[Snort-devel] Snort, ACID and host intrusion detection integration

Jed Pickel jed at ...7...
Thu Nov 2 12:04:17 EST 2000

> You may also want to check out some notes on the future of the DB
> format at http://incident.org/snortdb/
> The two upcoming changes are removing support for IP addresses stored as
> four distinct octets, as well as normalizing the storage of signature in a
> seperate table.

These changes are intended to eliminate storing redundant data. After
they are implemented, the schema should be normalized enough to move
forward. These changes will happen after snort v1.7 goes out.

In the long term, the database schema and XML DTD are moving to be
more generalized. Since they will be used by more than one project I
am working on setting up mailing lists and a web site devoted to this
issue. I will announce here when its ready.

> > 3. Have a look at the XML spec and see if it can support a more general
> > structure, having looked it over this morning it seems to be more
> > network specific than the database structure so I'm not sure.

The database schema and XML DTD should directly map to each other. If
they don't let me know.

Good job with those data model graphics Tom! :) The only thing I see
missing in the most recent one after a quick glance is a one to many
relation between tcphdr and opt.

* Jed

More information about the Snort-devel mailing list