[Snort-devel] spo_database & fragments

Jed Pickel jed at ...7...
Thu Jan 18 16:46:33 EST 2001


On Thu, Jan 18, 2001 at 03:21:03AM -0500, Martin Roesch wrote:
> I'm beginning to think that the DB should include a table to handle
> non-packet alerts, stuff that's part of an aggregate or partial packet
> match (like tiny frags).  Thoughts?

Funny... When you were writing your message I was committing a partial
fix for this issue. Right now frags are just logging the IP header and
IP options.

In order to log the layer 4 stuff there will have to be checks in
place to log only when the data is available. Any idea about the most
efficient way to check for this -- is there some more elegant solution
than wrapping every element of the header in an "if()" and appending
to a query string?

Also.. I don't think it makes sense to log frags to another table. If
you want fragments in a separate table for some particular type of 
analysis you can just use some SQL like this...

   "insert into frags select * from iphdr where ip_off > 0;"

* Jed
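One way to answer the "if() around every field" question, as an added example in C that is my own and not spo_database code: decide once per layer whether a packet carries that header, then append the whole layer's column list and value list in one step. It assumes a hypothetical flat table named iphdr that holds both IP and TCP columns (Snort's real schema differs), and the three packets are constructed by hand rather than captured. The layer-4 check looks at both the fragment offset and the captured length, so a non-first fragment and a tiny first fragment (MF set, offset 0, too short for a TCP header) both log as IP only.

```c
/* Added example, not Snort's spo_database code: detect available layers
 * once, then emit columns per layer. Flat single-table layout assumed. */
#include <stdarg.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_OFFMASK 0x1fff      /* low 13 bits of the fragment field */
#define PROTO_TCP  6

enum { HAVE_IP = 1, HAVE_TCP = 2 };   /* layers usable for logging */

typedef struct {
    const uint8_t *pkt;
    size_t len;       /* captured bytes; may be shorter than the IP length */
    size_t ip_hlen;
    uint16_t frag;    /* raw 3-bit flags + 13-bit offset field */
} pkt_view;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Bitmask of layers present. TCP is reported only for offset-0 datagrams
 * whose captured bytes cover the fixed 20-byte TCP header. */
int layers_present(pkt_view *v)
{
    int have = 0;
    if (v->len < 20 || (v->pkt[0] >> 4) != 4) return 0;
    v->ip_hlen = (size_t)(v->pkt[0] & 0x0f) * 4;
    if (v->ip_hlen < 20 || v->len < v->ip_hlen) return 0;
    v->frag = rd16(v->pkt + 6);
    have |= HAVE_IP;
    if ((v->frag & IP_OFFMASK) == 0 && v->pkt[9] == PROTO_TCP &&
        v->len >= v->ip_hlen + 20)
        have |= HAVE_TCP;
    return have;
}

/* printf-style append into a fixed buffer; -1 once it would overflow. */
static int append(char *buf, size_t sz, size_t *pos, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (*pos >= sz) return -1;
    va_start(ap, fmt);
    n = vsnprintf(buf + *pos, sz - *pos, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= sz - *pos) return -1;
    *pos += (size_t)n;
    return 0;
}

/* Builds the INSERT for one packet; each layer adds its columns and
 * values as a unit. Returns 0, or -1 if no IP header or no room. */
int build_insert(const uint8_t *pkt, size_t len, char *out, size_t outsz)
{
    pkt_view v = { pkt, len, 0, 0 };
    char cols[160], vals[160];
    size_t cp = 0, vp = 0;
    int n, have = layers_present(&v);

    if (!(have & HAVE_IP)) return -1;
    if (append(cols, sizeof cols, &cp, "ip_src, ip_dst, ip_proto, ip_flags, ip_off") ||
        append(vals, sizeof vals, &vp, "%lu, %lu, %u, %u, %u",
               (unsigned long)rd32(pkt + 12), (unsigned long)rd32(pkt + 16),
               (unsigned)pkt[9], (unsigned)(v.frag >> 13),
               (unsigned)(v.frag & IP_OFFMASK)))
        return -1;
    if (have & HAVE_TCP) {
        const uint8_t *tcp = pkt + v.ip_hlen;   /* TCP flags sit at byte 13 */
        if (append(cols, sizeof cols, &cp, ", tcp_sport, tcp_dport, tcp_flags") ||
            append(vals, sizeof vals, &vp, ", %u, %u, %u",
                   (unsigned)rd16(tcp), (unsigned)rd16(tcp + 2), (unsigned)tcp[13]))
            return -1;
    }
    n = snprintf(out, outsz, "INSERT INTO iphdr (%s) VALUES (%s)", cols, vals);
    return (n >= 0 && (size_t)n < outsz) ? 0 : -1;
}

/* Constructed sample packets (not captures), 10.0.0.1 -> 10.0.0.2, proto TCP. */
#define IP_HDR(fo_hi, fo_lo, totlen_lo) \
    0x45, 0x00, 0x00, totlen_lo, 0x00, 0x01, fo_hi, fo_lo, \
    0x40, 0x06, 0x00, 0x00, 10, 0, 0, 1, 10, 0, 0, 2
const uint8_t SAMPLE_TCP[] = { IP_HDR(0x00, 0x00, 40),      /* SYN 1234 -> 80 */
    0x04, 0xd2, 0x00, 0x50, 0, 0, 0, 0, 0, 0, 0, 0, 0x50, 0x02, 0xff, 0xff, 0, 0, 0, 0 };
const uint8_t SAMPLE_LATER_FRAG[] = { IP_HDR(0x00, 0x10, 28), 1, 2, 3, 4, 5, 6, 7, 8 };
const uint8_t SAMPLE_TINY_FIRST_FRAG[] = { IP_HDR(0x20, 0x00, 28),   /* MF set */
    0x04, 0xd2, 0x00, 0x50, 0, 0, 0, 0 };

/* Statement from a static buffer; empty string when build_insert fails. */
const char *insert_for(const uint8_t *pkt, size_t len)
{
    static char stmt[512];
    if (build_insert(pkt, len, stmt, sizeof stmt) != 0) stmt[0] = '\0';
    return stmt;
}

int main(void)
{
    printf("%s\n", insert_for(SAMPLE_TCP, sizeof SAMPLE_TCP));
    printf("%s\n", insert_for(SAMPLE_LATER_FRAG, sizeof SAMPLE_LATER_FRAG));
    printf("%s\n", insert_for(SAMPLE_TINY_FIRST_FRAG, sizeof SAMPLE_TINY_FIRST_FRAG));
    return 0;
}
```

The values are formatted as integers here only to keep the example self-contained; in a real output plugin the parameters should be bound or escaped by the database API rather than spliced into the statement text.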
