[Snort-users] Questions/Suggestion: Which data to put in the DB?

Geoff the UNIX guy galitz at ...247...
Thu Aug 3 22:03:53 EDT 2000


> 
> My only hesitation is that makes it significantly more difficult for a
> human to interact directly with the database (I actually do most of my
> analysis by interacting manually with the db). That being said, should
> we make this switch, I want to be certain that someone is working on
> some apps to present data and do analysis based on data in the
> database. Anyone? :-)
>

At first, I found the way in which the IP addresses were broken
down to be vaguely annoying.  However, after a few days of coding
and integrating Snort into my other databases, I found the way
it is currently broken down to be the right way to go.

In general, I have always believed that data should be gathered
or sampled in the wild and then be broken down as much as possible 
before stashing it in a database.  That way the data can be 
reassembled in ways not seen when the whole application was
designed.

So my vote is to leave things the way they are.
 

BTW, did my Perl/SQL code ever make it to the list?  I sent
it out at the same time the list moved to SourceForge.

-geoff





