Snort mailing list archives

Re: BASE/AAnval MySQL dbase management


From: Paul Schmehl <pauls () utdallas edu>
Date: Sat, 22 Apr 2006 08:25:16 -0500

--On April 20, 2006 9:59:19 AM -0400 John Hally <JHally () epnet com> wrote:

I'm curious as to how people are managing the mysql backend data that
snort reports.  I've been mulling over adding syslog entries to the mix,
but with the amount of denies I see at the borders/firewalls, the
database is going to get unwieldy pretty fast.  Not being a DBA but
knowing enough to get things up and running, is there any 'canned'
scripts out there to help me out? I'm thinking along the lines of
possibly archiving daily/weekly, having the dbase drop entries older than
X, or something to that effect.

I have written a perl script that archives the db based upon your choice of length of time (I use 7 days.) I just completed a php script that allows you to delete all the alerts from a single IP. I'll be releasing it in the near future, after I've done some cleanup and documented it better.

You can find the archive script in the downloads section at http://www.ntsug.org/.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/
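The thread asks for a canned way to archive alerts older than X days. As an added illustration (not Paul's perl script and not anything from the NTSUG downloads), the following sketches the retention logic such a script needs: pick the set of events past the cutoff once, copy them and their per-packet child rows into archive tables, then delete children before the parent so nothing is left orphaned. It assumes the stock Snort schema names (event keyed by sid, cid, with iphdr and data sharing that key) and uses SQLite in memory, with constructed sample alerts, so it runs offline; the SQL statements are the part that carries over to the MySQL backend.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed miniature of the Snort alert schema. Assumption: names follow the
# stock Snort create_mysql script, where event(sid, cid, signature, timestamp)
# is the parent row and per-packet tables (iphdr, data, ...) share its (sid, cid) key.
SCHEMA = """
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                    PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                    PRIMARY KEY (sid, cid));
CREATE TABLE data  (sid INTEGER, cid INTEGER, data_payload TEXT,
                    PRIMARY KEY (sid, cid));
"""
CHILD_TABLES = ("iphdr", "data")            # rows keyed by the parent event's (sid, cid)
LIVE_TABLES = ("event",) + CHILD_TABLES
SAMPLE_NOW = datetime(2006, 4, 22, 8, 0, 0)  # constructed "current time" for the sample


def fmt(ts):
    # Snort writes DATETIME values; this text form sorts correctly as a string.
    return ts.strftime("%Y-%m-%d %H:%M:%S")


def make_db(now=SAMPLE_NOW):
    """Build an in-memory database holding four constructed alerts of varying age."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    for t in LIVE_TABLES:                   # archive tables mirror the live ones
        con.execute(f"CREATE TABLE archive_{t} AS SELECT * FROM {t} WHERE 0")
    ages_in_days = {1: 10, 2: 8, 3: 6, 4: 2}  # cid -> how old the alert is
    for cid, age in ages_in_days.items():
        ts = fmt(now - timedelta(days=age))
        con.execute("INSERT INTO event VALUES (1, ?, 1000 + ?, ?)", (cid, cid, ts))
        con.execute("INSERT INTO iphdr VALUES (1, ?, 167772161, 3232235777)", (cid,))
        con.execute("INSERT INTO data VALUES (1, ?, 'constructed payload')", (cid,))
    con.commit()
    return con


def archive_older_than(con, days, now=SAMPLE_NOW):
    """Move every alert older than `days` (with its child rows) into archive_* tables.

    Returns the number of events moved. The copy and the delete run in one
    transaction, so a failure part way through leaves the live tables intact
    rather than half-purged."""
    cutoff = fmt(now - timedelta(days=days))
    with con:
        # Fix the set of keys first so parent and child tables move the same alerts,
        # even while the sensor keeps inserting new ones.
        con.execute(
            "CREATE TEMP TABLE to_move AS SELECT sid, cid FROM event WHERE timestamp < ?",
            (cutoff,),
        )
        moved = con.execute("SELECT COUNT(*) FROM to_move").fetchone()[0]
        for t in LIVE_TABLES:
            con.execute(f"INSERT INTO archive_{t} SELECT {t}.* FROM {t} JOIN to_move USING (sid, cid)")
        # Delete child rows before the parent so an interrupted run never strands
        # rows that BASE/ACID could no longer reach through event.
        for t in CHILD_TABLES + ("event",):
            con.execute(
                f"DELETE FROM {t} WHERE EXISTS (SELECT 1 FROM to_move "
                f"WHERE to_move.sid = {t}.sid AND to_move.cid = {t}.cid)"
            )
        con.execute("DROP TABLE to_move")
    return moved


def table_counts(con):
    """Row count per live and archive table, to check the move stayed consistent."""
    tables = LIVE_TABLES + tuple(f"archive_{t}" for t in LIVE_TABLES)
    return {t: con.execute(f"SELECT COUNT(*) FROM {t}").fetchone()[0] for t in tables}


if __name__ == "__main__":
    db = make_db()
    print("moved", archive_older_than(db, 7), "alerts;", table_counts(db))
```

Against a real MySQL backend the same statements apply with the live database's full set of child tables (tcphdr, udphdr, icmphdr, opt, and so on) added to CHILD_TABLES; the archive tables keep the alerts queryable without growing the working set that BASE has to scan.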
