[Snort-devel] spo_database & fragments
jed at ...7...
Thu Jan 18 16:46:33 EST 2001
On Thu, Jan 18, 2001 at 03:21:03AM -0500, Martin Roesch wrote:
> I'm beginning to think that the DB should include a table to handle
> non-packet alerts, stuff that's part of an aggregate or partial packet
> match (like tiny frags). Thoughts?
Funny... When you were writing your message I was committing a partial
fix for this issue. Right now frags are just logging the ip header and
In order to log the layer 4 stuff there will have to be checks in
place to log only when the data is available. Any idea about the most
efficient way to check for this -- is there some more elegant solution
than wrapping every element of the header in an "if()" and appending
to a query string?
Also.. I don't think it makes sense to log frags to another table. If
you want fragments in a separate table for some particular type of
analysis you can just use some SQL like this...
"insert into frags select * from iphdr where ip_off > 0;"
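The conditional logging Jed describes, as an added example in C (it is not Jed's commit and not the actual spo_database.c code): the decoded-packet struct is hypothetical, and every table and column name except iphdr and ip_off is an assumption for the sake of the illustration. Instead of an if() around each header element, it guards once per decoded layer: the iphdr row is always written, and the tcphdr row only when the decoder actually produced a TCP header, which is never the case for a trailing fragment.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Hypothetical decoded-packet view, not Snort's own Packet struct. A NULL
 * tcp pointer means the decoder never reached layer 4, which is the case
 * for a non-first fragment where only the IP header is on the wire. */
typedef struct { uint16_t sport, dport; uint8_t flags; } tcp_view_t;
typedef struct {
    unsigned long sid, cid;        /* sensor id, event id (assumed names) */
    unsigned long ip_src, ip_dst;  /* addresses as host-order integers */
    unsigned ip_proto, ip_off;     /* ip_off: raw fragment offset field */
    const tcp_view_t *tcp;         /* NULL when not decoded */
} pkt_t;

/* Append one name/value pair to the column and value lists. Every value
 * here is numeric, so no quoting is needed; string data such as payload
 * would have to go through the DB driver's escape or bind routine. */
static void add_field(char *cols, char *vals, size_t n,
                      const char *name, unsigned long v)
{
    size_t cl = strlen(cols), vl = strlen(vals);
    snprintf(cols + cl, n - cl, "%s%s", cl ? ", " : "", name);
    snprintf(vals + vl, n - vl, "%s%lu", vl ? ", " : "", v);
}

/* One guard per layer instead of one per column: iphdr is always written,
 * tcphdr only when that header was decoded. Returns the number of
 * statements placed in out[]. Column names other than ip_off are assumed. */
int build_inserts(const pkt_t *p, char out[][256], int max)
{
    char cols[128], vals[128];
    int n = 0;

    if (max < 1) return 0;
    cols[0] = vals[0] = '\0';
    add_field(cols, vals, sizeof cols, "sid", p->sid);
    add_field(cols, vals, sizeof cols, "cid", p->cid);
    add_field(cols, vals, sizeof cols, "ip_src", p->ip_src);
    add_field(cols, vals, sizeof cols, "ip_dst", p->ip_dst);
    add_field(cols, vals, sizeof cols, "ip_proto", p->ip_proto);
    add_field(cols, vals, sizeof cols, "ip_off", p->ip_off);
    snprintf(out[n++], 256, "INSERT INTO iphdr (%s) VALUES (%s);", cols, vals);

    if (p->tcp && n < max) {          /* layer 4 available: add its row */
        cols[0] = vals[0] = '\0';
        add_field(cols, vals, sizeof cols, "sid", p->sid);
        add_field(cols, vals, sizeof cols, "cid", p->cid);
        add_field(cols, vals, sizeof cols, "tcp_sport", p->tcp->sport);
        add_field(cols, vals, sizeof cols, "tcp_dport", p->tcp->dport);
        add_field(cols, vals, sizeof cols, "tcp_flags", p->tcp->flags);
        snprintf(out[n++], 256, "INSERT INTO tcphdr (%s) VALUES (%s);", cols, vals);
    }
    return n;
}

/* Constructed sample packets, 192.168.1.1 -> 10.0.0.1 as integers: a
 * trailing fragment (no layer 4 decoded) and a complete TCP SYN. */
static const tcp_view_t sample_tcp = { 40000, 80, 0x02 };
static const pkt_t trailing_frag = { 1, 7, 3232235777UL, 167772161UL, 6, 185, NULL };
static const pkt_t full_tcp      = { 1, 8, 3232235777UL, 167772161UL, 6, 0, &sample_tcp };

int count_statements_for_fragment(void)
{
    char out[2][256];
    return build_inserts(&trailing_frag, out, 2);   /* iphdr only: 1 */
}

int count_statements_for_full_packet(void)
{
    char out[2][256];
    return build_inserts(&full_tcp, out, 2);        /* iphdr + tcphdr: 2 */
}

/* 1 if the iphdr statement for the fragment has exactly the expected text */
int iphdr_statement_matches(void)
{
    char out[2][256];
    build_inserts(&trailing_frag, out, 2);
    return strcmp(out[0], "INSERT INTO iphdr (sid, cid, ip_src, ip_dst, ip_proto, ip_off) "
                          "VALUES (1, 7, 3232235777, 167772161, 6, 185);") == 0;
}

int main(void)
{
    char out[2][256];
    int i, n = build_inserts(&full_tcp, out, 2);
    for (i = 0; i < n; i++) puts(out[i]);
    n = build_inserts(&trailing_frag, out, 2);
    for (i = 0; i < n; i++) puts(out[i]);
    return 0;
}
```

Run stand-alone it prints the two rows for the SYN and the single iphdr row for the fragment. The fragment case is exactly what the "ip_off > 0" select above picks out, so no separate frags table is needed at logging time. The string-building shortcut is only safe because every logged value is an integer; anything textual taken from the packet has to be escaped or bound through the driver before it reaches the query.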