[Snort-devel] last_cid in new database scheme v106

Dirk Geschke Dirk_Geschke at ...802...
Fri Sep 13 13:51:07 EDT 2002


Hi Chad,

> I'm in the process of trying to write a new database plugin
> (database2?), that will use this new strucutre, as well as provide more
> efficient means of insert/update/select statements.  The use of prepared
> statements with bound placeholders will prevent the rebuilding of query
> strings, and in the vast majority of databases, increase response
> times... While only staying the same in others.

yes that would be a good thing to do. But first of all we need
a new design of the database. Without this a new plugin does not
make too much sense (ok, it could be coded nicer and some of my
previous ideas of pre-inserting of the rules could be performed).

On the other hand, with a new design we have to ensure that all
the available tools like ACID (and I guess there are a lot of 
similar tools out there) are running with this new desgin.

So if this concept should not end in a dead project we have
to involve a lot of people. Otherwise you will be the only
user and this is disappointing and discouraging.

> it was a positive.  This makes a large number of alerts pointless since
> they are often overflows that are greater than the max length allowed in
> a query string.  Placeholders/bound vars fix this.

What is the maximum query length on oracle? Maybe you should set
the constant in src/output-plugins/spo_database.c

#define MAX_QUERY_LENGTH 8192

to the right value?

Best regards

Dirk



-- 
+------------------------------------------------------------+
| Dr. Dirk Geschke            | E-mail: geschke at ...802...     |
| Gesellschaft fuer Netzwerk  | Tel.  : +49-(0)-89-991950-31 |
| und Unix Administration mbH | Fax   : +49-(0)-89-991950-99 |
| 85551 Kirchheim / Germany   | Raeter Stra/3e 26            |
+------------------------------------------------------------+






More information about the Snort-devel mailing list