Snort mailing list archives
Re: [Snort-devel] Snort DB clean up ACID/BASE
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 26 Sep 2012 09:25:44 -0400
Just to clear things up, Snort DOES use the DB. We just don't output directly to the db anymore. We output to unified2. Barnyard2 handles the db part.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Sep 26, 2012, at 2:38 AM, Amm Snort <ammdispose-snort () yahoo com> wrote:
Hello all,

Just wanted to share clean up schema which should be added in basic schema.

I know snort no longer uses DB but I am still sharing here as many people (like me) still come here looking for solution.

Idea is that deletion from other tables should be automatic once the sid/cid is deleted from "event" table. This way you don't have to write big cleanup script. And also you can simply run SQL command manually:

For eg: delete from event where timestamp<SOMEDATE;

Rest will be taken care by following rule. This is for PostgreSQL, maybe similar rule can be written for other DBs.

-- this would go in snort schema file create_postgresql
create rule event_deleted as on delete to event do (
    delete from iphdr   where sid=old.sid and cid=old.cid;
    delete from tcphdr  where sid=old.sid and cid=old.cid;
    delete from udphdr  where sid=old.sid and cid=old.cid;
    delete from icmphdr where sid=old.sid and cid=old.cid;
    delete from opt     where sid=old.sid and cid=old.cid;
    delete from data    where sid=old.sid and cid=old.cid;
);

-- this would go in base schema file create_base_tbls_pgsql.sql
create rule acid_event_deleted as on delete to event do (
    delete from acid_event    where sid=old.sid and cid=old.cid;
    delete from acid_ag_alert where ag_sid=old.sid and ag_cid=old.cid;
);

Hope it helps someone.

AMM.

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
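The rules posted in the thread, carried through as a self-contained PostgreSQL script so the cascade can be tried against a throwaway database. This is an added example, not code from the thread or from the Snort or BASE projects: the table definitions below are simplified stand-ins that keep only the sid/cid linkage (the real create_postgresql and create_base_tbls_pgsql.sql schemas carry many more columns), and the sample rows and the cut-off date are constructed. It also adds the verification query a practitioner would run after a retention delete to confirm no orphan rows were left behind.

```sql
-- Added example: minimal stand-in tables modelled on the Snort/BASE
-- column names (sid, cid). Not the real schema; constructed for the demo.
BEGIN;

CREATE TABLE event (
    sid        integer   NOT NULL,
    cid        integer   NOT NULL,
    signature  integer   NOT NULL,
    timestamp  timestamp NOT NULL,
    PRIMARY KEY (sid, cid)
);
CREATE TABLE iphdr         (sid integer, cid integer, ip_src bigint, ip_dst bigint);
CREATE TABLE tcphdr        (sid integer, cid integer, tcp_sport integer, tcp_dport integer);
CREATE TABLE udphdr        (sid integer, cid integer, udp_sport integer, udp_dport integer);
CREATE TABLE icmphdr       (sid integer, cid integer, icmp_type integer, icmp_code integer);
CREATE TABLE opt           (sid integer, cid integer, optid integer);
CREATE TABLE data          (sid integer, cid integer, data_payload text);
CREATE TABLE acid_event    (sid integer, cid integer, signature integer, timestamp timestamp);
CREATE TABLE acid_ag_alert (ag_id integer, ag_sid integer, ag_cid integer);

-- The two rules from the thread. PostgreSQL runs non-INSTEAD ON DELETE rule
-- actions before the original DELETE, so the child rows are still matched
-- through old.sid / old.cid while the parent event rows exist.
CREATE RULE event_deleted AS ON DELETE TO event DO (
    DELETE FROM iphdr   WHERE sid = old.sid AND cid = old.cid;
    DELETE FROM tcphdr  WHERE sid = old.sid AND cid = old.cid;
    DELETE FROM udphdr  WHERE sid = old.sid AND cid = old.cid;
    DELETE FROM icmphdr WHERE sid = old.sid AND cid = old.cid;
    DELETE FROM opt     WHERE sid = old.sid AND cid = old.cid;
    DELETE FROM data    WHERE sid = old.sid AND cid = old.cid;
);
CREATE RULE acid_event_deleted AS ON DELETE TO event DO (
    DELETE FROM acid_event    WHERE sid = old.sid AND cid = old.cid;
    DELETE FROM acid_ag_alert WHERE ag_sid = old.sid AND ag_cid = old.cid;
);

-- Constructed sample data: two alerts from sensor 1, one old and one recent.
INSERT INTO event VALUES
    (1, 1, 2000001, '2012-01-15 10:00:00'),
    (1, 2, 2000002, '2012-09-20 10:00:00');
INSERT INTO iphdr   VALUES (1, 1, 167772161, 167772162), (1, 2, 167772161, 167772163);
INSERT INTO tcphdr  VALUES (1, 1, 44321, 80),            (1, 2, 44322, 443);
INSERT INTO opt     VALUES (1, 1, 2),                    (1, 2, 2);
INSERT INTO data    VALUES (1, 1, 'GET / HTTP/1.0'),     (1, 2, 'GET /x HTTP/1.1');
INSERT INTO acid_event    VALUES (1, 1, 2000001, '2012-01-15 10:00:00'),
                                 (1, 2, 2000002, '2012-09-20 10:00:00');
INSERT INTO acid_ag_alert VALUES (7, 1, 1), (7, 1, 2);

-- The retention delete from the thread, with a constructed cut-off date.
-- Only the event rows are named; the rules remove the dependent rows.
DELETE FROM event WHERE timestamp < '2012-06-01';

-- Orphan check: rows in child tables whose (sid, cid) no longer exists in
-- event. After a correct cascade this returns no rows.
SELECT 'iphdr'   AS tbl, sid, cid FROM iphdr   t WHERE NOT EXISTS (SELECT 1 FROM event e WHERE e.sid = t.sid AND e.cid = t.cid)
UNION ALL
SELECT 'tcphdr',         sid, cid FROM tcphdr  t WHERE NOT EXISTS (SELECT 1 FROM event e WHERE e.sid = t.sid AND e.cid = t.cid)
UNION ALL
SELECT 'opt',            sid, cid FROM opt     t WHERE NOT EXISTS (SELECT 1 FROM event e WHERE e.sid = t.sid AND e.cid = t.cid)
UNION ALL
SELECT 'data',           sid, cid FROM data    t WHERE NOT EXISTS (SELECT 1 FROM event e WHERE e.sid = t.sid AND e.cid = t.cid)
UNION ALL
SELECT 'acid_event',     sid, cid FROM acid_event t WHERE NOT EXISTS (SELECT 1 FROM event e WHERE e.sid = t.sid AND e.cid = t.cid)
UNION ALL
SELECT 'acid_ag_alert',  ag_sid, ag_cid FROM acid_ag_alert t WHERE NOT EXISTS (SELECT 1 FROM event e WHERE e.sid = t.ag_sid AND e.cid = t.ag_cid);

-- Roll back so the demo leaves nothing behind; use COMMIT in a real run.
ROLLBACK;
```

Run it with psql against a scratch database. Only the (1, 1) alert is older than the cut-off, so after the DELETE each table should hold a single row for (1, 2) and the orphan check should return nothing; running the same check against a production BASE database before adopting the rules is a cheap way to find out whether earlier hand-written cleanup scripts already left orphans. Since the real Snort schema gives event a primary key on (sid, cid), the same cascade can instead be expressed with foreign keys declared ON DELETE CASCADE on each child table; that is the more conventional mechanism, and unlike a rule it also refuses inserts of child rows that point at a non-existent event. Either way, the retention query deletes evidence, so the cut-off should match whatever retention period the incident-response process actually relies on.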
Current thread:
- Snort DB clean up ACID/BASE Amm Snort (Sep 25)
- Re: [Snort-devel] Snort DB clean up ACID/BASE Joel Esler (Sep 26)