[Snort-users] Php script for deleting alerts

Posted 05-22-2006 by Paul Schmehl


I have written a php script for deleting alerts from a mysql db when
you're using base to view snort. (The script uses schema 106 for mysql.
It hasn't been tested with any other schema.) It's a fairly simple
script, with a handful of options, and it can (and should) use a conf
file, at least for the db userid and password. This is a use at your
own risk, beta script, so if you're not into testing and trying things
out, you don't want to get a copy.

If you are interested in testing this script, let me know, and I'll send
you a copy. (There are actually three files: the script, a conf file and
a sql script for creating a table in the db.) If there's enough
interest, I'll include it as a tarball download from our ntsug website,
just as I do my archive script.

The script does one thing - deletes all alerts for a single IP (both
source and destination events), regardless of what those alerts are. If
there's an interest, I'd be willing to work on further functionality.
At the present time it does not delete discrete types of alerts. Nor
will it delete alerts associated with more than one IP address. IOW,
you can't delete alerts for a range of IPs (CIDR or otherwise). It
should also be used with caution, since you're exposing a userid and
password to your database (so set your perms tightly and control access,
yada, yada, yada.)

I wrote this script because I got tired of deleting large numbers of
portscanning events from base, 10,000 or so at a time. This script has
successfully deleted 500,000 events (associated with one IP) in a short
amount of time. Run times are about six times longer on mysql 3.x than
they are on mysql 4.x. I haven't tested mysql 5.x.

Here are some of the times I've been getting. (FreeBSD 6.0 dual AMD
processors, 2GB ram, mysql 4.1.19.) YMMV depending on hardware and
version of mysql.

php delete_alerts.php -c delete_alerts.conf -i 72.32.58.187
The 82269 alerts associated with 72.32.58.187 were deleted from 7 tables
in 9 seconds

php delete_alerts.php -c delete_alerts.conf -i 68.142.213.132
The 16675 alerts associated with 68.142.213.132 were deleted from 7
tables in 2 seconds

php delete_alerts.php -c delete_alerts.conf -i 140.129.37.154
The 1811 alerts associated with 140.129.37.154 were deleted from 7
tables in 1 seconds

php delete_alerts.php -c delete_alerts.conf -i 68.94.75.19
The 1685 alerts associated with 68.94.75.19 were deleted from 7 tables
in 2 seconds

--
Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
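Added illustration (not Paul's script, which was not posted to the list): the deletion pattern the post describes, keyed on the (sid, cid) pair that every per-alert table in the Snort database schema shares, run against a constructed in-memory SQLite subset of that schema. The table and column names are assumptions modelled on the Snort schema, the address is validated as exactly one IPv4 host (matching the script's single-IP limitation), and all tables are purged in one transaction.

```python
import ipaddress
import sqlite3

# Constructed subset of the Snort/BASE alert schema (schema 106 has more tables and
# columns); every per-alert table is keyed by the (sid, cid) pair of the event.
SCHEMA = """
CREATE TABLE event  (sid INTEGER, cid INTEGER, signature INTEGER, PRIMARY KEY (sid, cid));
CREATE TABLE iphdr  (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER, PRIMARY KEY (sid, cid));
CREATE TABLE tcphdr (sid INTEGER, cid INTEGER, tcp_sport INTEGER, tcp_dport INTEGER, PRIMARY KEY (sid, cid));
CREATE TABLE data   (sid INTEGER, cid INTEGER, data_payload TEXT, PRIMARY KEY (sid, cid));
"""
# Fixed, code-owned list of tables to purge (never built from user input).
ALERT_TABLES = ("event", "iphdr", "tcphdr", "data")


def ip_to_int(ip):
    """Snort stores IPv4 addresses as unsigned 32-bit ints (what MySQL's INET_ATON returns)."""
    # Rejects CIDR ranges, hostnames and IPv6: only a single IPv4 host is accepted.
    return int(ipaddress.IPv4Address(ip))


def delete_alerts_for_ip(conn, ip):
    """Delete every alert where ip is the source or destination. Returns (alerts, tables)."""
    ip_int = ip_to_int(ip)
    with conn:  # one transaction: either every table is purged or none is
        keys = conn.execute(
            "SELECT sid, cid FROM iphdr WHERE ip_src = ? OR ip_dst = ?", (ip_int, ip_int)
        ).fetchall()
        for table in ALERT_TABLES:
            conn.executemany(f"DELETE FROM {table} WHERE sid = ? AND cid = ?", keys)
    return len(keys), len(ALERT_TABLES)


def count_rows(conn, table):
    return conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]


def build_sample_db():
    """Constructed data: three alerts involving 192.0.2.10 and one that does not."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    a, b, c = ip_to_int("192.0.2.10"), ip_to_int("198.51.100.5"), ip_to_int("203.0.113.7")
    for sid, cid, src, dst in [(1, 1, a, b), (1, 2, a, b), (1, 3, b, a), (1, 4, c, b)]:
        conn.execute("INSERT INTO event VALUES (?, ?, 1)", (sid, cid))
        conn.execute("INSERT INTO iphdr VALUES (?, ?, ?, ?)", (sid, cid, src, dst))
        conn.execute("INSERT INTO tcphdr VALUES (?, ?, 40000, 22)", (sid, cid))
        conn.execute("INSERT INTO data VALUES (?, ?, 'payload')", (sid, cid))
    conn.commit()
    return conn
```

Against a real Snort database the same statements apply with INET_ATON() on the MySQL side and the full list of per-alert tables in place of the four used here.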



_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net