[Snort-devel] Composite keys in Snort DB schema

Martin Roesch roesch at ...402...
Thu Aug 26 18:33:12 EDT 2004


This would allow us to have unique tracking of each instance per 
interface on a multi-interface sensing device.  Replacing cards just 
means that you have a new map entry to manage.  For example:

00:00:00:00:00:01 - Sensor 1, fxp0
00:00:00:00:00:02 - Sensor 1, fxp1

then you replace fxp0 in sensor 1 with a new NIC and change the map

de:ad:be:ef:00:00 - Sensor 1, dl0

Something like that.  How often do you switch out sensing interfaces on 
your sensors?  My assumption was that that doesn't happen too often and 
that this was a good way to establish a unique sensor ID for every 
instance of Snort running on a device.  I guess if we ever get to the 
notion of having multi-interface sensing with a single instance then 
this wouldn't work so well...

We could just do a simple counter but this lets us relate a machine, a 
date and a packet serial number pretty easily which is what I think 
we're interested in for doing things like logging packets associated 
with events (via tags or whatever).  We could also do fun things like 
track flow IDs if we were feeling really fancy.

I suppose in a unified file setting we would just put the MAC and the 
start time in the file header and then just track the packet serial 
number as an incrementing integer and/or have an event counter.

I'm just thinking out loud here, you guys can feel free to tell me this 
is worthless or wrong or whatever...

      -Marty

On Aug 26, 2004, at 9:15 PM, Frank Knobbe wrote:

> On Thu, 2004-08-26 at 19:00, Martin Roesch wrote:
>> I'm kicking around adding a "serial number" field to the Packet 
>> struct.
>>   It would probably look something like:
>>
>> typedef struct _PktSerial
>> {
>> 	u_int8_t collection_mac[6];	/* MAC addr of the interface this packet
>> was collected on */
>
>
> Tracking by MAC address? Eeww... How do you handle things when you need
> to replace the sniffing network card? Force the old MAC on the new card
> through software?
>
> Regards,
> Frank
>
>
-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch at ...402... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
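As an added illustration, not code from this thread or from Snort itself: the composite key Marty sketches (collection MAC, instance start time, incrementing packet serial) together with the MAC-to-(sensor, interface) map, in C. Only the collection_mac field comes from the quoted struct; the other field names, the functions and the sample values are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Per-packet serial as sketched in the thread: the collecting interface's MAC plus
 * the instance start time identify one Snort instance; the counter makes packets unique. */
typedef struct _PktSerial {
    uint8_t  collection_mac[6]; /* MAC addr of the interface this packet was collected on */
    uint32_t start_time;        /* (assumed name) instance start time, epoch seconds */
    uint32_t pkt_num;           /* (assumed name) incrementing per-instance packet counter */
} PktSerial;
/* Fix the (mac, start_time) part of the key when the instance starts. */
void serial_init(PktSerial *ctx, const uint8_t mac[6], uint32_t start_time)
{
    memcpy(ctx->collection_mac, mac, 6);
    ctx->start_time = start_time;
    ctx->pkt_num = 0;
}
/* Stamp the next packet: advance the counter and return a copy of the key. */
PktSerial serial_next(PktSerial *ctx)
{
    ctx->pkt_num++;
    return *ctx;
}
/* Render the composite key as "mac/start_time/pkt_num" for use as a DB key. */
int serial_key(const PktSerial *s, char *buf, size_t len)
{
    const uint8_t *m = s->collection_mac;
    return snprintf(buf, len, "%02x:%02x:%02x:%02x:%02x:%02x/%u/%u",
                    m[0], m[1], m[2], m[3], m[4], m[5],
                    (unsigned)s->start_time, (unsigned)s->pkt_num);
}

/* The MAC -> (sensor, interface) map from the thread. Replacing a NIC means
 * appending an entry; keys stamped by the old card keep resolving. */
typedef struct { uint8_t mac[6]; int sensor; const char *iface; } IfaceMapEntry;
static IfaceMapEntry iface_map[16]; static int iface_map_len = 0;
int map_add(const uint8_t mac[6], int sensor, const char *iface)
{
    if (iface_map_len >= 16) return -1;       /* map full */
    IfaceMapEntry *e = &iface_map[iface_map_len++];
    memcpy(e->mac, mac, 6);
    e->sensor = sensor; e->iface = iface;
    return 0;
}
const IfaceMapEntry *map_lookup(const uint8_t mac[6])
{
    for (int i = 0; i < iface_map_len; i++)
        if (memcmp(iface_map[i].mac, mac, 6) == 0) return &iface_map[i];
    return NULL;                              /* unknown interface */
}
```

With the old fxp0 entry left in place, packets stamped before the swap still resolve to "Sensor 1, fxp0" while new packets carry the replacement card's MAC and resolve to dl0.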