[Snort-devel] last_cid in new database scheme v106

ian.willis at ...1523... ian.willis at ...1523...
Fri Sep 13 19:09:03 EDT 2002

Some possible problems that relate to making optimisation such as you 

1 Some of the optimisations that you are making are not universal 
solutions, they are database dependant. I believe that Oracle properly 
configured doesn't have any real gains from some of the changes that you 
believe will speed up queries. 
2 Proper indexing should reduce query time by log(n) unless a complete 
table scan is needed.
3 I have worked in oraganisation where we have denormalized data 
structures to gain performance only to have the very changes that we made 
with the best intentions restricting future innovations, our crystal ball 
tended to be very clouded.
4 When doing bulk loads from files the integrity checking that the 
database normally does may not apply, again this is implementation 

I would love to see a different database structure, as long as we keep the
existing spo for compatibility. For databases that support views it would
also be possible to build one that maps back to the original db design.

Based on my exprience build large dataload systems we should think think
about a couple things.

What would the goals for a new database structure be?
Improve logging speed,
Improve ability to pull out records quicker from db the front end,
Move rule sets and snort configs to the database rather than text files.?

More information about the Snort-devel mailing list