There's talk I hear often about the database writes taking too much
overhead... but I've yet to experience it.

and beyond that...

I've redesigned the structure for writing performance purposes, but only
from the perspective of Oracle.   This involves the merging of some
tables (such as all the iphdr related ones (tcp/udp/icmp)...).  This
makes queries which typically join 6 tables only have to join 3.   Also,
inserts using sequences aren't vulnerable to things such as colliding
snorts... (like when there are two snorts with the same config running
on the same interface).   Though that does mean you'll end up with
double the data, it does prevent the errors associated with holding the
counter in the application.   I've also found that taking it down to one
single event_id and using that to link everything prevents massive I/O
in oracle in relation to full table scans when doing large-ass queries.

Though I know that the merger of all the iphdr tables together goes
against it, the rest of this is basic database design...   If you or
anyone else can provide some time to me, I'd like to get this new design
pushed out, along with the output modules. 

Hello there,

    I've been taking a look at Snort's DB schema (using the recently
updated diagram Chris provided) and a question has popped up. Is there a
reason why we use a composite key (cid and sid) for the tables beyond
wanting to have sequential cids for each sensor? It seems it complicates
things somewhat since we need to spread out these keys over all the
tables in the event-specific snort tables. 

Wouldn't it be simpler -- white still fully functional -- to have a
single globally unique sequential event ID?

