Pantek Library

[Snort-sigs] ACID Response Table Bug

From: King Jr, Charles (Contractor) <King2c(at)scott.disa.mil>
Date: Fri Mar 19 2004 - 12:50:12 EST


I realize this isn't the appropriate list, but it's for the most part the appropriate audience...apologies to those without ACID.

We discovered that the acid_action.inc file is missing an entry in the PurgeAlert function for the response table. This allows the payload response records to build up and diminish ACID's already poor responsiveness. You can remedy this by adding the entry ("response",) to the function. To delete old records, you can do something like:

mysql -u snort;
use acid;
show tables;
desc response;

select max(cid) from events where timestamp < now() - interval 3 day;

This returns an id for the highest event from three days ago, assuming you've reviewed everything in the last couple of days and are willing to purge old data.

delete from response where cid < xxx;

Replace xxx with the cid number you got from the first query.

Chuck King
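
The manual cleanup described in the message above, written as a single mysql session. This is an added example, not part of the original post and not ACID's own code. The database, table and column names (acid, events, response, cid, timestamp) and the three-day window come from the post; the @cutoff variable and the batch size of 10000 are assumptions.

```sql
-- Added example: purge old rows from the response table using the
-- cutoff described in the post. Run inside the mysql client.
USE acid;

-- 1. Capture the cutoff once, so the preview and the delete below
--    are guaranteed to use the same value (no copy/paste of "xxx").
SELECT MAX(cid) INTO @cutoff
FROM events
WHERE timestamp < NOW() - INTERVAL 3 DAY;

-- 2. Show the cutoff. If it is NULL there are no events older than
--    three days; every comparison against NULL below is then not true,
--    so the DELETE removes nothing.
SELECT @cutoff AS cutoff_cid;

-- 3. Preview how many response rows would be purged and how many kept
--    before changing anything.
SELECT SUM(cid <  @cutoff) AS to_purge,
       SUM(cid >= @cutoff) AS to_keep
FROM response;

-- 4. Delete in batches (batch size is an assumption) so a large backlog
--    does not hold the table for one long statement. Re-run this
--    statement until the client reports "0 rows affected".
DELETE FROM response
WHERE cid < @cutoff
LIMIT 10000;

-- 5. Confirm nothing below the cutoff remains.
SELECT COUNT(*) AS remaining_old
FROM response
WHERE cid < @cutoff;
```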




Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Received on Fri Mar 19 13:48:00 2004

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:37 EDT

