Snort mailing list archives
Re: How can I remove redundant entries from the database?
From: Y M <snort () outlook com>
Date: Tue, 11 Nov 2014 20:40:22 +0000
From: Avery.Rozar () i-techsupport com
To: snort-users () lists sourceforge net
Date: Mon, 10 Nov 2014 17:37:06 +0000
Subject: [Snort-users] How can I remove redundant entries from the database?

I’m using Barnyard2 to send alerts to a PostgreSQL database. As you all know, one alert could actually be hundreds, or even thousands, of events in the database. Is there a script available that removes redundant alerts from the database based on iphdr.ip_src, iphdr.ip_dst and event.sid, event.signature and leaves the original based on event.cid?
I do not know of any "direct" method. The problem stems (in my opinion) from the fact that referential integrity is not enforced in the database schema, due to performance preference, i.e., referential integrity makes insertions a bit slower while increasing the performance of deletions, and vice versa. In this case insertions are more important than deletions. The last time I tried to do that was a while back, and I ended up with a pretty long SQL query that did not even complete after 24 hours; eventually I gave up on it and used the archive database to have historical data while the "live" database was fully truncated periodically.

YM
Thanks,
Avery

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
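An added example, not from either message in the thread: the de-duplication Avery asks for, written as set-based SQL and exercised against a constructed SQLite copy of the Barnyard2 tables. The table and column names (event.sid, event.cid, event.signature, iphdr.ip_src, iphdr.ip_dst) are the ones the thread names; the reduced column set, the sample rows, the CHILD_TABLES list and the ip_int helper are assumptions of this example. It keeps the lowest event.cid per (sensor, signature, source, destination) group and then removes the child rows that the schema's missing foreign keys would otherwise leave dangling.

```python
import ipaddress
import sqlite3

# Subset of the Barnyard2 schema, keyed on (sid, cid) like the real tables.
# Assumption: only the columns the de-duplication touches are reproduced;
# the real schema also has udphdr, icmphdr, opt and others on the same key.
SCHEMA = """
CREATE TABLE event  (sid INTEGER, cid INTEGER, signature INTEGER,
                     PRIMARY KEY (sid, cid));
CREATE TABLE iphdr  (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                     PRIMARY KEY (sid, cid));
CREATE TABLE tcphdr (sid INTEGER, cid INTEGER, tcp_sport INTEGER, tcp_dport INTEGER,
                     PRIMARY KEY (sid, cid));
CREATE TABLE data   (sid INTEGER, cid INTEGER, data_payload TEXT,
                     PRIMARY KEY (sid, cid));
"""
# Tables hanging off event via (sid, cid) in this reduced schema (assumption).
CHILD_TABLES = ("iphdr", "tcphdr", "data")

# Step 1: one keeper per (sensor, signature, src, dst), the lowest cid.
# Grouping once avoids a per-row correlated scan over the whole event table.
KEEP_SQL = """
CREATE TEMP TABLE keep AS
SELECT e.sid AS sid, MIN(e.cid) AS cid
FROM event e
JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
GROUP BY e.sid, e.signature, i.ip_src, i.ip_dst
"""

# Step 2: delete IP events that are not keepers. Events without an iphdr
# row (non-IP alerts) belong to no group and are left untouched.
DELETE_EVENTS_SQL = """
DELETE FROM event
WHERE EXISTS (SELECT 1 FROM iphdr i
              WHERE i.sid = event.sid AND i.cid = event.cid)
  AND NOT EXISTS (SELECT 1 FROM keep k
                  WHERE k.sid = event.sid AND k.cid = event.cid)
"""

# Step 3: no foreign keys in the schema, so orphans are removed explicitly.
# The table name is substituted from CHILD_TABLES only, never from user input.
ORPHAN_SQL = """
DELETE FROM {t}
WHERE NOT EXISTS (SELECT 1 FROM event e
                  WHERE e.sid = {t}.sid AND e.cid = {t}.cid)
"""


def ip_int(addr: str) -> int:
    """Barnyard2 stores iphdr.ip_src/ip_dst as unsigned 32-bit integers."""
    return int(ipaddress.IPv4Address(addr))


def build_sample_db() -> sqlite3.Connection:
    """Constructed data: two sensors, the same flow alerting repeatedly."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    a, b, c = ip_int("10.0.0.1"), ip_int("10.0.0.2"), ip_int("10.0.0.3")
    events = [  # (sid, cid, signature, ip_src, ip_dst); None = no IP header
        (1, 1, 100, a, b),        # keeper
        (1, 2, 100, a, b),        # duplicate of (1, 1)
        (1, 3, 100, a, b),        # duplicate of (1, 1)
        (1, 4, 100, c, b),        # different source: kept
        (1, 5, 200, a, b),        # different signature: kept
        (1, 6, 300, None, None),  # non-IP alert, no iphdr row: kept
        (2, 1, 100, a, b),        # same flow on another sensor: kept
        (2, 2, 100, a, b),        # duplicate of (2, 1)
    ]
    for sid, cid, sig, src, dst in events:
        conn.execute("INSERT INTO event VALUES (?, ?, ?)", (sid, cid, sig))
        if src is not None:
            conn.execute("INSERT INTO iphdr VALUES (?, ?, ?, ?)", (sid, cid, src, dst))
            conn.execute("INSERT INTO tcphdr VALUES (?, ?, ?, ?)", (sid, cid, 40000 + cid, 80))
    conn.execute("INSERT INTO data VALUES (1, 1, 'GET / HTTP/1.1')")
    conn.execute("INSERT INTO data VALUES (1, 2, 'GET / HTTP/1.1')")
    conn.commit()
    return conn


def dedupe(conn: sqlite3.Connection) -> dict:
    """Remove duplicate events, then orphans; returns rows deleted per table."""
    cur = conn.cursor()
    cur.execute("DROP TABLE IF EXISTS keep")
    cur.execute(KEEP_SQL)
    cur.execute(DELETE_EVENTS_SQL)
    removed = {"event": cur.rowcount}
    for t in CHILD_TABLES:
        cur.execute(ORPHAN_SQL.format(t=t))
        removed[t] = cur.rowcount
    conn.commit()
    return removed


def remaining_events(conn: sqlite3.Connection) -> list:
    """Sorted (sid, cid) pairs still present after de-duplication."""
    return sorted(conn.execute("SELECT sid, cid FROM event").fetchall())


if __name__ == "__main__":
    db = build_sample_db()
    print(dedupe(db))            # {'event': 3, 'iphdr': 3, 'tcphdr': 3, 'data': 1}
    print(remaining_events(db))  # [(1, 1), (1, 4), (1, 5), (1, 6), (2, 1)]
```

The three statements run unchanged on PostgreSQL, and the run is idempotent, so it can be scheduled. Before running it on a live Barnyard2 database, try it on a copy or the archive database, and extend CHILD_TABLES with every table in your schema keyed on (sid, cid) (udphdr, icmphdr, opt, and any front-end summary table) so the orphan pass leaves nothing dangling.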
Current thread:
- How can I remove redundant entries from the database? Avery Rozar (Nov 10)
- Re: How can I remove redundant entries from the database? Y M (Nov 11)