[Snort-devel] spo_database & fragments

Jed Pickel jed at ...7...
Thu Jan 18 17:02:40 EST 2001


On Thu, Jan 18, 2001 at 12:44:55PM -0600, Chris Green wrote:
> suppose "UDP Scan" and src/dst ip, protocol, ports and scantype
> SPADE would have its own unique table format as well.
> 
> A catchall type table that is a cid / text field would at least allow
> centralized sql logging from new plugins.
> 
> To have a fancy table type for a plugin, there needs to be a mechanism
> to know what generated the alert so that the appropriate logic can be
> followed.

This resurfaces an issue we talked about almost a year ago. In order
to start logging messages from pre-processors in the database (and
other output plugins), I believe the right solution is for the
preprocessor to pass that info to the output plugins in a structured
format such as some predefined struct -- rather than just a
string.

I like the idea of a "catchall" table for unstructured data from
plugins. Yet, before we can start using this we need to flag the data
origin; currently there is no way to know where data originates
(from the perspective of an output plugin). Any thoughts on the best
way to accomplish this?

Also, I'd like to start working with the pre-processor authors to
define appropriate database tables / data structs for output from
their plugins so we can start passing around, analyzing, and archiving
this data more efficiently. Any thoughts from the pre-processor
dudes?

* Jed
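As an added illustration of the structured-record idea in the reply above (not code from this thread or from Snort): a hypothetical predefined struct that carries an origin tag, so an output plugin can route a record to a plugin-specific table when it knows the origin and has the structured payload, and fall back to the cid/text catchall otherwise. All type names, field names and the `route_event` function are assumptions; the sample addresses are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical origin tag (not from Snort): every record handed to an
 * output plugin says which component produced it. */
typedef enum { ORIGIN_UNKNOWN = 0, ORIGIN_DETECTION, ORIGIN_PORTSCAN, ORIGIN_SPADE } origin_t;

/* Structured payload a portscan preprocessor could pass instead of a string. */
typedef struct {
    char src[16], dst[16];      /* dotted-quad strings (constructed sample data) */
    unsigned int proto, sport, dport;
    char scantype[16];
} scan_info_t;

/* Predefined struct shared by preprocessors and output plugins. */
typedef struct {
    unsigned int sid, cid;      /* sensor id, event id */
    origin_t origin;            /* who generated the record */
    const scan_info_t *scan;    /* set when origin == ORIGIN_PORTSCAN */
    const char *text;           /* free-form message for the catchall table */
} plugin_event_t;

/* Picks the database table for an event: the plugin-specific table when the
 * origin is known and its structured payload is present, the cid/text
 * catchall otherwise. Returns the table name and writes a row summary to out. */
const char *route_event(const plugin_event_t *ev, char *out, size_t n) {
    if (ev->origin == ORIGIN_PORTSCAN && ev->scan != NULL) {
        snprintf(out, n, "%u %u %s %s %u %u %u %s", ev->sid, ev->cid,
                 ev->scan->src, ev->scan->dst, ev->scan->proto,
                 ev->scan->sport, ev->scan->dport, ev->scan->scantype);
        return "portscan";
    }
    /* Unknown origin, or a known origin without its struct: keep the text but
     * store the origin tag alongside it so the row can still be attributed. */
    snprintf(out, n, "%u %u %d %s", ev->sid, ev->cid, (int)ev->origin,
             ev->text ? ev->text : "");
    return "catchall";
}

int main(void) {
    scan_info_t s = { "10.0.0.5", "10.0.0.9", 17, 1024, 53, "UDP Scan" };
    plugin_event_t e1 = { 1, 100, ORIGIN_PORTSCAN, &s, NULL };
    plugin_event_t e2 = { 1, 101, ORIGIN_SPADE, NULL, "anomaly score 0.97" };
    char row[128];
    printf("%s: %s\n", route_event(&e1, row, sizeof row), row);
    printf("%s: %s\n", route_event(&e2, row, sizeof row), row);
    return 0;
}
```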
