Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I have a snort box running with a mysql database. The box was unattended for quite some time and accumulated well over 4 million alerts. I have finished cleaning out the alerts but it appears the data is not being cleaned out of the mysql tables. Below is what I see when I look at the size of some of the tables:
-rw-rw---- 1 mysql mysql 129989632 Oct 17 14:04 iphdr.MYI
-rw-rw---- 1 mysql mysql 145777632 Oct 17 14:04 iphdr.MYD
-rw-rw---- 1 mysql mysql 78766080 Oct 17 14:04 icmphdr.MYI
-rw-rw---- 1 mysql mysql 77444282 Oct 17 14:04 icmphdr.MYD
-rw-rw---- 1 mysql mysql 148566016 Oct 17 14:04 event.MYI
-rw-rw---- 1 mysql mysql 95666592 Oct 17 14:04 event.MYD
-rw-rw---- 1 mysql mysql 55756800 Oct 17 14:04 data.MYI
-rw-rw---- 1 mysql mysql 1403590704 Oct 17 14:04 data.MYD
-rw-rw---- 1 mysql mysql 419081752 Oct 17 14:04 acid_event.MYD
-rw-rw---- 1 mysql mysql 1024 Oct 17 14:11 acid_event.MYI
My question is: are these tables supposed to be so large? If not, can I clear them without affecting snort or acid? Thanks
Quote:
The box was unattended for quite some time and accumulated well over 4 million alerts.
Ouch.
No, the tables shouldn't be anywhere near that large. Probably the easiest thing to do is to drop the snort database and then re-build it from the snort and acid scripts. It doesn't affect either snort or acid except that all those 4 million alerts will be gone.
Thanks, I can do that but I was hoping I could delete the data from the tables. The interesting thing is I have deleted all the alerts through ACID, but the data still seems to be in the tables from the size of the tables.
If I remember correctly, ACID sets up some of its own tables. It could be that it has deleted from those but left the Snort tables intact.
Quote:
I was hoping I could delete the data from the tables.
Unless I'm missing something, there is really no functional difference between deleting all the data from the tables and dropping the database and re-building.
Quote:
Originally posted by zuessh
Thanks, I can do that but I was hoping I could delete the data from the tables. The interesting thing is I have deleted all the alerts through ACID, but the data still seems to be in the tables from the size of the tables.
If you have phpMyAdmin you can use it to empty the tables safely.
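The same clean-out done from the mysql command-line client instead of phpMyAdmin, as an added example that is not from any of the posters above. It assumes the Snort database is named snort, that its tables are MyISAM (which the .MYD/.MYI files in the first post imply), and that Snort and ACID are stopped while it runs.

```sql
-- Added example (not from the thread). Assumptions: database `snort`,
-- MyISAM tables, run by a MySQL user with ALTER/DROP rights on that database,
-- with Snort and ACID stopped so nothing writes while the tables are emptied.

-- 1. See where the space actually is. Data_length and Index_length are the
--    .MYD and .MYI sizes; Data_free is space that DELETE freed but MyISAM
--    has not given back to the filesystem. That is why the files stay large
--    after deleting alerts through ACID.
SHOW TABLE STATUS FROM snort;

-- 2. Empty the per-alert tables. Only the tables named in the thread are
--    listed; the remaining per-packet tables of the Snort schema (assumed:
--    tcphdr, udphdr, opt) are cleared the same way. Lookup tables such as
--    sensor and signature (assumed names) hold no alerts and are left alone.
--    TRUNCATE recreates the table files, so the space is released at once.
TRUNCATE TABLE snort.acid_event;   -- ACID's own summary table
TRUNCATE TABLE snort.data;         -- packet payloads: the 1.4 GB file above
TRUNCATE TABLE snort.iphdr;
TRUNCATE TABLE snort.icmphdr;
TRUNCATE TABLE snort.event;

-- 3. If rows were removed with DELETE instead (which is what ACID does),
--    the .MYD/.MYI files only shrink once the table is rebuilt:
OPTIMIZE TABLE snort.event, snort.iphdr, snort.icmphdr, snort.data,
               snort.acid_event;

-- 4. Verify: Data_length and Index_length should now be close to zero.
SHOW TABLE STATUS FROM snort LIKE 'data';
```

Dropping the database and re-running the Snort and ACID creation scripts, as suggested earlier in the thread, ends in the same state; the difference is only that this keeps the schema and the lookup tables in place.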