[Snort-devel] Composite keys in Snort DB schema
roesch at ...402...
Thu Aug 26 18:33:12 EDT 2004
This would allow us to have unique tracking of each instance per
interface on a multi-interface sensing device. Replacing cards just
means that you have a new map entry to manage. For example:
00:00:00:00:00:01 - Sensor 1, fxp0
00:00:00:00:00:02 - Sensor 1, fxp1
then you replace fxp0 in sensor 1 with a new NIC and change the map
de:ad:be:ef:00:00 - Sensor 1, dl0
Something like that. How often do you switch out sensing interfaces on
your sensors? My assumption was that that doesn't happen too often and
that this was a good way to establish a unique sensor ID for every
instance of Snort running on a device. I guess if we ever get to the
notion of having multi-interface sensing with a single instance then
this wouldn't work so well...
We could just do a simple counter but this lets us relate a machine, a
date and a packet serial number pretty easily which is what I think
we're interested in for doing things like logging packets associated
with events (via tags or whatever). We could also do fun things like
track flow IDs if we were feeling really fancy.
I suppose in a unified file setting we would just put the MAC and the
start time in the file header and then just track the packet serial
number as an incrementing integer and/or have an event counter.
I'm just thinking out loud here, you guys can feel free to tell me this
is worthless or wrong or whatever...
On Aug 26, 2004, at 9:15 PM, Frank Knobbe wrote:
> On Thu, 2004-08-26 at 19:00, Martin Roesch wrote:
>> I'm kicking around adding a "serial number" field to the Packet
>> It would probably look something like:
>> typedef struct _PktSerial
>> u_int8_t collection_mac; /* MAC addr of the interface this packet
>> was collected on */
> Tracking by MAC address? Eeww... How do you handle things when you need
> to replace the sniffing network card? Force the old MAC on the new card
> through software?
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch at ...402... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
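An added sketch of the composite key discussed in the thread, written for this page rather than taken from Snort or from Martin's message: a `PktSerial` made of the collection interface's MAC, the instance start time and an incrementing packet counter, plus the MAC-to-(sensor, interface) map that absorbs a NIC swap as one new map entry. All names (`PktSerial` fields beyond the quoted one, `SensorMapEntry`, `lookup_sensor`, `pkt_serial_*`) and the map contents are assumptions; the MAC is stored as a six-byte array, since a single `u_int8_t` can only hold one octet of it.

```c
/* Added example, not Snort source code. Assumed names and constructed data. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAC_LEN 6

/* Hypothetical per-packet serial: (collection MAC, instance start time, counter). */
typedef struct _PktSerial {
    uint8_t  collection_mac[MAC_LEN]; /* MAC of the interface the packet was seen on */
    uint32_t start_time;              /* epoch seconds when this Snort instance started */
    uint32_t pkt_num;                 /* per-instance packet counter, increments per packet */
} PktSerial;

/* Map entry: MAC -> (sensor id, interface name), the "map" from the post. */
typedef struct _SensorMapEntry {
    uint8_t     mac[MAC_LEN];
    int         sensor_id;
    const char *iface;
} SensorMapEntry;

/* Constructed map after fxp0 was replaced: the old 00:..:01 entry is gone,
 * the new card de:ad:be:ef:00:00 is registered as dl0 on sensor 1. */
static const SensorMapEntry sensor_map[] = {
    { {0x00, 0x00, 0x00, 0x00, 0x00, 0x02}, 1, "fxp1" },
    { {0xde, 0xad, 0xbe, 0xef, 0x00, 0x00}, 1, "dl0"  },
};

/* Resolve a MAC to its sensor/interface; NULL means an unregistered card. */
const SensorMapEntry *lookup_sensor(const uint8_t *mac)
{
    size_t i;
    for (i = 0; i < sizeof(sensor_map) / sizeof(sensor_map[0]); i++)
        if (memcmp(sensor_map[i].mac, mac, MAC_LEN) == 0)
            return &sensor_map[i];
    return NULL;
}

/* Start a serial for one Snort instance on one interface. */
PktSerial pkt_serial_init(const uint8_t *mac, uint32_t start_time)
{
    PktSerial s;
    memcpy(s.collection_mac, mac, MAC_LEN);
    s.start_time = start_time;
    s.pkt_num = 0;
    return s;
}

/* Advance the counter for the next packet; returns the new packet number. */
uint32_t pkt_serial_next(PktSerial *s)
{
    return ++s->pkt_num;
}

/* Render the composite key as "mac-starttime-pktnum" (a DB composite key in
 * text form). Returns the length written, or -1 if buf is too small. */
int pkt_serial_to_key(const PktSerial *s, char *buf, size_t buflen)
{
    const uint8_t *m = s->collection_mac;
    int n = snprintf(buf, buflen, "%02x:%02x:%02x:%02x:%02x:%02x-%u-%u",
                     m[0], m[1], m[2], m[3], m[4], m[5],
                     (unsigned)s->start_time, (unsigned)s->pkt_num);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return n;
}

/* Total order over serials: MAC, then start time, then packet number. */
int pkt_serial_cmp(const PktSerial *a, const PktSerial *b)
{
    int c = memcmp(a->collection_mac, b->collection_mac, MAC_LEN);
    if (c != 0)
        return c < 0 ? -1 : 1;
    if (a->start_time != b->start_time)
        return a->start_time < b->start_time ? -1 : 1;
    if (a->pkt_num != b->pkt_num)
        return a->pkt_num < b->pkt_num ? -1 : 1;
    return 0;
}

int main(void)
{
    static const uint8_t fxp1[MAC_LEN]     = {0x00, 0x00, 0x00, 0x00, 0x00, 0x02};
    static const uint8_t old_fxp0[MAC_LEN] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x01};
    PktSerial s = pkt_serial_init(fxp1, 1093560000u); /* constructed start time */
    char key[64];
    const SensorMapEntry *e;

    pkt_serial_next(&s);
    pkt_serial_to_key(&s, key, sizeof key);
    e = lookup_sensor(s.collection_mac);
    printf("%s -> sensor %d %s\n", key, e ? e->sensor_id : -1, e ? e->iface : "(unmapped)");
    printf("old fxp0 MAC still mapped? %s\n", lookup_sensor(old_fxp0) ? "yes" : "no");
    return 0;
}
```

The lookup failing for the old fxp0 MAC is the operational cost Frank raises: packets tagged with a card that has left the map need a new entry before they can be attributed to a sensor, so the map itself becomes data that must be kept in step with hardware changes.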