[Snort-devel] last_cid in new database scheme v106

Dirk Geschke Dirk_Geschke at ...802...
Fri Sep 13 13:51:07 EDT 2002

Hi Y. John Jiang,

> 1) I assume event.sid references the primary key sensor.sid.  Does 
> *.cid reference anything?  Is it a pure sequence number (in 
> conjunction with sid) for the event table?

event.sid refers to the sensor, which created the alert
event.cid refers to the alarm generated by event.sid,
this is an incrementing value labeling the alerts.

So what you need are both values: Which alert was generated
by which sensor. So the primary index is the combination
of both (sid,cid).

Or maybe more precisely:

sid numbers the sensors
cid numbers the alerts for each sensor

So you can have as many cid's with the same number as
you have sid's...

> 2) The name sid confused me at first because the unique ID for each 
> Snort rule is sid in Snort documents.  Am I right that the latter is 
> signature.sig_sid?

Yeah, this is one of the ugliest things within the database scheme.

There is a sid like event.sid, sensor.sid: This describes the sensor.

Then you have signature.sig_sid: This is equal to the sig in the rules
of snort.conf

And finally there is signature.sig_id: This is the unique id of each
signature (and most of the time different to sig_sid). If maybe the
revision (sig_rev) changes then the sig_sid will still be the same
but sig_id will get a new number.

This is really confusing, or?

Best regards

| Dr. Dirk Geschke            | E-mail: geschke at ...802...     |
| Gesellschaft fuer Netzwerk  | Tel.  : +49-(0)-89-991950-31 |
| und Unix Administration mbH | Fax   : +49-(0)-89-991950-99 |
| 85551 Kirchheim / Germany   | Raeter Straße 26             |
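
The key layout described in the message above, as an added example that is not part of the original post and not code from the Snort project. It uses a reduced, constructed version of the sensor, signature and event tables in an in-memory SQLite database; the link from event.signature to signature.sig_id and all sample rows (including the placeholder rule number 1000001) are assumptions made for the illustration.

```python
import sqlite3

# Reduced, constructed sketch of the three tables named in the post.
# Assumption (not stated in the post): event.signature points at signature.sig_id.
SCHEMA = """
CREATE TABLE sensor    (sid INTEGER PRIMARY KEY, hostname TEXT);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT,
                        sig_rev INTEGER, sig_sid INTEGER);
CREATE TABLE event     (sid INTEGER NOT NULL REFERENCES sensor(sid),
                        cid INTEGER NOT NULL,
                        signature INTEGER NOT NULL REFERENCES signature(sig_id),
                        PRIMARY KEY (sid, cid));
"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    # Constructed data: two sensors; one rule (placeholder sig_sid 1000001) in two revisions.
    db.executemany("INSERT INTO sensor VALUES (?, ?)", [(1, "sensor-a"), (2, "sensor-b")])
    db.executemany("INSERT INTO signature VALUES (?, ?, ?, ?)",
                   [(10, "example rule", 1, 1000001), (11, "example rule", 2, 1000001)])
    # cid counts per sensor, so (1, 1) and (2, 1) are two different alerts.
    db.executemany("INSERT INTO event VALUES (?, ?, ?)", [(1, 1, 10), (1, 2, 11), (2, 1, 11)])
    return db

def sensors_with_cid(db, cid):
    """The same cid can occur once per sensor."""
    return [r[0] for r in db.execute("SELECT sid FROM event WHERE cid = ? ORDER BY sid", (cid,))]

def duplicate_rejected(db):
    """Reusing a cid on the same sensor violates the (sid, cid) primary key."""
    try:
        db.execute("INSERT INTO event VALUES (1, 1, 10)")
    except sqlite3.IntegrityError:
        return True
    return False

def counts(db, column):
    """Alert counts grouped by a signature column ('sig_id' or 'sig_sid')."""
    assert column in ("sig_id", "sig_sid")  # fixed allow-list, never user input
    return db.execute(f"SELECT s.{column}, COUNT(*) FROM event e "
                      f"JOIN signature s ON e.signature = s.sig_id "
                      f"GROUP BY s.{column} ORDER BY s.{column}").fetchall()

if __name__ == "__main__":
    db = build_db()
    print(sensors_with_cid(db, 1), duplicate_rejected(db))
    print("per sig_id :", counts(db, "sig_id"))   # one rule split across revisions
    print("per sig_sid:", counts(db, "sig_sid"))  # one row per Snort rule
```

Grouping by sig_id splits the alerts of one rule across its revisions, while grouping by sig_sid gives a single row per rule.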
