[Snort-devel] what info does snort log to database for port scans?

Michael Boman michael.boman at ...2499...
Sat Aug 27 20:56:17 EDT 2005


On 8/28/05, Russell Fulton <r.fulton at ...1343...> wrote:
> What I would like to do is add an SQL 'plugin' to the program which logs the scans direct
> to the snort database.
> 
> Are there any docs that describe what I need to do or will I have to reverse engineer it?

Unfortunately there is no "Snort" way to store the port scans in the
database, that's why SGUIL (www.sguil.net) has its own table for
it. IMHO the standard Snort DB layout sucks in terms of performance,
and SGUIL fixed it by disregarding "how a DB should be built" from
academia and just aiming at "how do I get this DB to perform faster" from a
real-life perspective. Why you should need to join 3-4 tables just to
get the latest alerts shown to you is beyond me.

Best regards
  Michael Boman
-- 
IT Security Researcher & Developer
http://proxy.11a.nu
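Added example, not code from Snort, SGUIL or either poster: a small standalone logger that does what the original question asks for, parsing sfPortscan log records and writing them to a single flat SQL table, then reading the latest scans back with a one-table query instead of the multi-table join the reply complains about. It assumes the input is the sfPortscan "logfile" output format as documented in the Snort 2.x manual, that the caller supplies the year (those timestamps carry none), and that the table layout is this example's own, not SGUIL's schema. The sample records are constructed.

```python
# Added example (not Snort or SGUIL code): log sfPortscan events to one flat
# SQL table and read the latest scans back without joins.
# Assumptions: the input is the sfPortscan "logfile" format from the Snort 2.x
# manual; the table layout is this example's own, not SGUIL's schema.
import re
import sqlite3
from datetime import datetime

# Constructed sample: two sfPortscan records (values made up for the example).
SAMPLE_LOG = """\
Time: 08/28-20:56:17.603880
event_id: 2
192.168.169.3 -> 192.168.169.5 (portscan) TCP Filtered Portscan
Priority Count: 0
Connection Count: 200
IP Count: 2
Scanner IP Range: 192.168.169.3:192.168.169.4
Port/Proto Count: 200
Port/Proto Range: 20:47557

Time: 08/28-20:57:02.110000
event_id: 3
10.1.1.7 -> 192.168.169.5 (portscan) TCP Portsweep
Priority Count: 5
Connection Count: 12
IP Count: 12
Scanner IP Range: 10.1.1.7:10.1.1.7
Port/Proto Count: 1
Port/Proto Range: 22:22
"""

# One denormalised table: every column a query needs lives in the same row.
SCHEMA = """
CREATE TABLE IF NOT EXISTS portscan (
    id INTEGER PRIMARY KEY, event_id INTEGER, timestamp TEXT NOT NULL,
    src_ip TEXT NOT NULL, dst_ip TEXT NOT NULL, scan_type TEXT NOT NULL,
    priority_count INTEGER, connection_count INTEGER, ip_count INTEGER,
    scanner_range TEXT, port_count INTEGER, port_range TEXT);
CREATE INDEX IF NOT EXISTS portscan_ts ON portscan (timestamp);
"""
COLUMNS = ("event_id", "timestamp", "src_ip", "dst_ip", "scan_type",
           "priority_count", "connection_count", "ip_count",
           "scanner_range", "port_count", "port_range")
INSERT = "INSERT INTO portscan (%s) VALUES (%s)" % (
    ", ".join(COLUMNS), ", ".join(":" + c for c in COLUMNS))

HEADER_RE = re.compile(r"^(\S+) -> (\S+) \(portscan\) (.+)$")
# "Label: value" lines of a record -> (column, converter)
FIELD_MAP = {
    "Priority Count": ("priority_count", int),
    "Connection Count": ("connection_count", int),
    "IP Count": ("ip_count", int),
    "Scanner IP Range": ("scanner_range", str),
    "Port/Proto Count": ("port_count", int),
    "Port/Proto Range": ("port_range", str),
}


def parse_portscan_log(text, year):
    """Split the log into blank-line separated records and return dicts.

    sfPortscan timestamps carry no year, so the caller supplies it.
    Records missing the mandatory header fields are skipped, not guessed.
    """
    scans = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = dict.fromkeys(COLUMNS)  # every column present, default NULL
        for line in (raw.strip() for raw in block.splitlines() if raw.strip()):
            if line.startswith("Time:"):
                stamp = line.split(":", 1)[1].strip()
                rec["timestamp"] = datetime.strptime(
                    "%d/%s" % (year, stamp), "%Y/%m/%d-%H:%M:%S.%f").isoformat()
            elif line.startswith("event_id:"):
                rec["event_id"] = int(line.split(":", 1)[1])
            elif HEADER_RE.match(line):
                rec["src_ip"], rec["dst_ip"], rec["scan_type"] = HEADER_RE.match(line).groups()
            else:
                key, _, value = line.partition(":")
                if key in FIELD_MAP:
                    col, conv = FIELD_MAP[key]
                    rec[col] = conv(value.strip())
        if all(rec[k] for k in ("timestamp", "src_ip", "dst_ip", "scan_type")):
            scans.append(rec)
    return scans


def store_scans(conn, scans):
    """Create the table if needed and insert the records; returns the count."""
    conn.executescript(SCHEMA)
    with conn:
        conn.executemany(INSERT, scans)
    return len(scans)


def latest_scans(conn, limit=10):
    """Newest scans first: a single-table query, no joins."""
    cur = conn.execute(
        "SELECT timestamp, src_ip, dst_ip, scan_type, connection_count "
        "FROM portscan ORDER BY timestamp DESC LIMIT ?", (limit,))
    return cur.fetchall()


def demo():
    conn = sqlite3.connect(":memory:")
    store_scans(conn, parse_portscan_log(SAMPLE_LOG, year=2005))
    return latest_scans(conn)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Pointing `parse_portscan_log` at the file named by sfPortscan's `logfile` option (and a real database instead of `:memory:`) is all that changes for live use; the indexed `timestamp` column is what keeps the "latest scans" query cheap as the table grows.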