2018/01/06

A while ago, whether because of false positives or because there really were that many attacks,
the snort database got stuffed with over five million OS-WINDOWS Microsoft WINS arbitrary memory modification attempt events XD

The rule is this one:

alert udp $EXTERNAL_NET any -> $HOME_NET 1027:5000 (msg:"OS-WINDOWS Microsoft WINS arbitrary memory modification attempt"; sid:13826; gid:3; rev:6; classtype:attempted-admin; reference:cve,2008-1451; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-034; metadata: engine shared, soid 3|13826;)

After that the whole web UI became painfully slow, and I just left it alone.
Today I decided to deal with it.

First, pull the cids for OS-WINDOWS Microsoft WINS arbitrary memory modification attempt out of the acid_event table:

select cid from acid_event where sig_name='OS-WINDOWS Microsoft WINS arbitrary memory modification attempt';

Then write a shell script that deletes them all from the event table:

#!/bin/bash
# Reads one cid per line from the file named 123 (the saved output of the
# SELECT above) and deletes the matching row from the event table.

while read -r cid
do
    echo "$cid"
    mysql -u user -p123456 snort -e "delete from event where cid=$cid;"
done < 123

Or just write it as a single SQL statement:
DELETE FROM tb1 WHERE tb1.a IN (SELECT k FROM tb2);
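The two deletion approaches above, combined into one script as an added example (this is not the original post's script). It emits the SELECT, feeds the resulting cids back in, and deletes them in batches instead of spawning one mysql client per cid, which matters when there are five million rows. Assumptions not taken from the post: a MySQL database named snort with tables acid_event(cid, sig_name) and event(cid), credentials supplied through ~/.my.cnf or the MYSQL_OPTS variable instead of on the command line, and the batch size of 5000.

```shell
#!/bin/bash
# Added example: purge every event row for one Snort signature in batches.
# Assumed schema (from the post's own queries): acid_event(cid, sig_name)
# and event(cid). Credentials are assumed to come from ~/.my.cnf or from
# MYSQL_OPTS (e.g. "-u user"), never from -p on the command line.
set -eu

SIG_NAME='OS-WINDOWS Microsoft WINS arbitrary memory modification attempt'
BATCH=${BATCH:-5000}            # assumed batch size; tune to the server
MYSQL_OPTS=${MYSQL_OPTS:-}      # extra mysql client options, may be empty

# Emit the SELECT that lists the cids for one signature name.
select_cids_sql() {
    printf "SELECT cid FROM acid_event WHERE sig_name='%s';\n" "$1"
}

# Read cids from stdin, one per line, and emit one DELETE per BATCH ids.
# An IN-list delete touches the index once per batch; the per-cid loop in
# the post pays a client start-up and a round trip for every single row.
batch_delete_sql() {
    local batch=$1 n=0 list=''
    while IFS= read -r cid; do
        case $cid in ''|*[!0-9]*) continue ;; esac   # ignore non-numeric lines
        list="$list${list:+,}$cid"
        n=$((n + 1))
        if [ "$n" -eq "$batch" ]; then
            printf 'DELETE FROM event WHERE cid IN (%s);\n' "$list"
            n=0; list=''
        fi
    done
    [ -n "$list" ] && printf 'DELETE FROM event WHERE cid IN (%s);\n' "$list"
    return 0
}

# Only run against the database when invoked as "script run", so the
# functions above can be sourced or tested without a mysql server.
# acid_event itself is left to the post's follow-up cleanup step.
if [ "${1:-}" = run ]; then
    select_cids_sql "$SIG_NAME" | mysql $MYSQL_OPTS -N snort \
        | batch_delete_sql "$BATCH" | mysql $MYSQL_OPTS snort
fi
```

Run it as `./purge.sh run`; without the `run` argument it only defines the functions, so `printf '1\n2\n' | batch_delete_sql 5000` after sourcing it shows the exact SQL that would be sent. To stop the same sid from refilling the table, a Snort 2.x event_filter for gen_id 3, sig_id 13826 in threshold.conf (type limit, track by_src) caps how many of these alerts are logged per source per interval.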

Next, use the data-cleanup method I wrote about before

and run it once more.
