[Snort-devel] Composite keys in Snort DB schema

Stephen Donnelly stephen at ...1784...
Thu Aug 26 22:05:54 EDT 2004


Snort might be used on interfaces that don't have 6-byte MAC addresses, or 
don't have MAC addresses at all? PPP for instance, POS, ATM...

Also the capture interface may not have an IP address assigned, if it is 
passively capturing packets (e.g. optical splitters etc).

Just some thoughts.

Stephen.

Martin Roesch wrote:
> I'm kicking around adding a "serial number" field to the Packet struct. 
>  It would probably look something like:
> 
> typedef struct _PktSerial
> {
>     u_int8_t  collection_mac[6];    /* MAC addr of the interface this packet was collected on */
>     time_t    sensor_start_time;    /* time at the point this instance of Snort started */
>     u_int32_t number;               /* packet number for this run */
> } PktSerial;
> 
> This would allow us to track a unique instance of Snort pretty easily 
> (at least for the next 32 years) and do simple mac->sensor ID mappings 
> in any data analysis interface.  A u_int32_t might not be big enough for 
> long running instances of Snort but I'm loath to use something that 
> won't fit into a register on an x86 for something that gets touched on 
> every packet.  I guess I could have another u_int32_t as a series index 
> as well and just rotate that every time PktSerial.number wraps...
> 
> Maybe do a 'typedef BIGINT u_int32_t' and let people redefine it as 
> 64-bit for their machines or something...
> 
>       -Marty
> 
> On Aug 19, 2004, at 11:01 AM, Christian Robottom Reis wrote:
> 
>>
>> Hello there,
>>
>>     I've been taking a look at Snort's DB schema (using the recently
>> updated diagram Chris provided) and a question has popped up. Is there a
>> reason why we use a composite key (cid and sid) for the tables beyond
>> wanting to have sequential cids for each sensor? It seems it complicates
>> things somewhat since we need to spread out these keys over all the
>> tables in the event-specific snort tables.
>>
>> Wouldn't it be simpler -- while still fully functional -- to have a
>> single globally unique sequential event ID?
>>
>> Take care,
>> -- 
>> Christian Robottom Reis | http://async.com.br/~kiko/ | [+55 16] 3361 2331


-- 
-----------------------------------------------------------------------
     Stephen Donnelly BCMS PhD           email: sfd at ...1784...
     Endace Technology Ltd   	        phone: +64 7 839 0540
     Hamilton, New Zealand               cell:  +64 21 1104378
-----------------------------------------------------------------------
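Stephen's point that a capture interface may have no MAC at all, together with Marty's worry about a 32-bit packet counter wrapping, as an added C sketch that is not Snort's code: the series and MAC-length fields, the function names, and the sample MAC and start time are my assumptions, not anything the thread fixed.

```c
#include <stdint.h>
#include <string.h>
#include <time.h>
/* Marty's PktSerial plus (assumed, not Snort code) a series index and a MAC length. */
typedef struct _PktSerial {
    uint8_t  collection_mac[6];   /* MAC of the collecting interface, if any */
    uint8_t  collection_mac_len;  /* 0 when the interface has no MAC (assumed) */
    time_t   sensor_start_time;   /* time this Snort instance started */
    uint32_t series;              /* bumped each time 'number' wraps (assumed) */
    uint32_t number;              /* packet number within the current series */
} PktSerial;
/* Start a run; mac may be NULL (PPP, POS, ATM, passive taps). Returns 1 if a
 * usable 6-byte MAC was recorded, so a mac->sensor mapping is possible. */
int pkt_serial_init(PktSerial *s, const uint8_t *mac, size_t mac_len, time_t start)
{
    memset(s, 0, sizeof(*s));
    s->sensor_start_time = start;
    if (mac == NULL || mac_len != sizeof(s->collection_mac))
        return 0;
    memcpy(s->collection_mac, mac, mac_len);
    s->collection_mac_len = (uint8_t)mac_len;
    return 1;
}
/* Per-packet advance; when 'number' wraps to 0 a new series starts, so
 * (sensor_start_time, series, number) stays unique for the whole run. */
void pkt_serial_next(PktSerial *s)
{
    if (++s->number == 0)         /* unsigned wrap-around is well defined */
        s->series++;
}
/* Fold series and number into one 64-bit ordinal for a DB column. */
uint64_t pkt_serial_ordinal(const PktSerial *s)
{
    return ((uint64_t)s->series << 32) | s->number;
}
/* Worked checks: wrap at the last 32-bit number; a passive tap with no MAC. */
uint64_t pkt_serial_wrap_demo(void)
{
    PktSerial s;
    const uint8_t mac[6] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55}; /* constructed */
    pkt_serial_init(&s, mac, sizeof(mac), (time_t)1093573554);
    s.number = UINT32_MAX;
    pkt_serial_next(&s);
    return pkt_serial_ordinal(&s);   /* 1ULL << 32 */
}
int pkt_serial_no_mac_demo(void)
{
    PktSerial s;
    return pkt_serial_init(&s, NULL, 0, (time_t)1093573554);   /* 0 */
}
```

A sensor with no MAC and no IP still needs an operator-assigned identifier; here only the start time distinguishes it, which is the gap the reply points at.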