I have a snort box running with a mysql database. The box was unattended for quite some time and accumulated well over 4 million alerts. I have finished cleaning out the alerts but it appears the data is not being cleaned out of the mysql tables. Below is what I check when I look at the size of some of the tables


-rw-rw---- 1 mysql mysql 129989632 Oct 17 14:04 iphdr.MYI
-rw-rw---- 1 mysql mysql 145777632 Oct 17 14:04 iphdr.MYD
-rw-rw---- 1 mysql mysql 78766080 Oct 17 14:04 icmphdr.MYI
-rw-rw---- 1 mysql mysql 77444282 Oct 17 14:04 icmphdr.MYD
-rw-rw---- 1 mysql mysql 148566016 Oct 17 14:04 event.MYI
-rw-rw---- 1 mysql mysql 95666592 Oct 17 14:04 event.MYD
-rw-rw---- 1 mysql mysql 55756800 Oct 17 14:04 data.MYI
-rw-rw---- 1 mysql mysql 1403590704 Oct 17 14:04 data.MYD
-rw-rw---- 1 mysql mysql 419081752 Oct 17 14:04 acid_event.MYD
-rw-rw---- 1 mysql mysql 1024 Oct 17 14:11 acid_event.MYI

My question is are these talbes supposed to be so large? If not can I clear them without effecting snort or acid? Thanks

Ouch.


No, the tables shouldn't be anywhere near that large. Probably the easiest thing to do is to drop the snort database and then re-build it from the snort and acid scripts. It doesn't affect either snort or acid except that all those 4 million alerts will be gone.

Thanks, I can do that but I was hoping I could delete the data from the tables. The interesting thing is I have deleted all the alerts through ACID, but the data still seems to be in the tables from the size of the tables.

If I remember correctly, ACID sets up some of its own tables. It could be that it has deleted from those but left the Snort tables intact.

Unless I'm missing something, there is really no functional difference between deleting all the data from the tables and dropping the database and re-building.

If you have phpMyAdmin you can use it to empty the tables safely.