[Snort-users] Snort database schema depends on snort's version?

roman at ...438... roman at ...438...
Sun Jun 10 15:08:31 EDT 2001


> The many tables used by snort and ACID are created by
> scripts in /contrib, and they also define the database schema.

Actually, the /contrib/create_* scripts create the tables
which snort will require to store the raw alert information.
Any ACID specific meta-information tables are created the first
time ACID is started.

> How much does this depend on snort's version? 
> Specifically, could I
> use a 102 schema (which I think is the latest) with snort-1.7 or 
> should I upgrade to some 1.8beta version?

They are very much dependent.  While any tables created by ACID
are valid for any version of Snort (i.e. 1.7, 1.8beta*), the
same is not true for the base alert tables (those created by
the /contrib script).  Usually only the script which came in the 
/contrib directory is valid for that particular version of snort.  
Thus, schema v102 _cannot_ be used with Snort 1.7.  Schema 
version 102 was introduced in a Snort 1.8beta and is NOT 
backwards compatible.  In order to use a newer schema, an 
upgrade in Snort is required.

All this being said, ACID can detect the schema version of the
database and will act accordingly.  However, it is important
not to mix or selectively add tables from a newer schema version
into an older version database.  This will result in incorrect
version detection.  Rather, when a new schema is introduced
a new database instance should be created.  Then, if migration
scripts are available, move the old data over.

I hope this clears things up,
Roman


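A pre-flight check in the spirit of the advice above, written as an added example rather than code from the Snort or ACID projects: before pointing a given Snort release at an existing alert database, confirm that the stored schema version is the one that release's /contrib script creates, and look for the signs of tables having been mixed in from a newer script. It assumes (the post does not say this) that the create_* scripts record the schema version as an integer column `vseq` in a table named `schema`, and that partially applying a newer script would leave extra `schema` rows or extra tables behind. The base table list and the database contents are constructed stand-ins, and sqlite3 in memory replaces the MySQL or PostgreSQL server readers of the list would have used.

```python
"""Pre-flight check of a Snort alert database against the schema version a
given Snort release expects.  Added example, not Snort or ACID code.
Assumption: the contrib create_* scripts store the schema version as an
integer column `vseq` in a table named `schema`.  sqlite3 with a constructed
in-memory database stands in for the real MySQL/PostgreSQL server."""
import sqlite3

# Constructed, minimal stand-in for the base alert tables a contrib script
# creates; the real scripts create more tables than are listed here.
BASE_TABLES = ("schema", "sensor", "event", "signature", "iphdr", "data")


def open_constructed_db(vseq_rows, extra_tables=()):
    """Build an in-memory database imitating one created by a contrib script.
    vseq_rows: schema versions inserted (a clean database has exactly one).
    extra_tables: additional table names, e.g. ones copied from a newer script."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "schema" (vseq INTEGER PRIMARY KEY, ctime TEXT NOT NULL)')
    for name in BASE_TABLES[1:]:
        conn.execute(f"CREATE TABLE {name} (id INTEGER PRIMARY KEY)")
    for name in extra_tables:
        conn.execute(f"CREATE TABLE {name} (id INTEGER PRIMARY KEY)")
    for v in vseq_rows:
        conn.execute('INSERT INTO "schema" (vseq, ctime) VALUES (?, datetime(\'now\'))', (v,))
    conn.commit()
    return conn


def table_names(conn):
    """All user tables in the database (sqlite_master is sqlite's catalogue)."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return {r[0] for r in rows}


def check_database(conn, expected_vseq):
    """Return a list of problems; an empty list means the database carries
    exactly schema version expected_vseq and shows no sign of mixed tables."""
    problems = []
    tables = table_names(conn)
    if "schema" not in tables:
        return ["no `schema` table: database was not created by a contrib script"]
    versions = [r[0] for r in conn.execute('SELECT vseq FROM "schema" ORDER BY vseq')]
    if not versions:
        problems.append("`schema` table is empty: cannot determine schema version")
    elif len(versions) > 1:
        # Several version rows means more than one create script touched this
        # database; ACID's version detection cannot be trusted on it.
        problems.append(f"multiple schema version rows {versions}: tables from "
                        "more than one schema appear to have been mixed")
    elif versions[0] != expected_vseq:
        problems.append(f"schema version mismatch: database is v{versions[0]}, "
                        f"this Snort expects v{expected_vseq}")
    missing = set(BASE_TABLES) - tables
    if missing:
        problems.append(f"missing base tables: {sorted(missing)}")
    unknown = tables - set(BASE_TABLES)
    if unknown:
        problems.append(f"tables not in the expected schema: {sorted(unknown)}; "
                        "do not add newer-schema tables to an older database")
    return problems


if __name__ == "__main__":
    clean = open_constructed_db([102])
    print("clean v102 db, Snort expecting v102:", check_database(clean, 102))
    older = open_constructed_db([102])
    print("v102 db, Snort whose script creates v101:", check_database(older, 101))
    mixed = open_constructed_db([101, 102], extra_tables=["hypothetical_v102_table"])
    print("mixed db, Snort expecting v101:", check_database(mixed, 101))
```

The second case is the situation asked about in the thread (a v102 database behind a Snort whose script creates an older schema) and is reported as a version mismatch rather than silently accepted; the third shows why the post says to create a fresh database instead of adding tables, since two version rows and a stray table make the version undecidable. The version numbers other than 102 are placeholders chosen for the example, not a statement of which schema Snort 1.7 shipped.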