RE: [Snort-users] clearing logs in acid console

permalink · #1 (**permalink**) 09-22-2004

This is a multi-part message in MIME format.

------=_NextPart_000_0000_01C4A086.F4B71EC0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

I'm using the following script to delete events from snort database.
Use it at your own risk.=20
Before use it do a backup of the database with: mysqldump -opt
snort_database > /backup/snort_backup

Hope this helps.

#!/bin/bash
#
# Script to delete old data from the snort sql database.

# NOTE! Before you can use this script, you must change the defines
# in the following lines to match those at your company.
#
# A few constants needed. User with R/W privileges to snort database.
MYUSER=3D"database_user"
MYPASS=3D"password"
SNORTDB=3D"snort_database"
# Now define the public IP address ranges used by your company.
# If you have more than one discontiguous range, you'll need to edit
# the SQL generation code lower down in this script. It's not hard to =
do.
IPLOW=3D"192.168.0.0"
IPHIGH=3D"192.168.0.254"

function usage() {
cat <<EOF >&2
Usage: $0 [ -<options> ] hours

Deletes old data in the snort database, keeping entries received within
the past <hours>. You can limit the data deleted by signature or ip,
using the specified options.

Options:
-b Debug SQL - Prints executed SQL to stderr
-d Use destination IP with -r or -i; default is =
source.
-i "ip" Have the given source IP exclusive of -r.
-n Don't actually do anything; just look up data.
-o Optimize the tables after deleting.
-r Remote source IPs only (incoming, not outgoing).
-s "x" Signature must be like '%x%'
EOF
}

if TEMP=3D`getopt -o bdi:nors: -n "$0" -- "$@"`; [ $? -ne 0 ]; then
usage; exit 1
fi

eval set -- "$TEMP"

LIKE=3D""; REMOTES=3D""; IP=3D""; SRCDST=3D"ip_src"; NOEXEC=3D""; =
DBG=3D""; OPTIM=3D""
while true ; do
if [ "$1" =3D "-b" ]; then DBG=3D1; shift
elif [ "$1" =3D "-d" ]; then SRCDST=3D"ip_dst"; shift
elif [ "$1" =3D "-i" ]; then IP=3D"$2"; shift 2
elif [ "$1" =3D "-n" ]; then NOEXEC=3D1; shift
elif [ "$1" =3D "-o" ]; then OPTIM=3D1; shift
elif [ "$1" =3D "-r" ]; then REMOTES=3D1; shift
elif [ "$1" =3D "-s" ]; then LIKE=3D"$2"; shift 2
elif [ "$1" =3D "--" ]; then shift; break
else echo "Internal getopt error?" >&2; exit 2
fi
done
if [ $# -ne 1 ]; then
usage; exit 1
elif [ -n "$IP" -a -n "$REMOTES" ]; then
echo -e "\n\nCannot specify both -i and -r.\n" >&2
usage; exit 1
elif HOURS=3D"$1"; ! echo "$HOURS" | grep -q '^[0-9]\+$'; then
echo -e "\n\nThe <Hours> argument must be a non-negative integer.\n" =
>&2
usage; exit 1
elif [ -z "$IP" -a -z "$REMOTES" -a -z "$LIKE" -a $(($HOURS+0)) =3D 0 ]; =
then
echo -e "\n\nMust specify at least one of either -i, -r or -s" >&2
echo -e "when the <hours> argument is zero (else delete entire =
DB!).\n"
>&2
usage; exit 1
fi

function makequery () {
local wa=3D"WHERE"
echo -n "SELECT event.sid, event.cid FROM "
if [ -n "$IP$REMOTES" ]; then echo -n "iphdr, "; fi
if [ -n "$LIKE" ]
then echo -n "signature, event"
else echo -n "event"
fi
if [ $HOURS -gt 0 ]; then
echo -en "\n $wa event.timestamp < NOW() - INTERVAL '$HOURS' =
HOUR"
wa=3D"AND"
fi
if [ -n "$LIKE" ]; then
if ! echo "$LIKE" | grep -q '%'; then
LIKE=3D"%${LIKE}%"
fi
echo -e "\n $wa signature.sig_name LIKE '$LIKE'"
echo -n " AND signature.sig_id =3D event.signature"; =
wa=3D"AND"
fi
if [ -n "$IP" ]; then
echo -e "\n $wa iphdr.$SRCDST =3D INET_ATON('$IP')"
elif [ -n "$REMOTES" ]; then
cat <<EOF

