[Snort-devel] [ snort-Patches-592020 ] changes in spo_database.c suggested

Kreimendahl, Chad J Chad.Kreimendahl at ...1167...
Wed Aug 7 12:40:05 EDT 2002


Which makes me think....  Using a NUMBER field (4-8byte) is a great deal
less space consuming that regional character field (VARCHAR(15?)) that
could take up 30-60 bytes. Not that it matters so much when you're
recording all the info in the DATA table (which, by the way, is broken
for Oracle)...

Speaking of... Anyone willing to give me some help on rewriting the
Oracle part of spo-database?  The current problems relate to the lack of
efficient queries... And maximum data entry allowed in a non-prepared
non-bound-insert.  Oracle will only take 4k characters in a string to be
inserted... Which means about 12-20% of all data inserted is missing
(string too long). 

-----Original Message-----
From: Ian Macdonald [mailto:secsnortdev at ...1490...] 
Sent: Wednesday, August 07, 2002 2:34 PM
To: Kreimendahl, Chad J; snort-devel at lists.sourceforge.net
Subject: Re: [Snort-devel] [ snort-Patches-592020 ] changes in
spo_database.c suggested


Its is also more efficient to do matches based on a numeric number
rather
than strings. So using a numeric number should return queries quicker.

Ian
----- Original Message -----
From: "Kreimendahl, Chad J" <Chad.Kreimendahl at ...1167...>
To: <snort-devel at lists.sourceforge.net>
Sent: Wednesday, August 07, 2002 11:50 AM
Subject: RE: [Snort-devel] [ snort-Patches-592020 ] changes in
spo_database.c suggested


>
> I posted a comment on sourceforge, but should probably do it here as
> well:
>
> One of the greatest reasons to insert the data into the DB this way is
> for searching of ranges.  Since the range:
> 172.16.0.0/12 would be extremely dificult to represent in a query to
> return all info from those src or dst IPs... the decimal form is
> preferred:
> 172.16.0.0/12 would be:
> 2886729728 -> 2887778303
>
> so an oracle query such as
> where dst_ip between 2886729728 and 2887778303
> would return the exact information you wanted.  The calculations for
the
> minimum and maximum values is actually very simple...
>
> -----Original Message-----
> From: noreply at ...12... [mailto:noreply at ...12...]
> Sent: Wednesday, August 07, 2002 7:33 AM
> To: noreply at ...12...
> Subject: [Snort-devel] [ snort-Patches-592020 ] changes in
> spo_database.c suggested
>
>
> Patches item #592020, was opened at 2002-08-07 18:03
> You can respond by visiting:
>
https://sourceforge.net/tracker/?func=detail&atid=303357&aid=592020&grou
> p_id=3357
>
> Category: None
> Group: None
> Status: Open
> Resolution: None
> Priority: 5
> Submitted By: Manish Kumar Arya (manish_k_arya)
> Assigned to: Nobody/Anonymous (nobody)
> Summary: changes in spo_database.c suggested
>
> Initial Comment:
> Hello Admins
>                   I have a suggestion for making a change in
> spo_database.c.
>                   while commiting src ip and dst ip in iphdr
> table  it commited network byte order rather
> commiting actul ip address. i hav made changes for
> commiting IP addresses to iphdr table rather
> commiting network byte order.
>
> if u feel i m correct pls accept this change (line no
> 1010 program spo_database.c)
>
> i m sending this changed program with this mail
>
> Manish Arya
> http://www.linuxlabs.biz
>
>
> ----------------------------------------------------------------------
>
> You can respond by visiting:
>
https://sourceforge.net/tracker/?func=detail&atid=303357&aid=592020&grou
> p_id=3357
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
>





More information about the Snort-devel mailing list