[Snort-users] Questions/Suggestion: Which data to put in the DB?

Mullen, Patrick Patrick.Mullen at ...24...
Wed Aug 2 14:05:22 EDT 2000


> > | Why split up the ip_src and ip_dst into four different elements?
> 
> You have made some convincing arguments supporting the idea of having
> only one four byte column to represent an IP address. 

<snip>

> My only hesitation is that makes it significantly more difficult for a
> human to interact directly with the database (I actually do most of my
> analysis by interacting manually with the db). 

<snip (see?  It's easy!)>

> If we do make this switch I think it would be a good idea to include
> both the four one byte columns and the one four byte column until the
> 1.7 release so we can transition smoothly.

Simple question/suggestion.  Add a field for the IP address as one
big number and keep the fields for the addresses as four one-byte
numbers.  This way existing scripts aren't broken, it's easy for
humans to interact directly with the database, and the computer
can read the entire address in one huge, easy to process chunk.
Keep it this way forever, rather than just until 1.7.

Slightly higher memory requirements (8 bytes/record), but memory
is cheap.  Just my US$0.02.


~Patrick
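The dual layout Patrick proposes, worked through as an added example that is not from the thread or from Snort's own DB output plugin (the table and column names below are assumed for illustration, not Snort's actual schema): each address is stored once as a single 32-bit integer and again as four one-byte octets. Two things the example adds that the post only implies: a CHECK constraint so the redundant copies cannot drift apart when a script updates one and not the other, and a side-by-side look at how a prefix-range query reads against each representation.

```python
import ipaddress
import sqlite3

# Table layout assumed for this example (column names are mine, not the
# Snort DB plugin's): each address is stored once as a single 32-bit
# unsigned integer and again as four one-byte octets. The CHECK constraints
# make the two copies inseparable, so a script that updates one cannot leave
# the other stale.
SCHEMA = """
CREATE TABLE event (
    sid      INTEGER PRIMARY KEY,
    ip_src   INTEGER NOT NULL,  -- whole source address as one number
    ip_src_0 INTEGER NOT NULL,  -- most significant octet
    ip_src_1 INTEGER NOT NULL,
    ip_src_2 INTEGER NOT NULL,
    ip_src_3 INTEGER NOT NULL,
    ip_dst   INTEGER NOT NULL,
    ip_dst_0 INTEGER NOT NULL,
    ip_dst_1 INTEGER NOT NULL,
    ip_dst_2 INTEGER NOT NULL,
    ip_dst_3 INTEGER NOT NULL,
    CHECK (ip_src = ip_src_0 * 16777216 + ip_src_1 * 65536 + ip_src_2 * 256 + ip_src_3),
    CHECK (ip_dst = ip_dst_0 * 16777216 + ip_dst_1 * 65536 + ip_dst_2 * 256 + ip_dst_3)
)
"""

# Constructed sample alerts (not real traffic): (src, dst) dotted quads.
SAMPLE_EVENTS = [
    ("10.1.17.5", "192.168.0.1"),
    ("10.1.31.200", "192.168.0.1"),
    ("10.1.32.1", "192.168.0.2"),
    ("172.16.0.9", "10.1.17.5"),
]


def ip_to_columns(addr):
    """Return (whole 32-bit value, o0, o1, o2, o3) for a dotted-quad string."""
    n = int(ipaddress.IPv4Address(addr))
    return (n, (n >> 24) & 0xFF, (n >> 16) & 0xFF, (n >> 8) & 0xFF, n & 0xFF)


def columns_to_ip(n):
    """Inverse of the integer column: 32-bit value back to a dotted quad."""
    return str(ipaddress.IPv4Address(n))


def open_db():
    """Create an in-memory database with the schema and the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    for sid, (src, dst) in enumerate(SAMPLE_EVENTS, start=1):
        conn.execute(
            "INSERT INTO event VALUES (?, ?,?,?,?,?, ?,?,?,?,?)",
            (sid, *ip_to_columns(src), *ip_to_columns(dst)),
        )
    conn.commit()
    return conn


def events_in_cidr(conn, cidr):
    """Machine-style query: any prefix length is one BETWEEN on the integer column."""
    net = ipaddress.ip_network(cidr, strict=False)
    rows = conn.execute(
        "SELECT sid FROM event WHERE ip_src BETWEEN ? AND ? ORDER BY sid",
        (int(net.network_address), int(net.broadcast_address)),
    )
    return [sid for (sid,) in rows]


def events_in_class_c(conn, o0, o1, o2):
    """Human-style query: a /24 reads naturally as three octet equalities."""
    rows = conn.execute(
        "SELECT sid FROM event WHERE ip_src_0=? AND ip_src_1=? AND ip_src_2=? ORDER BY sid",
        (o0, o1, o2),
    )
    return [sid for (sid,) in rows]


def mismatch_is_rejected(conn):
    """True if the CHECK constraint refuses a row whose two copies disagree."""
    try:
        # ip_src says 0.0.0.1 but the octets say 0.0.0.0: must be rejected.
        conn.execute("INSERT INTO event VALUES (99, 1,0,0,0,0, 1,0,0,0,1)")
    except sqlite3.IntegrityError:
        return True
    return False


if __name__ == "__main__":
    db = open_db()
    print("sources in 10.1.16.0/20:", events_in_cidr(db, "10.1.16.0/20"))
    print("sources in 10.1.17.0/24:", events_in_class_c(db, 10, 1, 17))
    print("inconsistent row rejected:", mismatch_is_rejected(db))
```

The /24 query is where the octet columns earn their keep at the shell or SQL prompt; the /20 query shows the case the post has in mind for the single integer column, since a range that crosses an octet boundary is one BETWEEN rather than a per-octet comparison. The CHECK constraints are the caveat that comes with keeping both: the extra 8 bytes per record are harmless, but two copies of the same fact are only safe if the database itself refuses to let them disagree.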



