[Snort-users] SnortDB schema vs. Snort XML schema.

patrick.n.fitzgerald.1 pfitzge1 at ...301...
Mon Jun 11 10:30:45 EDT 2001

Hello all,

I've noticed that the two data models (snortDB and Snort XML) are not
compatible, at least according to the most recent (release)
documentation. Also, I've noticed that the XML output by snort is not
valid according to the DTD at http://www.cert.org/DTD/snml-1.0.dtd
(it contains an "option" element which is not listed in the DTD), and
that the DTD itself looks a little bit strange (it has a duplicate
ELEMENT? I thought this was against the spec...)
The project I'm working on (CERIAS IRDB
https://www.cerias.purdue.edu/irdb/ ) is trying to support snort, but we
would really like to avoid reinventing as many wheels as possible. There
are security concerns within our organization (and hopefully many others)
with respect to giving just anyone access to the DB server, so we are
trying to implement a module in our database to receive XML formatted
alerts from snort via https into the database, where both our DB and
the ACID package will be able to make use of the data.

Are there any plans to make the two data models more similar or at the
very least more self-consistent soon? I could probably kludge something
together to make one schema fit inside the other, but if this work is
already being done elsewhere I would rather not duplicate the effort.

Any information you can give will be appreciated.

Patrick Fitzgerald

     "Flood pinging the broadcast address is not recommended." -- ping(1)

