[Snort-users] Base Barnyard and Unified Logs

Dirk Geschke Dirk_Geschke at ...1344...
Wed Mar 30 07:26:36 EST 2005


Hi Wes,

> err not CID, sorry didn't have the table in front of me.. the sig_id.
> 
> I realize that all the other tables are involved with the sig_id
> (obviously) hense the plugin re-write. Theoretically the SIG_SID and
> SIG_ID are the same, just diff values. Again, this is dealing with the
> SIGNATURE TABLE, everything now seems to rely on the SIG_ID instead of
> the SIG_SID, that was my whole point. So instead of auto-incrementing
> the SIG_ID in the table, make it equal to the SIG_ID upon insertion
> until we can safely get rid of it.

once more: Even this view is not correct at all...

The SIG_ID and SIG_SID are not the same. The big difference is that
you may have the same signature ID with different revisions. Hence
the keyword "rev". But you also get a new SIG_ID if you change the
classification and more worse the priority.

If you use several snort sensors it may be a good idea to use even
several priorities. A web attack in front of a mail server would
get a minor priority than against a webserver.

So, there is a good reason for this. And I don't think that this
design is the bottleneck of the database.

This is more the combination of the sensor ID and the counter per
sensor, hence the SID/CID pair.

Best regards

Dirk





More information about the Snort-users mailing list