[Snort-devel] Composite keys in Snort DB schema
roesch at ...402...
Thu Aug 26 17:01:13 EDT 2004
I'm kicking around adding a "serial number" field to the Packet struct.
It would probably look something like:
typedef struct _PktSerial
{
    u_int8_t  collection_mac[6];    /* MAC addr of the interface this packet
                                       was collected on (48 bits = 6 octets) */
    time_t    sensor_start_time;    /* time at the point this instance of
                                       Snort started */
    u_int32_t number;               /* packet number for this run */
} PktSerial;
This would allow us to track a unique instance of Snort pretty easily
(at least for the next 32 years) and do simple mac->sensor ID mappings
in any data analysis interface. A u_int32_t might not be big enough
for long running instances of Snort but I'm loathe to use something
that won't fit into a register on an x86 for something that gets
touched on every packet. I guess I could have another u_int32_t as a
series index as well and just rotate that every time PktSerial.number
Maybe do a 'typedef BIGINT u_int32_t' and let people redefine it as
64-bit for their machines or something...
On Aug 19, 2004, at 11:01 AM, Christian Robottom Reis wrote:
> Hello there,
> I've been taking a look at Snort's DB schema (using the recently
> updated diagram Chris provided) and a question has popped up. Is there
> reason why we use a composite key (cid and sid) for the tables beyond
> wanting to have sequential cids for each sensor? It seems it
> things somewhat since we need to spread out these keys over all the
> tables in the event-specific snort tables.
> Wouldn't it be simpler -- while still fully functional -- to have a
> single globally unique sequential event ID?
> Take care,
> Christian Robottom Reis | http://async.com.br/~kiko/ | [+55 16] 3361
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Enterprise-class Snort-based IDS Infrastructure
roesch at ...402... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
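Added example, not Snort code and not part of the thread above: a C sketch of the PktSerial struct as discussed, extended with the "series index" idea (a second u_int32_t that is bumped each time the 32-bit packet counter wraps), a 64-bit fold of (series, number) into a single per-sensor key, and a text rendering of the MAC-plus-start-time sensor identity for a mac->sensor lookup table. The field name `series`, the function names, the MAC and the start time are all assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Added example (not Snort source): the per-packet serial sketched in the
 * message above, plus the "series index" floated for long-running sensors
 * whose packet count could exceed 2^32. Field names other than
 * collection_mac, sensor_start_time and number are assumptions. */
typedef struct _PktSerial
{
    uint8_t  collection_mac[6];   /* MAC of the capture interface, 48 bits */
    time_t   sensor_start_time;   /* when this Snort instance started */
    uint32_t series;              /* assumed: incremented when number wraps */
    uint32_t number;              /* packet number within the current series */
} PktSerial;

/* Start a fresh serial for a new Snort run. */
void pkt_serial_init(PktSerial *ps, const uint8_t mac[6], time_t start)
{
    memcpy(ps->collection_mac, mac, 6);
    ps->sensor_start_time = start;
    ps->series = 0;
    ps->number = 0;
}

/* Per-packet fast path: one 32-bit increment. The carry into 'series'
 * is taken once every 2^32 packets, so the hot path stays register-sized. */
void pkt_serial_next(PktSerial *ps)
{
    if (ps->number == UINT32_MAX) {
        ps->number = 0;
        ps->series++;
    } else {
        ps->number++;
    }
}

/* Fold (series, number) into one 64-bit, monotonically increasing value:
 * a single per-sensor sequential ID of the kind the quoted question asks about. */
uint64_t pkt_serial_key(const PktSerial *ps)
{
    return ((uint64_t)ps->series << 32) | ps->number;
}

/* Text form of the sensor identity (MAC + start time) for a mac->sensor
 * lookup table in an analysis front end. Returns the snprintf length. */
int pkt_serial_sensor_id(const PktSerial *ps, char *out, size_t outlen)
{
    const uint8_t *m = ps->collection_mac;
    return snprintf(out, outlen, "%02x:%02x:%02x:%02x:%02x:%02x@%lld",
                    (unsigned)m[0], (unsigned)m[1], (unsigned)m[2],
                    (unsigned)m[3], (unsigned)m[4], (unsigned)m[5],
                    (long long)ps->sensor_start_time);
}

/* Drive the struct through a counter wrap: two increments starting from
 * UINT32_MAX-1 must land on series 1, number 0. Returns the 64-bit key. */
uint64_t demo_wrap_key(void)
{
    static const uint8_t mac[6] = {0x00, 0x0c, 0x29, 0x11, 0x22, 0x33}; /* constructed */
    PktSerial ps;
    pkt_serial_init(&ps, mac, (time_t)1093554073);   /* constructed start time */
    ps.number = UINT32_MAX - 1;                       /* jump to just before the wrap */
    pkt_serial_next(&ps);                             /* -> number == UINT32_MAX */
    pkt_serial_next(&ps);                             /* -> series 1, number 0 */
    return pkt_serial_key(&ps);
}

/* Same constructed sensor, rendered as the lookup-table string. */
const char *demo_sensor_id(void)
{
    static const uint8_t mac[6] = {0x00, 0x0c, 0x29, 0x11, 0x22, 0x33}; /* constructed */
    static char buf[64];
    PktSerial ps;
    pkt_serial_init(&ps, mac, (time_t)1093554073);   /* constructed start time */
    pkt_serial_sensor_id(&ps, buf, sizeof buf);
    return buf;
}

int main(void)
{
    printf("sensor %s, key after wrap = %llu\n", demo_sensor_id(),
           (unsigned long long)demo_wrap_key());
    return 0;
}
```

The hot path in pkt_serial_next is a single compare-and-increment on a 32-bit value; the series carry only costs a branch once per 2^32 packets, which is the trade-off the message is weighing against a 64-bit counter. The 64-bit key is what a database front end would store in place of a (sid, cid) pair if it wanted one sortable column per sensor.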