$wa iphdr.$SRCDST NOT BETWEEN INET_ATON('$IPLOW')
AND INET_ATON('$IPHIGH')
AND iphdr.$SRCDST NOT BETWEEN INET_ATON('10.0.0.0')
AND INET_ATON('10.255.255.255')
AND iphdr.$SRCDST NOT BETWEEN INET_ATON('192.168.0.0')
AND INET_ATON('192.168.255.255')
AND iphdr.$SRCDST NOT BETWEEN INET_ATON('172.0.0.0')
AND INET_ATON('172.255.255.255')
AND iphdr.$SRCDST NOT BETWEEN INET_ATON('65.88.87.64')
AND INET_ATON('65.88.87.127')
EOF
fi
if [ -n "$IP$REMOTES" ]
then echo " AND iphdr.sid =3D event.sid AND iphdr.cid =3D =
event.cid;"
else echo ";"
fi
}

# This takes the output of makequery, pipes it through mysql to get the
# list of rows to delete, generates the delete statements for each =
table,
# then optionally adds optimize commands.
function makesql () {
local rhs table
rhs=3D's%^$[0-9]\+$[[:space:]]\+$[0-9]\+$$%\
'
for table in data event icmphdr tcphdr udphdr iphdr opt; do
rhs=3D"${rhs}DELETE FROM $table WHERE sid=3D'\1' AND cid=3D'\2';\\
"
done
rhs=3D"$rhs%"
makequery | mysql --user=3D"$MYUSER" --password=3D"$MYPASS" -s -B =
"$SNORTDB"
|\
sed -e "$rhs"
if [ -n "$OPTIM" ]; then
# Order tables by approximate size.
for table in icmphdr udphdr opt event tcphdr iphdr data; do
echo "OPTIMIZE TABLE $table;"
done
fi
}

################################################## #######################=

# =
#
# Run the query and output the results... =
#
# =
#
################################################## #######################=

if [ -n "$DBG" ]; then
echo -e "\nSQL Query:\n" >&2; makequery >&2; echo >&2
fi

if [ -n "$NOEXEC" ]
then makesql
else makesql | mysql --user=3D"$MYUSER" --password=3D"$MYPASS" =
"$SNORTDB"=20

Thank you,
___________________________
Catalin A. Ghercoias
WEB/Network Security Administrator=20
Office Phone: +(518) 452-1242 Ext.7435
Fax: (518) 452-4768

-----Original Message-----
From: snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Jose Maria
Lopez
Sent: Tuesday, September 21, 2004 8:05 AM
To: snort-users@lists.sourceforge.net
Subject: RE: [Snort-users] clearing logs in acid console

El vie, 17 de 09 de 2004 a las 20:37, support escribi=F3:
> Hi jose
>=20
> Thanks for your help
>=20
> But I am facing problem if snort is that the /usr partition is going=20
> 100% utilized becoz of which acid console is not showing any new=20
> alerts . can u tell me how and which files to delete from this=20
> partition in order to work out.
>=20
> Regards,
> raj

You could delete the whole snort directory under the mysql directory, =
but
then you will have to create the tables for snort and acid from new. =
Check
this directory and see if you can delete it safely and create the tables =
for
acid from new.

Maybe someone can give you better advice.

