<body>

Sunday, April 05, 2009

Adding a snort_archive Database to an Existing Snort/BASE Installation

1. Create the snort_archive database and grant permissions to the snort user

$ mysql -u root -p
mysql> create database snort_archive;
mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort_archive.* to snort@localhost;
mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort_archive.* to snort;
mysql> exit

2. Set up the tables using the schema shipped with the Snort source

$ cd $SNORT_SOURCE_DIRECTORY/schemas
$ mysql -u root -p < create_mysql snort_archive

3. Export the existing snort database

$ mysqldump -p snort > snort-backup.sql

4. Import the snort database into snort_archive

$ mysql -p snort_archive < snort-backup.sql

5. Modify base_conf.php to enable the archive database

$archive_exists = 1; # Set this to 1 if you have an archive DB
$archive_dbname = 'snort_archive';
$archive_host = 'localhost';
$archive_port = '';
$archive_user = 'snort';
$archive_password = '$PASSWORD';

6. On the BASE home page, select the "Use archive database" link
7. Select the Total alerts link (the number of total alerts)
8. Select "Delete alerts for entire query"
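
The script below is an added example, not part of the original post: it wires steps 1 through 5 into one POSIX sh script so the migration can be repeated on another sensor. It assumes MySQL on localhost, the Snort source tree in SNORT_SRC, the BASE config in BASE_CONF, and a ~/.my.cnf holding the MySQL credentials so no password appears on the command line or in shell history. It grants only to 'snort'@'localhost' (the post also grants to the host-less snort account) and refuses to import a dump that contains no INSERT rows, which catches a failed or truncated mysqldump before it silently produces an empty archive. The database and file names are the post's; the function names are this example's own.

```shell
#!/bin/sh
# Added example: automates steps 1-5 of the snort_archive procedure.
# Assumed paths and names (override via environment): MySQL on localhost,
# Snort source in SNORT_SRC, BASE config in BASE_CONF, credentials in ~/.my.cnf.
set -eu

SNORT_SRC="${SNORT_SRC:-/usr/local/src/snort}"
BASE_CONF="${BASE_CONF:-/var/www/base/base_conf.php}"
DUMP_FILE="${DUMP_FILE:-snort-backup.sql}"

# Step 1: SQL that creates the archive DB and gives the snort user the same
# rights the post grants (no DROP or ALTER, so BASE cannot destroy tables).
archive_grant_sql() {
  cat <<'EOF'
CREATE DATABASE IF NOT EXISTS snort_archive;
GRANT CREATE,INSERT,SELECT,DELETE,UPDATE ON snort_archive.* TO 'snort'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# Step 5: rewrite base_conf.php so the archive DB is enabled and points at
# snort_archive. Reads the file named in $1 and writes the result to stdout;
# every other line (host, user, password) is left untouched.
enable_archive_in_base_conf() {
  sed \
    -e "s/^\\\$archive_exists[[:space:]]*=[[:space:]]*[01];/\$archive_exists = 1;/" \
    -e "s/^\\\$archive_dbname[[:space:]]*=[^;]*;/\$archive_dbname = 'snort_archive';/" \
    "$1"
}

# Sanity check for step 3: a usable dump contains at least one INSERT row.
dump_has_data() {
  grep -q '^INSERT INTO' "$1"
}

# Steps 1-5 end to end. Needs the mysql client tools; run as: sh script.sh run
migrate_to_archive() {
  archive_grant_sql | mysql                                   # step 1
  mysql snort_archive < "$SNORT_SRC/schemas/create_mysql"     # step 2
  mysqldump snort > "$DUMP_FILE"                              # step 3
  dump_has_data "$DUMP_FILE" || { echo "dump has no rows, aborting" >&2; exit 1; }
  mysql snort_archive < "$DUMP_FILE"                          # step 4
  enable_archive_in_base_conf "$BASE_CONF" > "$BASE_CONF.new" # step 5
  mv "$BASE_CONF" "$BASE_CONF.bak"
  mv "$BASE_CONF.new" "$BASE_CONF"
}

if [ "${1:-}" = "run" ]; then
  migrate_to_archive
fi
```

After the script finishes, steps 6 through 8 are still done by hand in the BASE web interface; the previous base_conf.php is kept as base_conf.php.bak so the change can be rolled back.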

1 Comment:

Blogger Aaron said...

Awesome. Aside from removing the CLI prompts, this works as cut and paste. Thanks!

10:19 PM  
