[Snort-users] Questions/Suggestion: Which data to put in the DB?

Jed Pickel jed at ...153...
Fri Aug 4 15:58:45 EDT 2000

> | However, after a few days of coding and integrating snort into my
> | other databases I found that the way it is currently broken down to be
> | the right way to go.
> There might be advantages I don't see with the way it's currently done
> (beside the fact that it's more human friendly).

Thanks to all who have responded to this thread so far. There have
been some good comments supporting both sides. I have talked with a
number of people this week on the phone and at the IETF meetings about
this topic. I am getting the sense that there is no standard (or
should I say best practice) way to represent an IP address in a
database. If someone out there knows different, let me know. :) As we
have seen in our discussions, there are good reasons to choose either
four one-byte fields or one four-byte field.

There were a couple suggestions to just include both
representations. I do not believe this is the right solution as it is
a good practice with databases to avoid replicated data.

At this point I think there needs to be some more discussion. In
particular I believe that Mike brings up some good discussion points.

Mike Anderson wrote..
> Since both your argument and mine are from the coding angle (you have
> written some, I'm still on the drawing table), I would very much like to
> hear more arguments about the advantages of this way to do it. :)
> From my point of view, the current way will make the SQL queries, and
> the generation of those, more complex (since you have to rely on four
> rows, instead of one).  Again, I would like to point to the
> subnet-example I used in an earlier message.

Does anyone have some example code that can SELECT using an arbitrary
subnet using the current snortdb? I could write some but I just don't
have time at the moment.

Anyway, I do intend to respond to individual questions brought up in
previous emails for these discussions; nevertheless, I have to leave
real soon and will be away from the Internet for the weekend so I
cannot answer them today.

* Jed
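
An added example, not part of the original post and not Snort's own code: it builds the WHERE clause for an arbitrary IPv4 subnet against both layouts discussed in this thread and checks that they select the same rows. The table `event_demo` and the columns `src_o1`..`src_o4` and `src_ip` are hypothetical names, not the snortdb schema, and the addresses are constructed sample data.

```python
import ipaddress
import sqlite3

# Constructed sample source addresses (not real alert data).
SAMPLE = ["10.1.2.3", "10.1.63.200", "10.1.64.1",
          "192.168.5.9", "192.168.5.130", "172.16.0.1"]

def build_db(addresses):
    """In-memory table holding BOTH layouts so they can be compared (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE event_demo (src_o1 INT, src_o2 INT, src_o3 INT,"
               " src_o4 INT, src_ip INT)")
    for a in addresses:
        ip = ipaddress.IPv4Address(a)
        db.execute("INSERT INTO event_demo VALUES (?,?,?,?,?)", (*ip.packed, int(ip)))
    return db

def octet_where(cidr):
    """Four one-byte fields: one condition per octet the prefix constrains."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    lo, hi = net.network_address.packed, net.broadcast_address.packed
    clauses, params = [], []
    for i in range(4):
        col = f"src_o{i + 1}"
        if lo[i] == hi[i]:                  # octet fully fixed by the prefix
            clauses.append(f"{col} = ?")
            params.append(lo[i])
        elif (lo[i], hi[i]) != (0, 255):    # prefix ends inside this octet
            clauses.append(f"{col} BETWEEN ? AND ?")
            params += [lo[i], hi[i]]
        # octets spanning 0..255 need no condition at all
    return " AND ".join(clauses) or "1=1", params

def int_where(cidr):
    """One four-byte field: a single range from network to broadcast address."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return "src_ip BETWEEN ? AND ?", [int(net.network_address), int(net.broadcast_address)]

def select_subnet(db, cidr, style):
    """Return matching addresses as dotted quads; style is 'octets' or 'int'."""
    where, params = octet_where(cidr) if style == "octets" else int_where(cidr)
    # 'where' holds only fixed column names and '?' markers; values are bound.
    rows = db.execute(f"SELECT src_ip FROM event_demo WHERE {where} ORDER BY src_ip", params)
    return [str(ipaddress.IPv4Address(r[0])) for r in rows]

if __name__ == "__main__":
    db = build_db(SAMPLE)
    for cidr in ("10.1.0.0/18", "192.168.5.128/25", "10.0.0.0/8"):
        print(cidr, octet_where(cidr), select_subnet(db, cidr, "int"))
```

The per-octet form works because a CIDR block is always a fixed run of leading octets, at most one partially constrained octet, and unconstrained trailing octets; the cost is that the query text changes shape with the prefix length, while the integer form is always one range.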

