Snort mailing list archives

Re: Snort database schema depends on snort's version?


From: roman () danyliw com
Date: Sun, 10 Jun 2001 15:08:31 US/Eastern

> The many tables used by snort and ACID are created by
> scripts in /contrib, and they also define the database schema.

Actually, the /contrib/create_* scripts create the tables
which snort will require to store the raw alert information.
Any ACID specific meta-information tables are created the first
time ACID is started.

> How much does this depend on snort's version?
> Specifically, could I
> use a 102 schema (which I think is the latest) with snort-1.7 or
> should I upgrade to some 1.8beta version?

They are very much dependent.  While any tables created by ACID
are valid for any version of Snort (i.e. 1.7, 1.8beta*), the
same is not true for the base alert tables (those created by
the /contrib script).  Usually only the script which came in the 
/contrib directory is valid for that particular version of snort.  
Thus, schema v102 _cannot_ be used with Snort 1.7.  Schema 
version 102 was introduced in a Snort 1.8beta and is NOT 
backwards compatible.  In order to use a newer schema, an 
upgrade in Snort is required.

All this being said, ACID can detect the schema version of the
database and will act accordingly.  However, it is important
not to mix or selectively add tables from a newer schema version
into an older version database.  This will result in incorrect
version detection.  Rather, when a new schema is introduced
a new database instance should be created.  Then, if migration
scripts are available, move the old data over.

I hope this clears things up,
Roman




