[Snort-devel] DDL for snort rules in a DB

Kreimendahl, Chad J Chad.Kreimendahl at ...1167...
Thu Sep 19 09:50:05 EDT 2002


It's been mentioned a few times very recently, and so our company would
like to contribute a bit of data structure to the snort project.

We've been using this structure (with other tables), to generate rules
files for our different sensors.  The header part of it all is fairly
unsophisticated, and the rules parts should be sufficient.  We'd love to
offer our services to make snort load its config from a DB.

The tables are:

RULES
 Contains all required bits of information, and similar items that may
appear only once.

RULE_FLAGS
 Contains all rule flags (except for msg:, sid:, rev:, priority:, class:),
ordered by their entry.

RULE_GROUP
 Extra table that contains a list of groups (similar to the files out
there now (web-misc.rules...)) that associate to a rule. This should
allow for people to create management tools that are familiar to the
environment they use today (vi anyone?).

SENSOR_CONFIG
 Contains the header information for the sensor config (preprocessors
and such).  It is currently just a large text field, but we would like it to
be something better.

VARS
 Contains a list of the variables used in config.

SENSOR_VARS
 Contains a list of variables to be changed in config (overwrites global
vars).

POLICY
 Contains basic policy information.

POLICY_RULES
 Links rules into a policy... So that a policy containing a set of
common rules may be applied across multiple sensors... While still
allowing the sensors to have their own variables and such.

SENSOR_POLICY
 Links a sensor to a policy (set of rules).

-------------- next part --------------
A non-text attachment was scrubbed...
Name: config-in-db_oracle.sql
Type: application/octet-stream
Size: 3805 bytes
Desc: config-in-db_oracle.sql
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20020919/f36b3d2f/attachment.obj>
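The post names the tables but not their columns, and the attached DDL is not reproduced here. The following is an added example, not the poster's code or the attachment, that assumes a minimal column layout for RULES, RULE_FLAGS, VARS, SENSOR_VARS, POLICY, POLICY_RULES and SENSOR_POLICY, and shows how a rules file for one sensor would be generated from them: global vars first, sensor overrides applied on top, then the rules of the policy linked to that sensor, with options emitted in RULE_FLAGS order. The table names come from the post; every column and all sample data are constructed.

```python
import sqlite3
# Assumed column layout for the tables the post names (the post gives no columns).
SCHEMA = """
CREATE TABLE rules(sid INTEGER PRIMARY KEY, rev INTEGER, action TEXT, proto TEXT, src TEXT,
  sport TEXT, dst TEXT, dport TEXT, msg TEXT, classtype TEXT, priority INTEGER);
CREATE TABLE rule_flags(sid INTEGER, seq INTEGER, flag TEXT, value TEXT);  -- ordered options
CREATE TABLE vars(name TEXT PRIMARY KEY, value TEXT);                       -- global vars
CREATE TABLE sensor_vars(sensor TEXT, name TEXT, value TEXT);               -- per-sensor overrides
CREATE TABLE policy(policy_id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE policy_rules(policy_id INTEGER, sid INTEGER);
CREATE TABLE sensor_policy(sensor TEXT, policy_id INTEGER);
"""

# Constructed sample data: one rule, one policy, one sensor that overrides HOME_NET.
SAMPLE = """
INSERT INTO rules VALUES(1000001,2,'alert','tcp','$EXTERNAL_NET','any','$HTTP_SERVERS','80',
  'WEB-MISC constructed example','web-application-attack',2);
INSERT INTO rule_flags VALUES(1000001,1,'flow','to_server,established');
INSERT INTO rule_flags VALUES(1000001,2,'content','"/example"');
INSERT INTO rule_flags VALUES(1000001,3,'nocase',NULL);
INSERT INTO vars VALUES('EXTERNAL_NET','any'),('HTTP_SERVERS','$HOME_NET'),('HOME_NET','10.0.0.0/8');
INSERT INTO sensor_vars VALUES('dmz-1','HOME_NET','192.0.2.0/24');
INSERT INTO policy VALUES(1,'web');
INSERT INTO policy_rules VALUES(1,1000001);
INSERT INTO sensor_policy VALUES('dmz-1',1);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA + SAMPLE)
    return db

def render_rule(db, sid):
    # Fixed fields come from RULES; options come from RULE_FLAGS in seq order,
    # with the once-only items (msg, classtype, priority, sid, rev) added around them.
    action, proto, src, sport, dst, dport, msg, ctype, prio, rev = db.execute(
        "SELECT action,proto,src,sport,dst,dport,msg,classtype,priority,rev FROM rules WHERE sid=?",
        (sid,)).fetchone()
    opts = [f'msg:"{msg}";']
    for flag, value in db.execute("SELECT flag,value FROM rule_flags WHERE sid=? ORDER BY seq", (sid,)):
        opts.append(f"{flag};" if value is None else f"{flag}:{value};")  # NULL value = bare flag
    opts += [f"classtype:{ctype};", f"priority:{prio};", f"sid:{sid};", f"rev:{rev};"]
    return f"{action} {proto} {src} {sport} -> {dst} {dport} ({' '.join(opts)})"

def render_sensor(db, sensor):
    # Global VARS first, then SENSOR_VARS for this sensor overwrite them.
    v = dict(db.execute("SELECT name,value FROM vars ORDER BY name"))
    v.update(db.execute("SELECT name,value FROM sensor_vars WHERE sensor=?", (sensor,)))
    out = [f"var {name} {value}" for name, value in v.items()]
    sids = db.execute("SELECT pr.sid FROM sensor_policy sp JOIN policy_rules pr "
                      "ON pr.policy_id=sp.policy_id WHERE sp.sensor=? ORDER BY pr.sid", (sensor,))
    out += [render_rule(db, sid) for (sid,) in sids]
    return "\n".join(out)
```

A sensor with no row in SENSOR_POLICY gets only the var lines, which is the signal that it has no policy attached yet.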
