Snort mailing list archives
Re: Many Events in new SNORT box
From: sekure <sekure () gmail com>
Date: Thu, 12 Aug 2004 09:29:33 -0400
I hate when that happens... This is why whenever I set up a new sensor, I run it for about a week or so logging to text, pcap and unified files, without processing those unified files into the database. (For the purists, I know I can just log to unified and then process those into pcap and alert files; it's just easier for me this way.) That gives me a chance to tweak the rulebase without flooding my database with millions of events. At the end of the week I can post-process the unified files into the database if they are fine, or just delete them.

Anyway, a few times I had to delete around 500K events from my database, and here is the script I came up with. I am warning you, it's not the best way to do things, since I am deleting each event individually, but I found that this way it doesn't lock the database and I can still log events while this script is running.

Basically, every event in the database is identified by a combination of sensor_id (sid) and event_id (cid). See where it says "select sid, cid from YOUR QUERY HERE" in the script? Replace the "YOUR QUERY HERE" with the query that returns the events that you want to delete. MAKE SURE TO TEST IT FIRST to make sure it only returns the events you want deleted.

#!/bin/php -q
<?php
// Connection settings: edit these for your Snort database
$db_server = 'localhost';
$db_user   = 'user';
$db_pwd    = 'password';
$db_name   = 'database';

$db_link = @mysql_connect($db_server, $db_user, $db_pwd)
    or exit('Could not connect: ' . mysql_error());
$db = @mysql_select_db($db_name, $db_link)
    or exit('Could not select database: ' . mysql_error());

// Replace YOUR QUERY HERE with a tested query that returns the sid, cid pairs to delete
$select = mysql_query("select sid, cid from YOUR QUERY HERE") or die(mysql_error());

// Rows referencing the event are removed from the child tables first, then the event row itself
$tables = array('data', 'iphdr', 'tcphdr', 'udphdr', 'icmphdr', 'event');

while ($row = mysql_fetch_object($select)) {
    $sid = (int) $row->sid;
    $cid = (int) $row->cid;
    echo "Deleting sid: $sid cid: $cid\n";
    foreach ($tables as $table) {
        // mysql_query() returns TRUE/FALSE for a DELETE, so there is no result set to fetch
        mysql_query("delete from $table where cid='$cid' and sid='$sid'") or die(mysql_error());
    }
}

----- Original Message -----
From: Postiglione, Jon <jon.postiglione () providencehospitals com>
Date: Wed, 11 Aug 2004 22:24:35 -0400
Subject: [Snort-users] Many Events in new SNORT box
To: snort-users () lists sourceforge net

Hello,

I just recently configured a new snort box, and before I could set up the events that I wanted to keep and the ones I wanted to delete, I had over 5 million events (we run a really chatty network). Well, anyway, I need to delete all of the events in SNORT but it will not let me because there are too many of them (it times out). I do not know much about MySQL or SNORT; is there an easy way to delete all of the events (besides rebuilding the box)?

Thanks from a NewBie!

Regards,
Jon Postiglione
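The same purge done in short batched transactions, as an added example that is not sekure's script: it runs against an in-memory SQLite copy of the relevant part of the Snort schema (the event table with its signature column, plus the data and header tables, filled with constructed sample rows) so it can be tried offline, while the DELETE statements are the ones the PHP script issues against MySQL. The function names and the batch size are my own choices; the selection query plays the role of the tested "YOUR QUERY HERE" query.

```python
"""Batched delete of Snort events keyed by (sid, cid), on a SQLite copy of the schema."""
import sqlite3

# Rows that reference an event live in these tables; delete them before the
# parent row in `event` so no orphaned header/payload rows are left behind.
CHILD_TABLES = ("data", "iphdr", "tcphdr", "udphdr", "icmphdr")


def make_sample_db(n_events=1000):
    """Constructed sample data: n_events events on sensor 1, odd cids with
    signature 1 (the noisy rule to purge), even cids with signature 2."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER,"
               " PRIMARY KEY (sid, cid))")
    for table in CHILD_TABLES:
        db.execute(f"CREATE TABLE {table} (sid INTEGER, cid INTEGER,"
                   " PRIMARY KEY (sid, cid))")
    for cid in range(1, n_events + 1):
        db.execute("INSERT INTO event VALUES (1, ?, ?)", (cid, 1 if cid % 2 else 2))
        for table in CHILD_TABLES:
            db.execute(f"INSERT INTO {table} VALUES (1, ?)", (cid,))
    db.commit()
    return db


def delete_events(db, select_sql, params=(), batch_size=100):
    """Delete every event returned by select_sql, which must yield (sid, cid)
    rows. Each batch is its own short transaction, so locks are held briefly
    and new events can still be inserted between batches. Returns the count."""
    keys = db.execute(select_sql, params).fetchall()
    for start in range(0, len(keys), batch_size):
        chunk = keys[start:start + batch_size]
        with db:  # commit this batch, or roll it back if a statement fails
            # Table names are the fixed constants above; keys are bound parameters.
            for table in CHILD_TABLES + ("event",):
                db.executemany(f"DELETE FROM {table} WHERE sid = ? AND cid = ?", chunk)
    return len(keys)


def count_rows(db, table):
    """Row count of one table, for checking the result."""
    return db.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]


if __name__ == "__main__":
    db = make_sample_db()
    # Run the selection on its own first and check its count before deleting.
    n = delete_events(db, "SELECT sid, cid FROM event WHERE signature = ?", (1,))
    print(f"deleted {n} events; {count_rows(db, 'event')} remain")
```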
Current thread:
- Many Events in new SNORT box Postiglione, Jon (Aug 11)
- Re: Many Events in new SNORT box Alexander Zenger (Aug 11)
- Re: Many Events in new SNORT box sekure (Aug 12)
- <Possible follow-ups>
- RE: Many Events in new SNORT box Joshua Berry (Aug 12)