Snort mailing list archives
Question about the database structure - OT?
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Mon, 17 Mar 2003 13:18:36 -0600
I'm working on a perl script to archive the mysql database based on a selected timeframe, and I've got a question about the signature table.

The first 398 sigs appear to be "static". That is, each signature number refers to a specific signature that corresponds to the "sid:" value that you find in the rules. However, there are another 15,000 signatures that were fed to the database by the spp_portscan2 preprocessor. Each of these sigs is unique and has both a timestamp and a source IP address.

This use of mixed data creates a problem when trying to archive. For the static tables (such as reference, sig_class, etc.) I can do the equivalent of a SELECT * INTO OUTFILE 'some_file' FROM 'table' from the active database and then use LOAD DATA to upload the file into the archive database. (This keeps the reference data such as sig_reference, sig_class, etc. "synched" between the two databases.) However, this one table throws that scheme out of whack, because some of the data are static and some are dynamic and tied to specific events.

Did I do something wrong in my setup that threw the spp_portscan2 stuff into that table? Or is that by design? Is there a way to exclude writes to the db for portscan data?

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
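The archive procedure the post describes, worked through as an added example that is not part of the post or of Snort's own tooling. It assumes the Snort/ACID MySQL schema of that era (signature keyed by sig_id, event keyed by (sid, cid) with a signature column and a DATETIME timestamp, per-packet tables iphdr, tcphdr, udphdr, icmphdr and data keyed by (sid, cid)), and that the live and archive databases are named snort and snort_archive on the same server, so INSERT ... SELECT stands in for the poster's SELECT ... INTO OUTFILE plus LOAD DATA. The database names, window values and the orphan check are assumptions for illustration; the same WHERE and JOIN clauses go into the INTO OUTFILE query if the archive lives on another server. The point is that the signature table is never copied wholesale: only rows that an event in the window actually references are carried over, so the per-scan rows that spp_portscan2 inserts travel with their events instead of polluting every archive run.

```sql
-- Added example (not from the post or from Snort): archive one time window
-- from the live `snort` database into `snort_archive` on the same server.
-- Assumed (not given in the post): Snort/ACID schema column names, database
-- names, the window below, and that the archive tables already exist with
-- the same definitions. Written for MySQL 4.0-era syntax (joins, no subqueries).

SET @t0 = '2003-03-01 00:00:00';   -- window start, inclusive (assumed value)
SET @t1 = '2003-03-08 00:00:00';   -- window end, exclusive (assumed value)

-- 1. Reference data that is not tied to any event: copy wholesale.
--    INSERT IGNORE skips rows the archive already holds under the same
--    primary key, so sig_class_id / ref_id values stay identical in both.
INSERT IGNORE INTO snort_archive.sig_class        SELECT * FROM snort.sig_class;
INSERT IGNORE INTO snort_archive.reference_system SELECT * FROM snort.reference_system;
INSERT IGNORE INTO snort_archive.reference        SELECT * FROM snort.reference;
INSERT IGNORE INTO snort_archive.sig_reference    SELECT * FROM snort.sig_reference;

-- 2. The signature table mixes rule signatures with the one-off rows written
--    by spp_portscan2, so it is NOT copied wholesale. Copy exactly the rows
--    that some event inside the window points at; sig_id is preserved, so
--    event.signature resolves identically in the archive.
INSERT IGNORE INTO snort_archive.signature
SELECT DISTINCT s.*
  FROM snort.signature AS s
  JOIN snort.event     AS e ON e.signature = s.sig_id
 WHERE e.timestamp >= @t0 AND e.timestamp < @t1;

-- 3. The events themselves, then every per-event table keyed by (sid, cid).
INSERT IGNORE INTO snort_archive.event
SELECT * FROM snort.event
 WHERE timestamp >= @t0 AND timestamp < @t1;

INSERT IGNORE INTO snort_archive.iphdr
SELECT i.* FROM snort.iphdr AS i
  JOIN snort.event AS e ON e.sid = i.sid AND e.cid = i.cid
 WHERE e.timestamp >= @t0 AND e.timestamp < @t1;

INSERT IGNORE INTO snort_archive.tcphdr
SELECT t.* FROM snort.tcphdr AS t
  JOIN snort.event AS e ON e.sid = t.sid AND e.cid = t.cid
 WHERE e.timestamp >= @t0 AND e.timestamp < @t1;

INSERT IGNORE INTO snort_archive.udphdr
SELECT u.* FROM snort.udphdr AS u
  JOIN snort.event AS e ON e.sid = u.sid AND e.cid = u.cid
 WHERE e.timestamp >= @t0 AND e.timestamp < @t1;

INSERT IGNORE INTO snort_archive.icmphdr
SELECT c.* FROM snort.icmphdr AS c
  JOIN snort.event AS e ON e.sid = c.sid AND e.cid = c.cid
 WHERE e.timestamp >= @t0 AND e.timestamp < @t1;

INSERT IGNORE INTO snort_archive.data
SELECT d.* FROM snort.data AS d
  JOIN snort.event AS e ON e.sid = d.sid AND e.cid = d.cid
 WHERE e.timestamp >= @t0 AND e.timestamp < @t1;

-- 4. Check before deleting anything from the live database: every archived
--    event must resolve its signature in the archive. Expect 0 here.
SELECT COUNT(*) AS orphaned_events
  FROM snort_archive.event     AS e
  LEFT JOIN snort_archive.signature AS s ON s.sig_id = e.signature
 WHERE s.sig_id IS NULL;

-- 5. Only if step 4 returned 0: prune the window from the live tables,
--    child tables first, event last. Multi-table DELETE needs MySQL >= 4.0.
DELETE i FROM snort.iphdr AS i
  JOIN snort.event AS e ON e.sid = i.sid AND e.cid = i.cid
 WHERE e.timestamp >= @t0 AND e.timestamp < @t1;
DELETE t FROM snort.tcphdr AS t
  JOIN snort.event AS e ON e.sid = t.sid AND e.cid = t.cid
 WHERE e.timestamp >= @t0 AND e.timestamp < @t1;
DELETE u FROM snort.udphdr AS u
  JOIN snort.event AS e ON e.sid = u.sid AND e.cid = u.cid
 WHERE e.timestamp >= @t0 AND e.timestamp < @t1;
DELETE c FROM snort.icmphdr AS c
  JOIN snort.event AS e ON e.sid = c.sid AND e.cid = c.cid
 WHERE e.timestamp >= @t0 AND e.timestamp < @t1;
DELETE d FROM snort.data AS d
  JOIN snort.event AS e ON e.sid = d.sid AND e.cid = d.cid
 WHERE e.timestamp >= @t0 AND e.timestamp < @t1;
DELETE FROM snort.event WHERE timestamp >= @t0 AND timestamp < @t1;
```

Run the block from a perl script in that order inside LOCK TABLES (the tables of that period were MyISAM, so there is no transaction to roll back), and treat the step 4 count as a hard stop: the pruning DELETEs must not run unless it is 0. The live signature table is deliberately left untouched, since Snort looks rows up by name and re-inserts missing ones with a new sig_id, which would break the sig_id alignment between the two databases that the post is trying to keep.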
Current thread:
- Question about the database structure - OT? Schmehl, Paul L (Mar 17)
- <Possible follow-ups>
- RE: Question about the database structure - OT? Schmehl, Paul L (Mar 17)