Hi
DB's - I love them
backing up
There are two ways to back up the snort database:
1. copy all files from mysql/data/snort/ into a backup directory.
Basically, each table in the database has one of those frm, MYD and MYI files.
This is, well, when you know what you are doing
2. perform a dump - this may take a while in your case, because those tables
can be very huge. Basically, this dump is a set of SQL commands to recreate the database.
Note: the database itself is not created. It creates a dump assuming
that you are logged in that particular database.
Code:
> mysqldump -h localhost -u user_snort snort >snort.sql
If snort is the only database on your MySQL system, you could also perform a complete dump
Code:
> mysqldump -h localhost -u root -A >complete.sql
This dump also creates the databases.
restoring (test!)
The idea of the restoration is to reproduce the original database.
Here, I would recommend creating a new database snort_backup (see below).
I assume that you want to restore the original entries, hence I continue
using the database name `snort`.
Code:
> mysql -u root <complete.sql
or
Code:
> mysql -u user_snort snort <snort.sql
assuming that the database `snort` exists. Otherwise, add the above
command using "-u root" and add at the beginning of snort.sql
Code:
CREATE DATABASE `snort`; USE `snort`;
Passwords can be handed over using the "--password=password_root" option
deleting table entries
for each table, you can run the command
Code:
> mysql -u user_snort snort
mysql> delete from table_name;
where table_name in a generic snort installation is one of
Code:
data detail encoding event icmphdr iphdr opt reference reference_system schema sensor sig_class sig_reference signature tcphdr udphdr
/edit: You obtain a list of the tables performing an
Code:
> grep "CREATE TABLE" snort.sql
resp.
> type snort.sql | find "CREATE TABLE"
Usually, one tries to perform transactions, which can be
committed or allow for a rollback[1]. I won't comment on them
here. Also have a read of the disaster recovery page of MySQL[2].
Good luck!
Cheers
[1] http://dev.mysql.com/doc/mysql/en/an...nsactions.html
[2] http://dev.mysql.com/doc/mysql/en/di...revention.html
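
A check to run between the dump and the "deleting table entries" step, as an added example that is not part of the original post: it confirms that a dump holds a CREATE TABLE statement for every table in the post's list, and can tell whether the dump carries its own CREATE DATABASE. The function names and the sample dump are constructed for illustration; the patterns assume mysqldump's usual output with each CREATE statement starting a line.

```shell
#!/bin/sh
# Tables of a generic snort installation, as listed in the post.
SNORT_TABLES="data detail encoding event icmphdr iphdr opt reference \
reference_system schema sensor sig_class sig_reference signature tcphdr udphdr"

# missing_tables DUMP: print each expected table with no CREATE TABLE in DUMP.
# Assumption: statements look like  CREATE TABLE `name` (  (backticks optional).
missing_tables() {
    for t in $SNORT_TABLES; do
        grep -Eq "^CREATE TABLE (IF NOT EXISTS )?\`?$t\`? \(" "$1" || printf '%s\n' "$t"
    done
}

# dump_creates_database DUMP: true for a complete (-A) dump; false for a
# single-database dump, which needs CREATE DATABASE/USE added before restoring.
dump_creates_database() { grep -q '^CREATE DATABASE ' "$1"; }

# check_dump DUMP: 0 = all tables present, 1 = tables missing, 2 = empty/missing file.
check_dump() {
    [ -s "$1" ] || { echo "empty or missing dump: $1" >&2; return 2; }
    missing=$(missing_tables "$1")
    [ -z "$missing" ] && return 0
    echo "tables missing from $1:" $missing >&2
    return 1
}

# make_sample_dump FILE [SKIP]: write a constructed, schema-only stand-in for
# mysqldump output, leaving out table SKIP to simulate a truncated dump.
make_sample_dump() {
    : > "$1"
    for t in $SNORT_TABLES; do
        [ "$t" = "${2:-}" ] && continue
        printf 'CREATE TABLE `%s` (\n  `cid` int(10) unsigned NOT NULL\n);\n' "$t" >> "$1"
    done
}

# Demo on constructed input: the full dump passes, the one lacking `event` fails.
tmp=$(mktemp -d)
make_sample_dump "$tmp/snort.sql"
make_sample_dump "$tmp/cut.sql" event
for f in "$tmp/snort.sql" "$tmp/cut.sql"; do
    if check_dump "$f"; then echo "$f: schema complete"; else echo "$f: do not delete yet"; fi
done
rm -rf "$tmp"
```

A passing check only shows that the schema is complete; the test restore into snort_backup recommended in the post is still what shows the rows are there.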




