LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 10-17-2004, 01:29 PM   #1
zuessh
Member
 
Registered: Jun 2002
Location: USA
Distribution: Suse 8.0
Posts: 247

Rep: Reputation: 30
snort with mysql database


I have a snort box running with a mysql database. The box was unattended for quite some time and accumulated well over 4 million alerts. I have finished cleaning out the alerts, but it appears the data is not being cleaned out of the mysql tables. Below is what I see when I check the size of some of the tables:


-rw-rw---- 1 mysql mysql 129989632 Oct 17 14:04 iphdr.MYI
-rw-rw---- 1 mysql mysql 145777632 Oct 17 14:04 iphdr.MYD
-rw-rw---- 1 mysql mysql 78766080 Oct 17 14:04 icmphdr.MYI
-rw-rw---- 1 mysql mysql 77444282 Oct 17 14:04 icmphdr.MYD
-rw-rw---- 1 mysql mysql 148566016 Oct 17 14:04 event.MYI
-rw-rw---- 1 mysql mysql 95666592 Oct 17 14:04 event.MYD
-rw-rw---- 1 mysql mysql 55756800 Oct 17 14:04 data.MYI
-rw-rw---- 1 mysql mysql 1403590704 Oct 17 14:04 data.MYD
-rw-rw---- 1 mysql mysql 419081752 Oct 17 14:04 acid_event.MYD
-rw-rw---- 1 mysql mysql 1024 Oct 17 14:11 acid_event.MYI

My question is: are these tables supposed to be so large? If not, can I clear them without affecting snort or acid? Thanks
 
Old 10-17-2004, 02:32 PM   #2
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 420
Quote:
The box was unattended for quite some time and accumulated well over 4 million alerts.
Ouch.


No, the tables shouldn't be anywhere near that large. Probably the easiest thing to do is to drop the snort database and then re-build it from the snort and acid scripts. It doesn't affect either snort or acid except that all those 4 million alerts will be gone.
 
Old 10-17-2004, 06:42 PM   #3
zuessh
Member
 
Registered: Jun 2002
Location: USA
Distribution: Suse 8.0
Posts: 247

Original Poster
Rep: Reputation: 30
Thanks, I can do that, but I was hoping I could delete the data from the tables. The interesting thing is that I have deleted all the alerts through ACID, but judging by the size of the tables, the data still seems to be in them.
 
Old 10-17-2004, 09:20 PM   #4
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 420
If I remember correctly, ACID sets up some of its own tables. It could be that it has deleted from those but left the Snort tables intact.

Quote:
I was hoping I could delete the data from the tables.
Unless I'm missing something, there is really no functional difference between deleting all the data from the tables and dropping the database and re-building.
 
Old 10-18-2004, 12:36 AM   #5
m_shroom
Member
 
Registered: Oct 2004
Location: Queen Charlotte B. C. Canada
Distribution: openSUSE 11.1
Posts: 42

Rep: Reputation: 15
Quote:
Originally posted by zuessh
Thanks, I can do that but I was hoping I could delete the data from the tables. The interesting thing is I have deleted all the alerts through ACID, but the data still seems to be in the tables from the size of the tables.
If you have phpMyAdmin you can use it to empty the tables safely.
 
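Added example, not from the thread and not from the Snort or ACID projects: the SQL a practitioner would run to see why the files in post #1 stay large after the alerts were deleted through ACID, and then to empty the alert tables the way posts #2, #4 and #5 suggest. It assumes the database is called snort and was built from the stock Snort 2.x create_mysql schema plus ACID's own tables; event, iphdr, icmphdr, data and acid_event appear in the listing above, the other table names are taken from those two schemas. The point the thread circles around is that the .MYD/.MYI files show these are MyISAM tables, and a MyISAM DELETE (which is what ACID's delete function issues) only marks rows as free space inside the .MYD file; the file is not shrunk until the table is rewritten by OPTIMIZE TABLE or reset by TRUNCATE TABLE, so the ls output in post #1 is exactly what a large delete leaves behind.

```sql
-- Added example (not from the thread): reclaim space in a Snort + ACID MySQL
-- database whose MyISAM files stayed large after the alerts were deleted.
-- Assumptions: database "snort", stock Snort 2.x create_mysql schema, ACID tables
-- acid_event / acid_ag / acid_ag_alert / acid_ip_cache. Run as:
--   mysql -u root -p < reclaim_snort.sql
-- Stop Snort first: every statement below takes a table lock.

USE snort;

-- 1. Compare live rows against on-disk size. Data_length + Index_length is
--    roughly the .MYD + .MYI size from ls, Data_free is the space that DELETE
--    released inside the file but never gave back to the filesystem, and Rows
--    is what is actually left. A huge Data_length with few Rows is the
--    "deleted but still big" state from post #3.
SHOW TABLE STATUS LIKE 'event';
SHOW TABLE STATUS LIKE 'data';
SHOW TABLE STATUS LIKE 'acid_event';
SELECT COUNT(*) AS live_events      FROM event;
SELECT COUNT(*) AS live_acid_events FROM acid_event;

-- 2. Empty the per-alert tables. TRUNCATE resets each MyISAM file to its empty
--    size, which DELETE does not. The Snort MySQL schema has no FOREIGN KEY
--    constraints, so the order is only for readability. The sensor, signature,
--    sig_class, sig_reference, reference, reference_system, encoding, detail and
--    schema tables are left alone: Snort looks up its sensor row at start-up
--    and keeps using that id, and ACID reads the signature tables to label
--    alerts, so emptying those would break both.
TRUNCATE TABLE event;          -- one row per alert
TRUNCATE TABLE iphdr;          -- decoded IP header per alert
TRUNCATE TABLE tcphdr;
TRUNCATE TABLE udphdr;
TRUNCATE TABLE icmphdr;
TRUNCATE TABLE opt;            -- IP/TCP options
TRUNCATE TABLE data;           -- packet payload, the 1.4 GB file in post #1
TRUNCATE TABLE acid_event;     -- ACID's denormalised copy of event + headers
TRUNCATE TABLE acid_ag_alert;  -- alert group membership
TRUNCATE TABLE acid_ag;        -- alert groups
TRUNCATE TABLE acid_ip_cache;  -- DNS/whois cache, rebuilt on demand

-- 3. Confirm the files shrank: Data_length and Index_length are now the empty
--    sizes, and the .MYD/.MYI files on disk match.
SHOW TABLE STATUS LIKE 'event';
SHOW TABLE STATUS LIKE 'data';
SHOW TABLE STATUS LIKE 'acid_event';
```

If you would rather keep the alerts that are still there, replace step 2 with a single `OPTIMIZE TABLE event, iphdr, tcphdr, udphdr, icmphdr, opt, data, acid_event, acid_ag_alert, acid_ip_cache;`, which rewrites each file without discarding rows; on MyISAM it copies the table into a temporary file first, so it needs roughly the table's current size in free disk space and will take a while on a 1.4 GB data.MYD. The drop-and-rebuild route from post #2 is `DROP DATABASE snort; CREATE DATABASE snort;` followed by feeding Snort's create_mysql script and ACID's create_acid_tbls_mysql.sql to the mysql client (file names from the Snort 2.x and ACID source trees, paths vary); it gives the same empty tables but also discards the sensor and signature rows, so Snort re-registers its sensor on next start.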
All times are GMT -5.