[Snort-users] Efficiency of acid_event

Michael T. Babcock mbabcock at ...7798...
Wed Dec 18 09:04:10 EST 2002


In the table acid_event, since sig_name is the only value that is 
variable sized, would it not make the table much more efficient to use 
an ID reference to another table for the signature name?  Assuming that 
the data from acid_event is used without the sig_name in some or many 
queries (unknown to me; this may invalidate the comment), queries using 
acid_event would be faster (at least on MySQL) if this table were 
entirely fixed-length rows.

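CREATE TABLE acid_event_sig_name (
-- smallint, not tinyint: a tinyint unsigned auto_increment key stops at 255 signatures
sig_id smallint unsigned not null auto_increment primary key,
sig_name varchar(255)
);

-- one lookup row per distinct signature name
INSERT INTO acid_event_sig_name (sig_name) SELECT DISTINCT(sig_name) 
from acid_event;

-- fixed-width reference column in acid_event
ALTER TABLE acid_event add sig_id smallint unsigned not null after sig_name;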

... just a thought.  Comments?  (I'm not subscribed to the list, so 
please CC me).

-- 
Michael T. Babcock
C.T.O., FibreSpeed Ltd.
http://www.fibrespeed.net/~mbabcock
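
Added example, not part of the original post or of ACID's own schema: the proposal above carried through to a fixed-length acid_event in MySQL, including the backfill and the removal of sig_name that the post leaves out. The reduced acid_event definition and its sample rows are constructed for illustration, and it assumes every query that reads sig_name is changed to join the lookup table.

```sql
-- Constructed, reduced stand-in for acid_event (the real table has more columns).
CREATE TABLE acid_event (
  sid       INT UNSIGNED NOT NULL,
  cid       INT UNSIGNED NOT NULL,
  sig_name  VARCHAR(255),
  timestamp DATETIME NOT NULL,
  PRIMARY KEY (sid, cid)
);
INSERT INTO acid_event VALUES          -- constructed sample alerts
  (1, 1, 'ICMP PING NMAP', '2002-12-18 09:00:01'),
  (1, 2, 'SCAN SYN FIN',   '2002-12-18 09:00:07'),
  (1, 3, 'ICMP PING NMAP', '2002-12-18 09:01:12'),
  (1, 4, NULL,             '2002-12-18 09:02:30');

-- Lookup table. SMALLINT UNSIGNED holds 65535 names and keeps rows fixed-width
-- on the acid_event side; the UNIQUE key stops duplicate names creeping in later.
CREATE TABLE acid_event_sig_name (
  sig_id   SMALLINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  sig_name VARCHAR(255),
  UNIQUE KEY (sig_name)
);
INSERT INTO acid_event_sig_name (sig_name)
  SELECT DISTINCT sig_name FROM acid_event;

-- Add the reference column. 0 marks "not yet mapped": AUTO_INCREMENT ids start at 1.
ALTER TABLE acid_event
  ADD sig_id SMALLINT UNSIGNED NOT NULL DEFAULT 0 AFTER sig_name;

-- Backfill. <=> is MySQL's NULL-safe equality, so alerts whose sig_name is NULL
-- are mapped to the NULL lookup row instead of being silently skipped.
UPDATE acid_event e
  JOIN acid_event_sig_name s ON s.sig_name <=> e.sig_name
   SET e.sig_id = s.sig_id;

-- Check before dropping anything: this count must be 0.
SELECT COUNT(*) AS unmapped FROM acid_event WHERE sig_id = 0;

-- Only now remove the variable-length column and index the new reference.
ALTER TABLE acid_event DROP COLUMN sig_name, ADD INDEX (sig_id);

-- Queries that need the name join the lookup; all others read fixed-length rows.
SELECT s.sig_name, COUNT(*) AS alerts, MAX(e.timestamp) AS last_seen
  FROM acid_event e
  JOIN acid_event_sig_name s ON s.sig_id = e.sig_id
 GROUP BY s.sig_id, s.sig_name
 ORDER BY alerts DESC;
```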





