[Snort-users] clearing logs in acid console

support

2004-09-22, 10:25 pm

Hi

Can anyone tell me how to clear the contents that are displayed on the ACID
viewer, e.g. ICMP traffic? Because when I try to see the traffic for
ICMP it shows me logs right from the 1st page. In short, what do I do if I
want only the recent logs to be displayed on the ACID viewer and all
previous logs not to be displayed?

Regards,
Raj


_______________________________________________________________________________
SITEL INDIA LTD.
4 A, Park Davis Complex(main)
Sakinaka,
Andheri-Kurla Road,
Mumbai 4000072,
India.
Tel : 91-22-2820131,28522657
FAX : 91-22-28561659
IPLC :402-536-4179
e-mail: support@sitel-india.com




-------------------------------------------------------
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM.
Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists...nfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf....ist=snort-users
Jose Maria Lopez

2004-09-22, 10:25 pm

On Thu, 16 Sep 2004 at 21:37, support wrote:
> Hi
>
> Can anyone tell me how to clear the contents that are displayed on the
> ACID viewer, e.g. ICMP traffic? Because when I try to see the
> traffic for ICMP it shows me logs right from the 1st page. In short,
> what do I do if I want only the recent logs to be displayed on the ACID
> viewer and all previous logs not to be displayed?


You can delete the logs from the snort acid-console, just do a find
of the packets you want to delete and then use the delete all feature
of ACID.

-- 
Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
SPAIN

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"



Jose Maria Lopez

2004-09-22, 10:25 pm

On Fri, 17 Sep 2004 at 20:37, support wrote:
> Hi Jose
>
> Thanks for your help
>
> But the problem I am facing with snort is that the /usr partition is going
> 100% utilized, because of which the acid console is not showing any new
> alerts. Can you tell me how and which files to delete from this partition
> in order to work out.
>
> Regards,
> raj


You could delete the whole snort directory under the mysql directory,
but then you will have to create the tables for snort and acid from
new. Check this directory and see if you can delete it safely and
create the tables for acid from new.

Maybe someone can give you better advice.

-- 
Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
SPAIN

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"



Jose Costa

2004-09-22, 10:25 pm

I would add a complete backup of mysql database before
the deletion....

My 2 cents...

JL
--- Jose Maria Lopez <jkerouac@bgsec.com> wrote:
> On Fri, 17 Sep 2004 at 20:37, support wrote:
>
> You could delete the whole snort directory under the mysql directory,
> but then you will have to create the tables for snort and acid from
> new. Check this directory and see if you can delete it safely and
> create the tables for acid from new.
>
> Maybe someone can give you better advice.









Catalin A. Ghercoias

2004-09-22, 10:25 pm


I'm using the following script to delete events from the snort database.
Use it at your own risk.
Before using it, do a backup of the database with: mysqldump --opt
snort_database > /backup/snort_backup

Hope this helps.

#!/bin/bash
#
# Script to delete old data from the snort sql database.

# NOTE! Before you can use this script, you must change the defines
# in the following lines to match those at your company.
#
# A few constants needed. User with R/W privileges to snort database.
MYUSER="database_user"
MYPASS="password"
SNORTDB="snort_database"
# Now define the public IP address ranges used by your company.
# If you have more than one discontiguous range, you'll need to edit
# the SQL generation code lower down in this script. It's not hard to do.
IPLOW="192.168.0.0"
IPHIGH="192.168.0.254"

function usage() {
    cat <<EOF >&2
Usage: $0 [ -<options> ] hours

Deletes old data in the snort database, keeping entries received within
the past <hours>. You can limit the data deleted by signature or ip,
using the specified options.

Options:
    -b        Debug SQL - Prints executed SQL to stderr
    -d        Use destination IP with -r or -i; default is source.
    -i "ip"   Have the given source IP exclusive of -r.
    -n        Don't actually do anything; just look up data.
    -o        Optimize the tables after deleting.
    -r        Remote source IPs only (incoming, not outgoing).
    -s "x"    Signature must be like '%x%'
EOF
}

# getopt normalises the argument list; $? here is getopt's exit status.
if TEMP=`getopt -o bdi:nors: -n "$0" -- "$@"`; [ $? -ne 0 ]; then
    usage; exit 1
fi

eval set -- "$TEMP"

LIKE=""; REMOTES=""; IP=""; SRCDST="ip_src"; NOEXEC=""; DBG=""; OPTIM=""
while true ; do
    if   [ "$1" = "-b" ]; then DBG=1; shift
    elif [ "$1" = "-d" ]; then SRCDST="ip_dst"; shift
    elif [ "$1" = "-i" ]; then IP="$2"; shift 2
    elif [ "$1" = "-n" ]; then NOEXEC=1; shift
    elif [ "$1" = "-o" ]; then OPTIM=1; shift
    elif [ "$1" = "-r" ]; then REMOTES=1; shift
    elif [ "$1" = "-s" ]; then LIKE="$2"; shift 2
    elif [ "$1" = "--" ]; then shift; break
    else echo "Internal getopt error?" >&2; exit 2
    fi
done
if [ $# -ne 1 ]; then
    usage; exit 1
elif [ -n "$IP" -a -n "$REMOTES" ]; then
    echo -e "\n\nCannot specify both -i and -r.\n" >&2
    usage; exit 1
elif HOURS="$1"; ! echo "$HOURS" | grep -q '^[0-9]\+$'; then
    echo -e "\n\nThe <Hours> argument must be a non-negative integer.\n" >&2
    usage; exit 1
elif [ -z "$IP" -a -z "$REMOTES" -a -z "$LIKE" -a $(($HOURS+0)) = 0 ]; then
    echo -e "\n\nMust specify at least one of either -i, -r or -s" >&2
    echo -e "when the <hours> argument is zero (else delete entire DB!).\n" >&2
    usage; exit 1
fi

# Emits the SELECT that lists the (sid, cid) pairs of the events to delete.
function makequery () {
    local wa="WHERE"
    echo -n "SELECT event.sid, event.cid FROM "
    if [ -n "$IP$REMOTES" ]; then echo -n "iphdr, "; fi
    if [ -n "$LIKE" ]
    then echo -n "signature, event"
    else echo -n "event"
    fi
    if [ $HOURS -gt 0 ]; then
        echo -en "\n $wa event.timestamp < NOW() - INTERVAL '$HOURS' HOUR"
        wa="AND"
    fi
    if [ -n "$LIKE" ]; then
        if ! echo "$LIKE" | grep -q '%'; then
            LIKE="%${LIKE}%"
        fi
        echo -e "\n $wa signature.sig_name LIKE '$LIKE'"
        echo -n " AND signature.sig_id = event.signature"; wa="AND"
    fi
    if [ -n "$IP" ]; then
        echo -e "\n $wa iphdr.$SRCDST = INET_ATON('$IP')"
    elif [ -n "$REMOTES" ]; then
        cat <<EOF

 $wa iphdr.$SRCDST NOT BETWEEN INET_ATON('$IPLOW')
                          AND INET_ATON('$IPHIGH')
 AND iphdr.$SRCDST NOT BETWEEN INET_ATON('10.0.0.0')
                          AND INET_ATON('10.255.255.255')
 AND iphdr.$SRCDST NOT BETWEEN INET_ATON('192.168.0.0')
                          AND INET_ATON('192.168.255.255')
 AND iphdr.$SRCDST NOT BETWEEN INET_ATON('172.0.0.0')
                          AND INET_ATON('172.255.255.255')
 AND iphdr.$SRCDST NOT BETWEEN INET_ATON('65.88.87.64')
                          AND INET_ATON('65.88.87.127')
EOF
    fi
    if [ -n "$IP$REMOTES" ]
    then echo " AND iphdr.sid = event.sid AND iphdr.cid = event.cid;"
    else echo ";"
    fi
}

# This takes the output of makequery, pipes it through mysql to get the
# list of rows to delete, generates the delete statements for each table,
# then optionally adds optimize commands.
function makesql () {
    local rhs table
    # sed substitution: each "sid<TAB>cid" row becomes one DELETE per table.
    rhs='s%^\([0-9]\+\)[[:space:]]\+\([0-9]\+\)$%\
'
    for table in data event icmphdr tcphdr udphdr iphdr opt; do
        rhs="${rhs}DELETE FROM $table WHERE sid='\1' AND cid='\2';\\
"
    done
    rhs="$rhs%"
    makequery | mysql --user="$MYUSER" --password="$MYPASS" -s -B "$SNORTDB" |\
        sed -e "$rhs"
    if [ -n "$OPTIM" ]; then
        # Order tables by approximate size.
        for table in icmphdr udphdr opt event tcphdr iphdr data; do
            echo "OPTIMIZE TABLE $table;"
        done
    fi
}

#########################################################################
#                                                                       #
#  Run the query and output the results...                              #
#                                                                       #
#########################################################################

if [ -n "$DBG" ]; then
    echo -e "\nSQL Query:\n" >&2; makequery >&2; echo >&2
fi

if [ -n "$NOEXEC" ]
then makesql
else makesql | mysql --user="$MYUSER" --password="$MYPASS" "$SNORTDB"
fi


Thank you,
___________________________
Catalin A. Ghercoias
WEB/Network Security Administrator
Office Phone: +(518) 452-1242 Ext.7435
Fax: (518) 452-4768


-----Original Message-----
From: snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Jose Maria
Lopez
Sent: Tuesday, September 21, 2004 8:05 AM
To: snort-users@lists.sourceforge.net
Subject: RE: [Snort-users] clearing logs in acid console

On Fri, 17 Sep 2004 at 20:37, support wrote:
> Hi Jose
>
> Thanks for your help
>
> But the problem I am facing with snort is that the /usr partition is going
> 100% utilized, because of which the acid console is not showing any new
> alerts. Can you tell me how and which files to delete from this
> partition in order to work out.
>
> Regards,
> raj


You could delete the whole snort directory under the mysql directory, but
then you will have to create the tables for snort and acid from new. Check
this directory and see if you can delete it safely and create the tables for
acid from new.

Maybe someone can give you better advice.


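Catalin's script splices the -i and -s arguments straight into the SQL text and turns the sid/cid rows into DELETE statements with sed. The following is an added example, not code from the thread or from Catalin's script, that does the same job with every user-supplied value returned as a query parameter (pyformat %s placeholders, the style MySQLdb and mysql-connector accept), so a signature pattern or address containing a quote cannot alter the statement, and that keeps the script's refusal to run with hours=0 and no filter. Table and column names are the ones the script uses; the private ranges excluded by -r are an assumption (the RFC 1918 blocks, with 172.16.0.0/12 in place of the script's whole 172.0.0.0/8), the site range is a parameter, and the two-row mysql output is constructed.

```python
"""Build the Snort/ACID event-cleanup SQL with values kept out of the SQL text.

Added example (not from the thread or its script).  Table and column names
are the ones the thread's script uses: event(sid, cid, timestamp, signature),
iphdr(sid, cid, ip_src, ip_dst) and signature(sig_id, sig_name).
"""

# Tables holding per-event rows keyed by (sid, cid); same list as the script.
EVENT_TABLES = ["data", "event", "icmphdr", "tcphdr", "udphdr", "iphdr", "opt"]

# Ranges that -r treats as local.  Assumption: the RFC 1918 blocks, with
# 172.16.0.0/12 instead of the script's whole 172.0.0.0/8.
PRIVATE_RANGES = [("10.0.0.0", "10.255.255.255"),
                  ("172.16.0.0", "172.31.255.255"),
                  ("192.168.0.0", "192.168.255.255")]


def build_select(hours, like=None, ip=None, remotes=False, dst=False,
                 site_range=("192.168.0.0", "192.168.0.254")):
    """Return (sql, params) selecting the (sid, cid) pairs to delete.

    Mirrors the script's makequery(), but user-supplied values are returned
    in `params` and the SQL carries only %s placeholders, so a pattern or
    address containing a quote cannot change the statement.
    """
    if ip and remotes:
        raise ValueError("cannot combine ip and remotes")
    if not isinstance(hours, int) or hours < 0:
        raise ValueError("hours must be a non-negative integer")
    if hours == 0 and not (ip or remotes or like):
        # Same guard as the script: hours=0 with no filter would select
        # every event in the database.
        raise ValueError("refusing to select every event; add a filter")
    col = "iphdr.ip_dst" if dst else "iphdr.ip_src"
    tables, where, params = ["event"], [], []
    if ip or remotes:
        tables.insert(0, "iphdr")
    if like:
        tables.insert(0, "signature")
    if hours > 0:
        where.append("event.timestamp < NOW() - INTERVAL %s HOUR")
        params.append(hours)
    if like:
        if "%" not in like:
            like = "%" + like + "%"
        where.append("signature.sig_name LIKE %s")
        params.append(like)
        where.append("signature.sig_id = event.signature")
    if ip:
        where.append(col + " = INET_ATON(%s)")
        params.append(ip)
    elif remotes:
        for low, high in [site_range] + PRIVATE_RANGES:
            where.append(col + " NOT BETWEEN INET_ATON(%s) AND INET_ATON(%s)")
            params.extend([low, high])
    if ip or remotes:
        where.append("iphdr.sid = event.sid AND iphdr.cid = event.cid")
    sql = "SELECT event.sid, event.cid FROM " + ", ".join(tables)
    if where:
        sql += " WHERE " + " AND ".join(where)
    return sql, tuple(params)


def parse_batch_output(text):
    """Parse `mysql -s -B` output (one 'sid<TAB>cid' line per row) into
    (sid, cid) integer pairs; a line that is not two integers is rejected
    rather than silently turned into a DELETE."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 2 or not all(f.isdigit() for f in fields):
            raise ValueError("unexpected row: %r" % line)
        rows.append((int(fields[0]), int(fields[1])))
    return rows


def delete_statements(rows, optimize=False):
    """Per-table DELETEs for every (sid, cid), as (sql, params) pairs, followed
    by OPTIMIZE TABLE for each table when requested (the script's -o)."""
    stmts = []
    for sid, cid in rows:
        for table in EVENT_TABLES:
            stmts.append(("DELETE FROM %s WHERE sid = %%s AND cid = %%s" % table,
                          (sid, cid)))
    if optimize:
        for table in ["icmphdr", "udphdr", "opt", "event", "tcphdr", "iphdr", "data"]:
            stmts.append(("OPTIMIZE TABLE " + table, ()))
    return stmts


# Constructed sample of what `mysql -s -B` prints for two matching events.
SAMPLE_OUTPUT = "1\t41\n1\t42\n"

if __name__ == "__main__":
    sql, params = build_select(24, like="ICMP")
    print(sql, params)
    for stmt, p in delete_statements(parse_batch_output(SAMPLE_OUTPUT)):
        print(stmt, p)
```

Run the SELECT with cursor.execute(sql, params), pass the fetched rows to delete_statements() and execute each pair the same way, after taking the mysqldump backup recommended earlier in the thread; a dry run (the script's -n) is just printing the generated statements instead of executing them.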



Copyright 2003 - 2010 webservertalk.com