I also know that
you have to have the database backend.  Does anyone know if 1) the DB
setup script that comes with the snort package will work for the
"snort-archive" db? or 2) if there's a snort-archive db setup script
that I missed in the package? or 3) is there a third-party script
somewhere out there in userland?  I'm not the most savvy mysql DBA, so it
would be non-trivial for me to try to set up the db myself.

Any guidance would be appreciated.

Thanks.

Thanks.  I'm not usually one for kludgy fixes, and this sounds like
one.  No offense.  I got things working nicely by creating the archive
database, then using the 'create_mysql' script that is shipped with
snort to create the tables I needed.  It worked very well.  Thanks for
the advice though.

-- 
Charlie Heselton
Network Security Engineer
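The route Charlie ends up taking (create the empty archive database, grant the snort user access to it, then load the table schema from the create_mysql script shipped with Snort) as a POSIX shell script. This is an added example, not Charlie's own commands or anything from the Snort package. It assumes the mysql client is on PATH, that you can authenticate as the MySQL root user when prompted, that the snort user was already created when the live database was set up, and that you know where your Snort tarball put create_mysql (the path differs between releases, so it is passed in). The grant is deliberately limited to the four privileges Snort and ACID need on the archive tables rather than ALL PRIVILEGES, and database, user and host names are checked against a plain-identifier pattern before they are spliced into SQL:

```shell
#!/bin/sh
# Added example: create a Snort archive database and load Snort's own table
# schema (create_mysql) into it.  Paths and names below are assumptions.
set -eu

# Accept only plain identifiers, so a name can never become unquoted SQL text.
valid_ident() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Host part of a MySQL account: letters, digits, dots, '%' wildcard, '-' and '_'.
valid_host() {
    case "$1" in
        ''|*[!A-Za-z0-9_.%-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Emit the SQL that creates the archive database and grants the existing snort
# account only what it needs there (read, insert, update, delete), not ALL.
archive_db_sql() {
    db="$1"; user="$2"; host="$3"
    valid_ident "$db"   || { echo "bad database name: $db" >&2; return 1; }
    valid_ident "$user" || { echo "bad user name: $user" >&2; return 1; }
    valid_host "$host"  || { echo "bad host: $host" >&2; return 1; }
    printf 'CREATE DATABASE %s;\n' "$db"
    printf "GRANT SELECT, INSERT, UPDATE, DELETE ON %s.* TO '%s'@'%s';\n" \
        "$db" "$user" "$host"
    printf 'FLUSH PRIVILEGES;\n'
}

# Run the grant SQL and the Snort schema in one mysql session (one password
# prompt).  $4 is the path to Snort's create_mysql, e.g. contrib/create_mysql
# in the source tree (assumed location; check your own tarball).
create_archive_db() {
    db="$1"; user="$2"; host="$3"; schema="$4"
    [ -r "$schema" ] || { echo "schema not readable: $schema" >&2; return 1; }
    {
        archive_db_sql "$db" "$user" "$host"
        printf 'USE %s;\n' "$db"
        cat "$schema"
    } | mysql -u root -p
}

# Usage: sh this_script.sh snort_archive snort localhost /path/to/create_mysql
if [ "$#" -ge 4 ]; then
    create_archive_db "$1" "$2" "$3" "$4"
fi
```

After it runs, point ACID's archive database settings at the new database with the same snort user; because the grant is scoped to that one database, a compromised console account cannot touch anything else on the MySQL server.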


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users