--
Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos =
http://www.bgsec.com
ESPA=D1A

The only people for me are the mad ones -- the ones who are mad to live, =
mad
to talk, mad to be saved, desirous of everything at the same time, the =
ones
who never yawn or say a commonplace thing, but burn, burn, burn like
fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"

-------------------------------------------------------
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170 =
Project
Admins to receive an Apple iPod Mini FREE for your judgement on who =
ports
your project to Linux PPC the best. Sponsored by IBM.
Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?listort-users

------=_NextPart_000_0000_01C4A086.F4B71EC0
Content-Type: application/x-pkcs7-signature;
name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="smime.p7s"

MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCS qGSIb3DQEHAQAAoIILoTCCBNEw
ggO5oAMCAQICEF0RwlS/WpmpShXtwA/IalwwDQYJKoZIhvcNAQEFBQAwUjETMBEGCgmSJomT8ixk
ARkWA2NvbTEUMBIGCgmSJomT8ixkARkWBHR3ZWMxJTAjBgNVBA MTHFRyYW5zIFdvcmxkIEVudGVy
dGFpbm1lbnQgQ0EwHhcNMDQwOTAxMTgyMTM5WhcNMDkwOTAxMT gyODI3WjBSMRMwEQYKCZImiZPy
LGQBGRYDY29tMRQwEgYKCZImiZPyLGQBGRYEdHdlYzElMCMGA1 UEAxMcVHJhbnMgV29ybGQgRW50
ZXJ0YWlubWVudCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPAD CCAQoCggEBAMFsRjpqI4VyZKV4
8JHFfuPxglD0JeF5ZgDfcQR7Y7NU6PPEAeh6lEnKBkoZVSUF+P wHsE2FiBSLOoVKm8vRWCsYaB/M
dcTg3dNkgBFb6Ts9/8wLWt5O1VnPp41V/A6D5hj/SPJTqwIFfWTaie92d+ihpJT+4zkimIHJON0I
eCrr35LwYj6I8F7lK5awsoPUX2iKiiH24ftWR33YrFfauMk5Hl f8r2uRr2p8cKMS75XBMT3Lb1PP
aeLlRF6iEhw3PqdjEFSTxeyQgqrz4Fq3i0b16FOfcYDvSQiucr hmqTvgr5sShFIjsDh4wJepR3fk
h1gd219veSqrasmWfAdQeGkCAwEAAaOCAaEwggGdMBMGCSsGAQ QBgjcUAgQGHgQAQwBBMAsGA1Ud
DwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQVemhTUs9hPSXsaTegyW3TGSGifTCC
ATUGA1UdHwSCASwwggEoMIIBJKCCASCgggEchoHKbGRhcDovLy 9DTj1UcmFucyUyMFdvcmxkJTIw
RW50ZXJ0YWlubWVudCUyMENBLENOPXBsYXlzdGF0aW9uLENOPU NEUCxDTj1QdWJsaWMlMjBLZXkl
MjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW 9uLERDPXR3ZWMsREM9Y29tP2Nl
cnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0cmlidXRpb25Q
b2ludIZNaHR0cDovL3BsYXlzdGF0aW9uLnR3ZWMuY29tL0Nlcn RFbnJvbGwvVHJhbnMlMjBXb3Js
ZCUyMEVudGVydGFpbm1lbnQlMjBDQS5jcmwwEAYJKwYBBAGCNx UBBAMCAQAwDQYJKoZIhvcNAQEF
BQADggEBAD3aDDnEo0GbBXXk7/0LuvIq1jf6o0JSx0xK3jz/M5pgXbgTglwI+kHwKDMvN1gfHquq
sZ8J8ORJ62KaIrPcZFYuDd8lkcuRCjWAq9388hy7z4ZZRxlsk/WoVNCrQcTHb++2zaADbtw/DWfe
hUI0RSUhNIoGqQAt66WElTFPXarbHsUvJFp38ikfMo3ebPvVOx VHzEa5Okkzaivk92ngX2V1WOgP
s/nV2YlP53fCnYGiWcdaiBorMDjLhgLBTvh88JS4o8+Am1meRe0j ER0+71wOOokeAlYqPVTDUTqX
LBACSz3A96K1c+SgFBLlsQaV5KvFXO5CNEvsuRp4Zef53VAwgg bIMIIFsKADAgECAgoXRibQAAAA
AAFyMA0GCSqGSIb3DQEBBQUAMFIxEzARBgoJkiaJk/IsZAEZFgNjb20xFDASBgoJkiaJk/IsZAEZ
FgR0d2VjMSUwIwYDVQQDExxUcmFucyBXb3JsZCBFbnRlcnRhaW 5tZW50IENBMB4XDTA0MDkwMzEx
NTIwMVoXDTA1MDkwMzExNTIwMVowgYIxEzARBgoJkiaJk/IsZAEZFgNjb20xFDASBgoJkiaJk/Is
ZAEZFgR0d2VjMQ4wDAYDVQQDEwVVc2VyczEhMB8GA1UEAxMYR2 hlcmNvaWFzLCBDYXRhbGluIChB
RE0pMSIwIAYJKoZIhvcNAQkBFhNjZ2hlcmNvaWFzQHR3ZWMuY2 9tMIGfMA0GCSqGSIb3DQEBAQUA
A4GNADCBiQKBgQCzErJ4WOUdJxnhTY85eAnCWFO3sUB9B/J6fjN7VWjt3Y5whVfq1B8O4T0ktxqL
pZeuZa/Mx1m+wrJfpJHV4il1fU31VYEHbSD5a3NqqhT9iZPFiG62s6R2f hY9K5TuOGk4fXdAOwXj
+EXyIaWfPRR1pzmDipXBdjAxucEYs1oGDQIDAQABo4ID8TCCA+ 0wCwYDVR0PBAQDAgWgMDYGCSqG
SIb3DQEJDwQpMCcwDQYIKoZIhvcNAwICATgwDQYIKoZIhvcNAw QCATgwBwYFKw4DAgcwHQYDVR0O
BBYEFJMWHsfo99JXX6cxHfr/yp8a3HiiMDwGCSsGAQQBgjcVBwQvMC0GJSsGAQQBgjcVCIa5qk CE
mXOCvZUIgeTcYoPLlXBwgsK5U4KGsCsCAWQCAQIwHwYDVR0jBB gwFoAUFXpoU1LPYT0l7Gk3oMlt
0xkhon0wggE1BgNVHR8EggEsMIIBKDCCASSgggEgoIIBHIaBym xkYXA6Ly8vQ049VHJhbnMlMjBX
b3JsZCUyMEVudGVydGFpbm1lbnQlMjBDQSxDTj1wbGF5c3RhdG lvbixDTj1DRFAsQ049UHVibGlj
JTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZm lndXJhdGlvbixEQz10d2VjLERD
PWNvbT9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlzdHJp
YnV0aW9uUG9pbnSGTWh0dHA6Ly9wbGF5c3RhdGlvbi50d2VjLm NvbS9DZXJ0RW5yb2xsL1RyYW5z
JTIwV29ybGQlMjBFbnRlcnRhaW5tZW50JTIwQ0EuY3JsMIIBQw YIKwYBBQUHAQEEggE1MIIBMTCB
vgYIKwYBBQUHMAKGgbFsZGFwOi8vL0NOPVRyYW5zJTIwV29ybG QlMjBFbnRlcnRhaW5tZW50JTIw
Q0EsQ049QUlBLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLE NOPVNlcnZpY2VzLENOPUNvbmZp
