snort 作为service的脚本在snort网站上有,它使用了/etc/sysconfig/snort这个文件来初始化一些参数。好像我这里这个文件没有设x属性也没问题。 设置的是snort运行的user group interface等参数。脚本网站上都可以找到。
unified2应该是现在版本唯一支持的格式了,unified 已经不支持。
清空数据库的方法,从别的地方搜来的:
use snort;
DELETE FROM event WHERE timestamp < DATE_SUB(NOW(),INTERVAL 28 DAY);
DELETE FROM data USING data LEFT OUTER JOIN event USING (sid,cid) WHERE event.sid IS NULL;
DELETE FROM iphdr USING iphdr LEFT OUTER JOIN event USING (sid,cid) WHERE event.sid IS NULL;
DELETE FROM icmphdr USING icmphdr LEFT OUTER JOIN event USING (sid,cid) WHERE event.sid IS NULL;
DELETE FROM tcphdr USING tcphdr LEFT OUTER JOIN event USING (sid,cid) WHERE event.sid IS NULL;
DELETE FROM udphdr USING udphdr LEFT OUTER JOIN event USING (sid,cid) WHERE event.sid IS NULL;
DELETE FROM opt USING opt LEFT OUTER JOIN event USING (sid,cid) WHERE event.sid IS NULL;
DELETE FROM acid_event USING acid_event LEFT OUTER JOIN event USING (sid,cid) WHERE event.sid IS NULL;
DELETE FROM ag USING acid_ag_alert AS ag LEFT OUTER JOIN event AS e ON ag.ag_sid=e.sid AND ag.ag_cid=e.cid WHERE e.sid IS NULL;
OPTIMIZE TABLE event, data, iphdr, icmphdr, tcphdr, udphdr, opt, acid_event, acid_ag_alert;
但是acid_event和acid_ag_alert表在新版的snort里面好像没有了。 估计是只要清空前面的几个表就行了。
转载于:https://blog.51cto.com/caozs/800401
1313
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
