Snort mailing list archives
Re: manual access to ACID databases
From: Susan Kay Coulter <skc () lanl gov>
Date: Wed, 10 Oct 2001 15:02:51 -0600
Here are 3 scripts. archive.pl will archive the entire database (support tables and all) for a given timeframe. By 'archive' I mean it dumps the data to flat files that can then be imported into another database. load.pl loads the data from the files created in archive.pl into a database I call snortarc. It is set up identically to snort -- but is not accessed via ACID. It is for historical (hysterical ?) reporting purposes. clear.pl clears the events for that timeframe from the snort database. All this could be done in one script - but I prefer to be able to check things out between runs. The archive script requires you to create a user in mysql that has FILE privileges. After creating a user with FILE (and the other appropriate) privileges you may need to run the command FLUSH PRIVILEGES to force mysql to reload its privileges info. Have fun !!
Subject: Re: [Snort-users] manual access to ACID databases
To: snort-users () lists sourceforge net
From: Steve.Rudolph () jwt com
Date: Wed, 10 Oct 2001 13:24:38 -0400
Susan, Would you care to share your Perl script for archiving? I am new to SQL - so it would take me a couple of weeks to figure out how to code this, I'm sure. I already archive through the ACID interface and it is woefully slow. I seem to be getting about 10000 alerts a day - SNORT is on the external side of the FW looking at the Internet traffic, and it seems like once it gets over 10000 it slows down considerably. Does anyone have a script to extract all entries for a particular IP address from a MySQL database? I would like to stop logging to the snort.log file too, as this probably adds some load and gets erased every time I stop and start snort after a config change. I hate logging the same thing to 3 places, 2 is bad enough. Steve Rudolph CCSA, CCSE J. Walter Thompson World Wide IT
-- Susan Coulter Network Security Team CCN-5 Network Engineering Los Alamos National Laboratory voice: (505) 667-8425 fax: (505) 665-7793
Attachment: archive.pl
Attachment: clear.pl
Attachment: load.pl
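The three attached scripts are not reproduced on this page, so here is an added example (not Susan's code) that walks the same three steps against a cut-down Snort/ACID-style schema: dump every table for a timeframe, load the dump into a second database (her "snortarc"), clear the timeframe from the live database, and check the counts in between, as she does between runs. It uses Python's sqlite3 for two in-memory databases so it runs offline; on the real MySQL setup the dump step is SELECT ... INTO OUTFILE (which is what needs the FILE privilege and writes the file on the server host, owned by the mysqld user) and the load step is LOAD DATA INFILE. The schema here is a constructed subset (event, iphdr, tcphdr, data); the real one has more support tables, but the point generalises: only event carries a timestamp, so every other table is selected and deleted by joining back to event on (sid, cid), and event itself is deleted last. FILE lets an account read and write any file the server process can reach, so grant it to a dedicated archive account rather than the one ACID uses.

```python
import csv
import os
import sqlite3
import tempfile

# Constructed stand-in for the Snort/ACID MySQL schema (assumption: a subset).
# Only event carries a timestamp; header/payload tables hang off it by (sid, cid).
SCHEMA = """
CREATE TABLE event  (sid INTEGER, cid INTEGER, signature INTEGER,
                     timestamp TEXT, PRIMARY KEY (sid, cid));
CREATE TABLE iphdr  (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                     ip_proto INTEGER, PRIMARY KEY (sid, cid));
CREATE TABLE tcphdr (sid INTEGER, cid INTEGER, tcp_sport INTEGER,
                     tcp_dport INTEGER, PRIMARY KEY (sid, cid));
CREATE TABLE data   (sid INTEGER, cid INTEGER, data_payload TEXT,
                     PRIMARY KEY (sid, cid));
"""
SUPPORT_TABLES = ("iphdr", "tcphdr", "data")
ALL_TABLES = ("event",) + SUPPORT_TABLES
# Half-open window [start, end) so a boundary alert is never archived twice.
WINDOW = "e.timestamp >= ? AND e.timestamp < ?"


def open_db(rows=()):
    """In-memory database with the schema above, seeded with constructed alerts.
    rows: (sid, cid, signature, timestamp, ip_src, ip_dst, sport, dport, payload)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for sid, cid, sig, ts, src, dst, sport, dport, payload in rows:
        conn.execute("INSERT INTO event VALUES (?,?,?,?)", (sid, cid, sig, ts))
        conn.execute("INSERT INTO iphdr VALUES (?,?,?,?,6)", (sid, cid, src, dst))
        conn.execute("INSERT INTO tcphdr VALUES (?,?,?,?)", (sid, cid, sport, dport))
        conn.execute("INSERT INTO data VALUES (?,?,?)", (sid, cid, payload))
    conn.commit()
    return conn


def archive(conn, start, end, outdir):
    """Step 1 (archive.pl's job): one tab-separated flat file per table for the
    window. Support tables have no timestamp, so each is joined back to event.
    In MySQL this is SELECT ... INTO OUTFILE, written by mysqld on the server."""
    queries = {"event": f"SELECT e.* FROM event e WHERE {WINDOW}"}
    for t in SUPPORT_TABLES:
        queries[t] = (f"SELECT t.* FROM {t} t JOIN event e "
                      f"ON e.sid = t.sid AND e.cid = t.cid WHERE {WINDOW}")
    counts = {}
    for table, sql in queries.items():
        rows = conn.execute(sql, (start, end)).fetchall()
        with open(os.path.join(outdir, table + ".txt"), "w", newline="") as fh:
            csv.writer(fh, delimiter="\t").writerows(rows)
        counts[table] = len(rows)
    return counts


def load(arc, indir):
    """Step 2 (load.pl's job): read the flat files into the archive database.
    In MySQL this is LOAD DATA INFILE into the identically laid-out snortarc."""
    counts = {}
    for table in ALL_TABLES:
        with open(os.path.join(indir, table + ".txt"), newline="") as fh:
            rows = list(csv.reader(fh, delimiter="\t"))
        if rows:
            marks = ",".join("?" * len(rows[0]))
            arc.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
        counts[table] = len(rows)
    arc.commit()
    return counts


def clear(conn, start, end):
    """Step 3 (clear.pl's job): delete the window from the live database.
    Support tables go first, while the event rows that identify them still
    exist; event itself goes last."""
    counts = {}
    for t in SUPPORT_TABLES:
        cur = conn.execute(
            f"DELETE FROM {t} WHERE EXISTS (SELECT 1 FROM event e "
            f"WHERE e.sid = {t}.sid AND e.cid = {t}.cid AND {WINDOW})",
            (start, end))
        counts[t] = cur.rowcount
    cur = conn.execute("DELETE FROM event WHERE timestamp >= ? AND timestamp < ?",
                       (start, end))
    counts["event"] = cur.rowcount
    conn.commit()
    return counts


def check(live, arc, start, end):
    """What to look at between runs: nothing from the window is left in the
    live database, and the archive holds the rows that were dumped."""
    left = live.execute(f"SELECT COUNT(*) FROM event e WHERE {WINDOW}",
                        (start, end)).fetchone()[0]
    in_arc = {t: arc.execute(f"SELECT COUNT(*) FROM {t}").fetchone()[0]
              for t in ALL_TABLES}
    return left, in_arc


def run_demo():
    """Archive September 2001 out of a live database holding three constructed
    alerts (two in September, one in October) and report every count."""
    rows = [
        (1, 1, 100, "2001-09-12 08:00:00", 3232235777, 167772161, 1025, 80, "sample payload 1"),
        (1, 2, 101, "2001-09-30 23:59:59", 3232235778, 167772162, 1026, 22, "sample payload 2"),
        (1, 3, 100, "2001-10-03 10:15:00", 3232235779, 167772163, 1027, 80, "sample payload 3"),
    ]
    live, arc = open_db(rows), open_db()
    start, end = "2001-09-01 00:00:00", "2001-10-01 00:00:00"
    with tempfile.TemporaryDirectory() as outdir:
        archived = archive(live, start, end, outdir)
        loaded = load(arc, outdir)
    cleared = clear(live, start, end)
    left, in_arc = check(live, arc, start, end)
    return {"archived": archived, "loaded": loaded, "cleared": cleared,
            "left_in_window": left, "in_archive": in_arc,
            "live_total": live.execute("SELECT COUNT(*) FROM event").fetchone()[0]}
```

Running run_demo() archives, loads and clears two of the three alerts and leaves the October one in place; comparing the three count dictionaries and the "left_in_window" figure is the check worth doing before moving on to the next timeframe.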
Current thread:
- manual access to ACID databases Jones, Benny (Oct 10)
- <Possible follow-ups>
- RE: manual access to ACID databases Steve Halligan (Oct 10)
- Re: manual access to ACID databases Susan Kay Coulter (Oct 10)
- Re: manual access to ACID databases Steve Rudolph (Oct 10)
- Re: manual access to ACID databases Susan Kay Coulter (Oct 10)
- Re: manual access to ACID databases Susan Kay Coulter (Oct 10)
