Delete all previous Alerts


Tim Hofer

Dec 10, 2015, 3:13:55 PM
to security-onion
Hello,

is there an option to delete all previous alerts of Snort without a completely new setup?

Thank you,

Tim

Wes

Dec 10, 2015, 3:43:47 PM
to security-onion
Tim,

I imagine you could edit the DAYSTOKEEP variable in /etc/nsm/securityonion.conf (change to "0"), then run sguil-db-purge, but this would delete all events from the Sguil database.

You may be able to do this directly with MySQL (remove just Snort events), however I am not sure.

Thanks,
Wes

Tim Hofer

Dec 10, 2015, 4:17:34 PM
to security-onion

That sounds like a plan... but tell me, what do you mean by squil-db-puge? Is this a pre-built script? And is its functionality combined with the DAYSTOKEEP variable?

Wes

Dec 10, 2015, 4:31:10 PM
to security-onion
Tim,

I apologize, DAYSTOKEEP should be set to "1".

When you run sguil-db-purge, it purges all the event data in the Sguil database, up to the value defined in DAYSTOKEEP in "/etc/nsm/securityonion.conf".

The DAYSTOKEEP variable indicates how many days' worth of data you would like to keep when you run this script.

Please have a look here for reference:
https://github.com/Security-Onion-Solutions/security-onion/wiki/FAQ#what-does-it-mean-if-sostat-show-a-high-number-of-sguil-uncategorized-events

Also, ensure you run "sudo nsm_server_ps-stop" before running this.

Thanks,
Wes
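
The sequence Wes describes (set DAYSTOKEEP, stop the server processes, run the purge), as an added POSIX shell example that is not part of the original thread or of Security Onion itself. It assumes securityonion.conf holds a line of the form DAYSTOKEEP=<n>, and restarting with nsm_server_ps-start afterwards is an assumption the thread does not state; the sample file at the bottom is constructed so the edit can be tried without touching a real install.

```shell
# set_daystokeep FILE DAYS: rewrite the DAYSTOKEEP line in place (append if absent).
# Rejects anything that is not a non-negative integer so a typo cannot land in the config.
set_daystokeep() {
    file="$1"; days="$2"
    case "$days" in
        ''|*[!0-9]*) echo "days must be a non-negative integer: '$days'" >&2; return 1 ;;
    esac
    if grep -q '^DAYSTOKEEP=' "$file"; then
        tmp="$(mktemp)"
        sed "s/^DAYSTOKEEP=.*/DAYSTOKEEP=$days/" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf 'DAYSTOKEEP=%s\n' "$days" >> "$file"
    fi
}

# get_daystokeep FILE: print the effective value so it can be checked before purging.
get_daystokeep() {
    sed -n 's/^DAYSTOKEEP=//p' "$1" | tail -n 1
}

# purge_sguil FILE DAYS: the thread's procedure. The Security Onion commands are only
# invoked when present on this host, so the function is safe to dry-run elsewhere.
purge_sguil() {
    file="$1"; days="$2"
    set_daystokeep "$file" "$days" || return 1
    echo "DAYSTOKEEP is now $(get_daystokeep "$file") in $file"
    if ! command -v sguil-db-purge >/dev/null 2>&1; then
        echo "sguil-db-purge not found; skipping purge (not a Security Onion server)" >&2
        return 0
    fi
    # Stop sguild first (as advised above), purge, then bring the server processes back.
    sudo nsm_server_ps-stop && sudo sguil-db-purge && sudo nsm_server_ps-start
}

# Constructed sample config (not the real /etc/nsm/securityonion.conf) for a dry run.
sample="$(mktemp)"
printf 'DAYSTOKEEP=365\nELSA=YES\n' > "$sample"
purge_sguil "$sample" 1
```

On a real server, pass /etc/nsm/securityonion.conf instead of the sample file and expect the purge to remove every event older than the DAYSTOKEEP window, not only Snort alerts.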

Tim Hofer

Dec 10, 2015, 4:37:04 PM
to security-onion

Okay thank you.

But I can't find squil-db-purge. Is there any clue? (There is no squil-db-purge in /usr/bin.)

Wes

Dec 10, 2015, 4:40:37 PM
to security-onion

Tim, please make sure you are typing "sudo sguil-db-purge". Please make sure you use a "g" and not a "q".

Thanks,
Wes

Tim Hofer

Dec 10, 2015, 4:44:37 PM
to security-onion
Wes,

That is embarrassing :D:D. I apologize for this mistake. Thank you for this!

Scott Ellis

Dec 11, 2015, 5:08:41 PM
to security-onion
On Thursday, December 10, 2015 at 3:44:37 PM UTC-6, Tim Hofer wrote:
> Wes,
>
> that is embarrassing :D:D. I apologize for this mistake. Thank you for this!

Please let me know if this works for you. I just tried this with no luck; I still have thousands of events.

SELECT COUNT(*) FROM event returns 290,415.
If I add WHERE status=0 I get 8,531 (not sure what the "status" means, exactly...).
I'd really like to get this down to just the past few hours of events; a lot of these events are lingering from before I started creating rules to exclude them.

Wes

Dec 11, 2015, 6:06:14 PM
to security-onion
Scott,

Did you follow the steps listed here?
https://github.com/Security-Onion-Solutions/security-onion/wiki/FAQ#what-does-it-mean-if-sostat-show-a-high-number-of-sguil-uncategorized-events

Also, did you run the modified sguil-db-purge script you detailed here?
https://groups.google.com/forum/#!topic/security-onion/sKKGZlFDKKk

If so, I would recommend reverting any changes to the sguil-db-purge script and trying the steps above.

In regard to the events, "WHERE status=0" refers to uncategorized events.

Thanks,
Wes
