[Snort-users] How to create the DB indices with postgresql

Daniel Lang dl at ...6187...
Thu Jun 27 05:15:17 EDT 2002


Hi,

sorry if this is FAQ (it was not answered in the Snort/ACID FAQ), and
geocrawler doesn't seem to support searching the archives, so after
some fruitless search, I dare to ask directly.

"ACID FAQ B-9 PostgreSQL optimizations" suggests adding
indexes to the databases, mentioning the fields that should
have indexes created.

Now I'm not an SQL expert, and I'm not sure how to create these
indexes.

The CREATE INDEX command needs a name for the created index, and
I don't know if the name needs to be a specific one.

For the first field (event.timestamp) I tried:

 CREATE INDEX event_timestamp ON event (timestamp); 

and the like for the other fields, but it did not seem
to result in any benefit. Also I sometimes got error messages
regarding a 'unique index' (I did not specify UNIQUE anywhere).

Further some field descriptions from the FAQ are mysterious to me:

(DB schema < v103) iphdr.ip_src0 + iphdr.ip_src1 + iphdr.ip_src2 + iphdr.ip_src3

This seems to be required only if the schema version is below 103?
As far as I can tell, I'm using 105, so I just omitted them.

Also I'm not sure, what is meant by:

acid_ag_alert.ag_sid + acid_ag_alert.ag_cid

The addition of an index or concatenation? How would one
specify that suggestion?

Please clarify if the names of the indexes are important, and
which names to use, and how to create these '+' connected
indexes. 

Thanks a lot.

Best regards,
 Daniel
-- 
IRCnet: Mr-Spock              - Truth lies in the eye of the beholder - 
*Daniel Lang * dl at ...6187... * +49 89 289 25735 * http://www.leo.org/~dl/*
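As an added example (not part of Daniel's post or of the ACID FAQ), this is how the indexes in question would be created in PostgreSQL, reading the '+' in the FAQ as a multi-column index over the listed columns. The table and column names are those quoted in the post; the index names are arbitrary labels chosen here.

```sql
-- Added example, not from the original post. Index names are free-form
-- identifiers; the only constraint is that the name is not already used by
-- another relation (table, sequence or index) in the same schema.
CREATE INDEX event_timestamp_idx ON event (timestamp);

-- "acid_ag_alert.ag_sid + acid_ag_alert.ag_cid" read as one multi-column
-- index: a single index covering both columns, in the order given.
CREATE INDEX acid_ag_alert_sid_cid_idx ON acid_ag_alert (ag_sid, ag_cid);

-- Only for DB schema versions below 103, per the FAQ entry quoted above:
-- the four source-address octets as one composite index.
CREATE INDEX iphdr_ip_src_idx ON iphdr (ip_src0, ip_src1, ip_src2, ip_src3);

-- List the indexes that now exist on a table, with their definitions,
-- to confirm each CREATE INDEX took effect (pg_indexes is a system view).
SELECT indexname, indexdef
  FROM pg_indexes
 WHERE tablename = 'acid_ag_alert';

-- Ask the planner whether it actually uses the new index for a lookup on
-- both columns (the literal values here are constructed samples).
EXPLAIN SELECT * FROM acid_ag_alert WHERE ag_sid = 1 AND ag_cid = 42;
```

If the EXPLAIN output still shows a sequential scan after the tables have grown, running ANALYZE on the tables lets the planner see the current statistics before judging whether the index helps.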



