[P]Delete

Preface The purpose of this post is to provide guidance to Snort users who would like to try out Snort 2.9.7.0 and the OpenAppID features that it comes with. It is not intended to guide the reader through setting up Snort from scratch, there are plenty of docs on how to set up Snort at  http://www.snort.org/docs. Snort Before we can download the latest Snort source code and compile it, we have a new prerequisite to fulfill before we can compile Snort. You'll need to install  Luajit , which is used to define application detectors with the new OpenAppID. Step #1, Prep the system. You’ll need to download the following files from  snort.org download page : *   daq-xxx.tar.gz *   snort-2.9.7.0_xxx.tar.gz *   snort-openappid-detectors.xxx.tgz *   snortrules-snapshot-xxx.tar.gz Step #2, Install Snort requirements On my Ubuntu system this was as easy as the following command. #   sudo apt-get install openssl libssl-dev build-essential g++ flex bison ...

I have marked the steps with <<#>> in the block below, so the are not a part of the command. You need root permissions, so do a "sudo sh" if you are not root. <<1>> Look at the filesystem, it is 6G <<2>> Look at the disk and the partition, the disk is 21.5 GB but the partition is 6 GB (6291456 blocks) <<3>> Start fdisk for that disk (xvda, so not the partition xvda1) <<4>> Switch to sector display. <<5>> Print the partition(s), and remember the start sector (2048 in the example). <<6>> Delete the partition. <<7>> Create a new partition. <<8>> Make it primary. <<9>> First partition. <<10>> Enter the old start sector, do NOT make any typo here!!! (2048 in the example)  <<11>> Hit enter to accept the default (this is the remainder of the disk) <<12>> Print the changes and make sure the start sector is ok, if not restart at ...

In this guide will be explained how to work with Suricata in layer3 inline mode and how to set iptables for that purpose. First start with compiling Suricata with NFQ support. For instructions see  Ubuntu Installation . For more information about NFQ and iptables, see  suricata.yaml . To check if you have NFQ enabled in your Suricata, enter the following command: suricata --build-info and examine if you have NFQ between the features. To run suricata with the NFQ mode, you have to make use of the -q option. This option tells Suricata which of the queue numbers it should use. sudo suricata -c /etc/suricata/suricata.yaml -q 0 Iptables configuration First of all it is important to know which traffic you would like to send to Suricata. Traffic that passes your computer or traffic that is generated by your computer. If Suricata is running on a gateway and is meant to protect the computers behind that gateway you are dealing with the first scenario:  forward_i...

Step #1, Prep the system. You’ll need to download the following files from snort.org daq-2.0.2.tar.gz snort-2.9.7.0_alpha.tar.gz snort-openappid-detectors.2014-02-22.187-0.tgz snortrules-snapshot-2960.tar.gz You’ll find the first three files in the downloads section  https://www.snort.org/downloads , and the last file in the rules section  http://www.snort.org/snort-rules/ . The exact rules files available will change over time, just make sure you get one that is compatible with Snort 2.9.x release. Start with a clean installation of Ubuntu 13.10 Server. The only task selected for the system to be used at during installation was an SSH Server. The files were downloaded into a directory called build. mkdir ~/build cd ~/build Step #2, Install Snort requirements The following packages were added to the system via apt. apt-get install openssl libssl-dev build-essential g++ flex bison zlib1g-dev autoconf libtool libpcap-dev libpcre3-dev libdumbnet-dev build-essential Libdnet-1...

My Zabbix database size increased a lot in the last few months and since my disk was running out space, I decided to clean up the old events from the database. Looking at the database tables, the biggest one was  history_uint , which holds the items history data – over 400 millions of records and over 30 Gb of disk space before the clean up. Since deleting the old records from this table directly would be a very slow process, I decided to create a new table and insert the latest records from the  history_uint  table and then just replace the old table with a new one. Since this is not an offical procedure, use it at your own risk. Environment: Zabbix v2.2 MySql 5.1 – InnoDB with  innodb_file_per_table=ON Step 1 – Stop the Zabbix server Step 2 – Open your favourite MySQL client and create a new table CREATE TABLE  history_uint_new  LIKE  history_uint; Step 3 – Insert the latest records from the  history_uint  table to the...