[Snort-devel] Composite keys in Snort DB schema

Frank Knobbe frank at ...2134...
Thu Aug 26 18:43:01 EDT 2004


On Thu, 2004-08-26 at 20:32, Martin Roesch wrote:
> This would allow us to have unique tracking of each instance per 
> interface on a multi-interface sensing device. 

Wouldn't <IP>-<iface> be sufficient to do that? (as in 1.2.3.4-fxp0)

> How often to you switch out sensing interfaces on 
> your sensors?

No often, granted. But MAC addresses are amongst those things that are
easily forgotten. It just seems to invite errors :)

> I'm just thinking out loud here, you guys can feel free to tell me this 
> is worthless or wrong or whatever...

Understood. Just thinking out loud myself. I think IP address or
hostname in combination with the interface name would be sufficient. If
you replace fxp0 for rl0, you are forced to make that change in the
config file which will hopefully remind one to make that change in other
places (like sensor table in the db). But if you change one fxp0 for
another fxp0, you might quickly dismiss the issue as handled without
going through other configs/tables and changing the MAC address.

Again, just thinking out loud. (been burned by changed MACs before :)

Cheers,
Frank

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20040826/9aa34c75/attachment.sig>


More information about the Snort-devel mailing list