RE: [Snort-users] clearing logs in acid console
From: CGhercoias at TWEC.COM
Date: Wed Sep 22 2004 - 08:31:36 CDT
I'm using the following script to delete events from the snort database.
Use it at your own risk.
Before using it, do a backup of the database with: mysqldump -opt snort_database > /backup/snort_backup
Hope this helps.
#!/bin/bash
#
# Script to delete old data from the snort sql database.
# NOTE! Before you can use this script, you must change the defines
# in the following lines to match those at your company.
#
# A few constants needed. User with R/W privileges to snort database.
MYUSER="database_user"
MYPASS="password"
SNORTDB="snort_database"
# Now define the public IP address ranges used by your company.
# If you have more than one discontiguous range, you'll need to edit
# the SQL generation code lower down in this script. It's not hard to do.
IPLOW="192.168.0.0"
IPHIGH="192.168.0.254"

function usage() {
cat <<EOF >&2
Usage: $0 [ -<options> ] hours
Deletes old data in the snort database, keeping entries received within
the past <hours>. You can limit the data deleted by signature or ip,
using the specified options.
Options:
  -b       Debug SQL - Prints executed SQL to stderr
  -d       Use destination IP with -r or -i; default is source.
  -i "ip"  Have the given source IP exclusive of -r.
  -n       Don't actually do anything; just look up data.
  -o       Optimize the tables after deleting.
  -r       Remote source IPs only (incoming, not outgoing).
  -s "x"   Signature must be like '%x%'
EOF
}

# Parse the options with GNU (enhanced) getopt; "$?" here is the exit
# status of the getopt command substitution.
if TEMP=`getopt -o bdi:nors: -n "$0" -- "$@"`; [ $? -ne 0 ]; then
    usage; exit 1
fi
eval set -- "$TEMP"

LIKE=""; REMOTES=""; IP=""; SRCDST="ip_src"; NOEXEC=""; DBG=""; OPTIM=""
while true ; do
    if   [ "$1" = "-b" ]; then DBG=1; shift
    elif [ "$1" = "-d" ]; then SRCDST="ip_dst"; shift
    elif [ "$1" = "-i" ]; then IP="$2"; shift 2
    elif [ "$1" = "-n" ]; then NOEXEC=1; shift
    elif [ "$1" = "-o" ]; then OPTIM=1; shift
    elif [ "$1" = "-r" ]; then REMOTES=1; shift
    elif [ "$1" = "-s" ]; then LIKE="$2"; shift 2
    elif [ "$1" = "--" ]; then shift; break
    else echo "Internal getopt error?" >&2; exit 2
    fi
done

if [ $# -ne 1 ]; then
    usage; exit 1
elif [ -n "$IP" -a -n "$REMOTES" ]; then
    echo -e "\n\nCannot specify both -i and -r.\n" >&2
    usage; exit 1
elif HOURS="$1"; ! echo "$HOURS" | grep -q '^[0-9]\+$'; then
    echo -e "\n\nThe <Hours> argument must be a non-negative integer.\n" >&2
    usage; exit 1
elif [ -z "$IP" -a -z "$REMOTES" -a -z "$LIKE" -a $(($HOURS+0)) = 0 ]; then
    echo -e "\n\nMust specify at least one of either -i, -r or -s" >&2
    echo -e "when the <hours> argument is zero (else delete entire DB!).\n" >&2
    usage; exit 1
fi

# Build the SELECT that lists the (sid, cid) pairs to delete. Output is
# written piecewise; $wa switches from WHERE to AND after the first clause.
function makequery () {
    local wa="WHERE"
    echo -n "SELECT event.sid, event.cid FROM "
    if [ -n "$IP$REMOTES" ]; then echo -n "iphdr, "; fi
    if [ -n "$LIKE" ]
        then echo -n "signature, event"
        else echo -n "event"
    fi
    if [ $HOURS -gt 0 ]; then
        echo -en "\n    $wa event.timestamp < NOW() - INTERVAL '$HOURS' HOUR"
        wa="AND"
    fi
    if [ -n "$LIKE" ]; then
        if ! echo "$LIKE" | grep -q '%'; then
            LIKE="%${LIKE}%"
        fi
        echo -e "\n    $wa signature.sig_name LIKE '$LIKE'"
        echo -n "    AND signature.sig_id = event.signature"; wa="AND"
    fi
    if [ -n "$IP" ]; then
        echo -e "\n    $wa iphdr.$SRCDST = INET_ATON('$IP')"
    elif [ -n "$REMOTES" ]; then
        # Exclude the company range and the private blocks. Note the 172
        # block below is the whole 172/8, wider than RFC 1918's 172.16/12.
        # The here-document lines must start with whitespace so the text
        # joins correctly onto the previous (unterminated) echo output.
        cat <<EOF

    $wa iphdr.$SRCDST NOT BETWEEN INET_ATON('$IPLOW')
        AND INET_ATON('$IPHIGH')
    AND iphdr.$SRCDST NOT BETWEEN INET_ATON('10.0.0.0')
        AND INET_ATON('10.255.255.255')
    AND iphdr.$SRCDST NOT BETWEEN INET_ATON('192.168.0.0')
        AND INET_ATON('192.168.255.255')
    AND iphdr.$SRCDST NOT BETWEEN INET_ATON('172.0.0.0')
        AND INET_ATON('172.255.255.255')
    AND iphdr.$SRCDST NOT BETWEEN INET_ATON('65.88.87.64')
        AND INET_ATON('65.88.87.127')
EOF
    fi
    if [ -n "$IP$REMOTES" ]
        then echo "    AND iphdr.sid = event.sid AND iphdr.cid = event.cid;"
        else echo ";"
    fi
}

# This takes the output of makequery, pipes it through mysql to get the
# list of rows to delete, generates the delete statements for each table,
# then optionally adds optimize commands.
function makesql () {
    local rhs table
    # Build a sed substitution that turns each "sid<TAB>cid" row into one
    # DELETE per table; a backslash before the newline in the replacement
    # inserts a newline.
    rhs='s%^\([0-9]\+\)[[:space:]]\+\([0-9]\+\)$%\
'
    for table in data event icmphdr tcphdr udphdr iphdr opt; do
        rhs="${rhs}DELETE FROM $table WHERE sid='\1' AND cid='\2';\\
"
    done
    rhs="$rhs%"
    makequery | mysql --user="$MYUSER" --password="$MYPASS" -s -B "$SNORTDB" |\
        sed -e "$rhs"
    if [ -n "$OPTIM" ]; then
        # Order tables by approximate size.
        for table in icmphdr udphdr opt event tcphdr iphdr data; do
            echo "OPTIMIZE TABLE $table;"
        done
    fi
}

#########################################################################
#                                                                       #
# Run the query and output the results...                               #
#                                                                       #
#########################################################################
if [ -n "$DBG" ]; then
    echo -e "\nSQL Query:\n" >&2; makequery >&2; echo >&2
fi
if [ -n "$NOEXEC" ]
    then makesql
    else makesql | mysql --user="$MYUSER" --password="$MYPASS" "$SNORTDB"
fi
Thank you,
___________________________
Catalin A. Ghercoias
WEB/Network Security Administrator
Office Phone: +(518) 452-1242 Ext.7435
Fax: (518) 452-4768
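Added example, not part of the post above and not Snort or ACID code: the same selection rules as the script (age in hours, signature substring, one source or destination IP, or remote-only addresses) and the same per-table delete, written in Python against an in-memory SQLite stand-in for the MySQL snort database so it runs offline. It differs from the script in two deliberate ways: the WHERE clause is built from bound parameters rather than shell variables pasted into the SQL text, so a -s or -i value containing a quote cannot change what gets deleted, and the deletes run inside one transaction that a dry run rolls back instead of merely printing statements. Everything below is assumed or constructed: the schema is a minimal subset of the Snort DB tables (event, signature, iphdr and the other per-event tables), INET_ATON is emulated with Python's ipaddress module, the 172 private block is RFC 1918's 172.16.0.0/12 rather than the script's 172.0.0.0/8, the sample events are made up, and "now" is pinned to the date of this message so the results are repeatable.

```python
"""Prune old Snort events by age, signature, IP or remote-only, with a dry run (added example)."""
import ipaddress
import sqlite3
from datetime import datetime, timedelta

# Per-event tables keyed by (sid, cid), in the order the posted script deletes from.
EVENT_TABLES = ["data", "event", "icmphdr", "tcphdr", "udphdr", "iphdr", "opt"]
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # RFC 1918 (assumed)
NOW = datetime(2004, 9, 22, 8, 31, 36)  # constructed reference time (message date)
SAMPLE_EVENTS = [  # constructed: (sid, cid, sig_name, age_hours, ip_src, ip_dst)
    (1, 1, "ICMP PING NMAP",          72, "203.0.113.5",  "192.168.0.10"),
    (1, 2, "WEB-IIS cmd.exe access",  30, "198.51.100.7", "192.168.0.20"),
    (1, 3, "ICMP PING NMAP",           2, "203.0.113.5",  "192.168.0.10"),
    (1, 4, "SNMP request udp",        50, "192.168.0.33", "10.0.0.9"),
    (2, 1, "WEB-IIS cmd.exe access", 100, "192.168.0.20", "203.0.113.5"),
]


def ip_to_int(ip):
    """Stand-in for MySQL INET_ATON: dotted quad -> integer."""
    return int(ipaddress.IPv4Address(ip))


def build_db(events=SAMPLE_EVENTS, now=NOW):
    """Create a minimal subset of the Snort DB schema and load the sample events."""
    conn = sqlite3.connect(":memory:", isolation_level=None)  # autocommit; BEGIN by hand
    conn.execute("CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT)")
    conn.execute("CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER,"
                 " timestamp TEXT, PRIMARY KEY (sid, cid))")
    conn.execute("CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER,"
                 " ip_dst INTEGER, PRIMARY KEY (sid, cid))")
    for t in ("data", "icmphdr", "tcphdr", "udphdr", "opt"):
        conn.execute(f"CREATE TABLE {t} (sid INTEGER, cid INTEGER)")
    sig_ids = {}
    for sid, cid, sig, age, src, dst in events:
        if sig not in sig_ids:
            sig_ids[sig] = conn.execute("INSERT INTO signature (sig_name) VALUES (?)",
                                        (sig,)).lastrowid
        ts = (now - timedelta(hours=age)).strftime("%Y-%m-%d %H:%M:%S")
        conn.execute("INSERT INTO event VALUES (?, ?, ?, ?)", (sid, cid, sig_ids[sig], ts))
        conn.execute("INSERT INTO iphdr VALUES (?, ?, ?, ?)",
                     (sid, cid, ip_to_int(src), ip_to_int(dst)))
        conn.execute("INSERT INTO data VALUES (?, ?)", (sid, cid))  # payload row
    return conn


def select_victims(conn, hours, like=None, ip=None, remotes=False, use_dst=False,
                   local_range=("192.168.0.0", "192.168.0.254"), now=NOW):
    """Return the (sid, cid) pairs the script's options (hours, -s, -i, -r, -d) select.
    Every user-supplied value is bound as a parameter, never pasted into the SQL."""
    if ip and remotes:
        raise ValueError("-i and -r are mutually exclusive")
    if hours == 0 and not (like or ip or remotes):
        raise ValueError("hours=0 with no filter would select the entire database")
    col = "iphdr.ip_dst" if use_dst else "iphdr.ip_src"  # fixed choice, not user text
    sql, where, params = ["SELECT event.sid, event.cid FROM event"], [], []
    if like:
        sql.append("JOIN signature ON signature.sig_id = event.signature")
        where.append("signature.sig_name LIKE ?")
        params.append(like if "%" in like else f"%{like}%")
    if ip or remotes:
        sql.append("JOIN iphdr ON iphdr.sid = event.sid AND iphdr.cid = event.cid")
    if hours > 0:  # keep everything received within the last <hours>
        where.append("event.timestamp < ?")
        params.append((now - timedelta(hours=hours)).strftime("%Y-%m-%d %H:%M:%S"))
    if ip:
        where.append(f"{col} = ?")
        params.append(ip_to_int(ip))
    elif remotes:  # exclude the company range and the private blocks
        ranges = [(ip_to_int(local_range[0]), ip_to_int(local_range[1]))]
        ranges += [(int(n.network_address), int(n.broadcast_address)) for n in PRIVATE_NETS]
        for lo, hi in ranges:
            where.append(f"{col} NOT BETWEEN ? AND ?")
            params.extend((lo, hi))
    if where:
        sql.append("WHERE " + " AND ".join(where))
    sql.append("ORDER BY event.sid, event.cid")
    return conn.execute(" ".join(sql), params).fetchall()


def prune(conn, victims, dry_run=True):
    """Delete the pairs from every per-event table in one transaction and return
    {table: rows removed}; a dry run rolls the transaction back, keeping the data."""
    counts, cur = {}, conn.cursor()
    cur.execute("BEGIN")
    try:
        for table in EVENT_TABLES:
            counts[table] = 0
            for sid, cid in victims:
                cur.execute(f"DELETE FROM {table} WHERE sid = ? AND cid = ?", (sid, cid))
                counts[table] += cur.rowcount
        cur.execute("ROLLBACK" if dry_run else "COMMIT")
    except Exception:
        cur.execute("ROLLBACK")
        raise
    return counts


def event_count(conn):
    return conn.execute("SELECT COUNT(*) FROM event").fetchone()[0]
```

Usage: db = build_db(); old = select_victims(db, 48); prune(db, old) reports what would go without touching anything (the counterpart of the script's -n), and prune(db, old, dry_run=False) commits. Against real MySQL the same structure applies with MySQLdb or mysql-connector, INET_ATON in place of ip_to_int, and NOW() - INTERVAL %s HOUR with the hours bound as a parameter.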
-----Original Message-----
From: snort-users-admin at lists.sourceforge.net [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Jose Maria Lopez
Sent: Tuesday, September 21, 2004 8:05 AM
To: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] clearing logs in acid console
On Fri, 17 Sep 2004 at 20:37, support wrote:
> Hi jose
>
> Thanks for your help
>
> But I am facing a problem with snort: the /usr partition is going
> 100% utilized, because of which the acid console is not showing any new
> alerts. Can you tell me how and which files to delete from this
> partition in order to work it out.
>
> Regards,
> raj
You could delete the whole snort directory under the mysql directory, but
then you will have to create the tables for snort and acid from new. Check
this directory and see if you can delete it safely and create the tables for
acid from new.
Maybe someone can give you better advice.
--
Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac at bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos http://www.bgsec.com
SPAIN
The only people for me are the mad ones -- the ones who are mad to live, mad
to talk, mad to be saved, desirous of everything at the same time, the ones
who never yawn or say a commonplace thing, but burn, burn, burn like
fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users