Z3VyYXRpb24sREM9dHdlYyxEQz1jb20/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNl
cnRpZmljYXRpb25BdXRob3JpdHkwbgYIKwYBBQUHMAKGYmh0dH A6Ly9wbGF5c3RhdGlvbi50d2Vj
LmNvbS9DZXJ0RW5yb2xsL3BsYXlzdGF0aW9uLnR3ZWMuY29tX1 RyYW5zJTIwV29ybGQlMjBFbnRl
cnRhaW5tZW50JTIwQ0EuY3J0MCkGA1UdJQQiMCAGCCsGAQUFBw MCBggrBgEFBQcDBAYKKwYBBAGC
NwoDBDA1BgkrBgEEAYI3FQoEKDAmMAoGCCsGAQUFBwMCMAoGCC sGAQUFBwMEMAwGCisGAQQBgjcK
AwQwRgYDVR0RBD8wPaAmBgorBgEEAYI3FAIDoBgMFmNnaGVyY2 9pYXNhZG1AdHdlYy5jb22BE2Nn
aGVyY29pYXNAdHdlYy5jb20wDQYJKoZIhvcNAQEFBQADggEBAL m3EGcuAZBnu1frie00VAK5/dwL
0EUhqxVvh3o0mi/4gSyplWe/FxyIlNO8+V99bqvDvX/bgPoNRybtCZhaWTSLLxmGWfJXjCxtTYCK
ioO508JfEeyJP1T17WI0Aa50S9MsDfqZP6kMCnkVsTnUIPSwQE rEoRJQvMbUABJVfRRHRU7w5P64
F1ZgWcYDILHeEB6j6tvspwdmfETTMmXK29UQtkVrDeOg9eF/ITHTqUJfItqXpze6dBakLEj4Cme/
C06Nt8Voxr4Z3GIRCmMruNnNIPwXymyFqdE1NI+b/3/c9OjGDtCwF69CNlme7LpHeM81sj5FJD+l
i8vJRmvDPN8xggK0MIICsAIBATBgMFIxEzARBgoJkiaJk/IsZAEZFgNjb20xFDASBgoJkiaJk/Is
ZAEZFgR0d2VjMSUwIwYDVQQDExxUcmFucyBXb3JsZCBFbnRlcn RhaW5tZW50IENBAgoXRibQAAAA
AAFyMAkGBSsOAwIaBQCgggGqMBgGCSqGSIb3DQEJAzELBgkqhk iG9w0BBwEwHAYJKoZIhvcNAQkF
MQ8XDTA0MDkyMjEzMzEzNlowIwYJKoZIhvcNAQkEMRYEFAI77U LVSi5p5+FNM95J9sIW1czkMGcG
CSqGSIb3DQEJDzFaMFgwCgYIKoZIhvcNAwcwDgYIKoZIhvcNAw ICAgCAMA0GCCqGSIb3DQMCAgFA
MAcGBSsOAwIHMA0GCCqGSIb3DQMCAgEoMAcGBSsOAwIaMAoGCC qGSIb3DQIFMG8GCSsGAQQBgjcQ
BDFiMGAwUjETMBEGCgmSJomT8ixkARkWA2NvbTEUMBIGCgmSJo mT8ixkARkWBHR3ZWMxJTAjBgNV
BAMTHFRyYW5zIFdvcmxkIEVudGVydGFpbm1lbnQgQ0ECChdGJt AAAAAAAXIwcQYLKoZIhvcNAQkQ
AgsxYqBgMFIxEzARBgoJkiaJk/IsZAEZFgNjb20xFDASBgoJkiaJk/IsZAEZFgR0d2VjMSUwIwYD
VQQDExxUcmFucyBXb3JsZCBFbnRlcnRhaW5tZW50IENBAgoXRi bQAAAAAAFyMA0GCSqGSIb3DQEB
AQUABIGAeT0OtjMEkVJTvBIKc90Vb8b6dKMxmYGG62L0+ncYRc O/FybV/c0UtfB/Uhw0uxew3HZC
/Rd49Rg12YIGw+/qDtkVJKgfOLHTbQ/+uRAq//t4nR7c1WzIdEfRGcIH+raz/t65gjYvYQYt0ctn
87ZFzRAKf7SL/aOYDxudU9VJBvMAAAAAAAA=

------=_NextPart_000_0000_01C4A086.F4B71EC0--

-------------------------------------------------------
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM.
Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode