I think that schema discussions are extremely premature since we still haven't decided what we're even recording.<br><br>--Martin<br><br><div class="gmail_quote">On Tue, Oct 28, 2008 at 11:54 AM, Matt Jonkman <span dir="ltr"><<a href="mailto:jonkman@jonkmans.com">jonkman@jonkmans.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">I wonder if we ought to build several db schema's for different goals.<br>
<br>
I'm not a deep-down sql expert (we'll get one involved when we get<br>
here), but I suspect if your goal is different a different schema will<br>
do best.<br>
<br>
For instance, if you intend to keep every alert ever generated for<br>
historical comparison you need one schema to keep it snappy. If you<br>
intend to have a smaller number of alerts but a massive number of<br>
sensors inserting frequently then you may need a different structure.<br>
<br>
So perhaps we should build several schemas and let you choose at setup.<br>
Then the engine just reads the version tag and inserts in that form.<br>
<br>
Any sql guru's that could speak more to this?<br>
<font color="#888888"><br>
Matt<br>
</font><div><div></div><div class="Wj3C7c"><br>
James McQuaid wrote:<br>
> I'm *still* listening... please continue.<br>
><br>
> Message: 3<br>
> Frank Knobbe wrote:<br>
>> No, that's a bad idea (at least if you talk about Snort). If you create<br>
>> new/different message texts, Snort will create a new entry in the<br>
>> signature table (unique to msg+gid+sid+rev). Also, you would not get the<br>
>> same text with barnyard or in barnyard (and probably flop) based<br>
>> installs since BY only reports the sid (the msg is pulled from the<br>
>> sid-msg.map file).<br>
><br>
> We are not talking snort. This is totally different.<br>
><br>
> And we'll definitely not use a db schema with this issue.<br>
><br>
> Matt<br>
><br>
>> While you could of course fork barnyard, my concern would be the bloat<br>
>> of the signature table due to unique msg texts.<br>
>><br>
><br>
> No forking here, all new.<br>
><br>
> Everything from the pattern matcher on up. :)<br>
><br>
> Matt<br>
><br>
><br>
> --<br>
> --------------------------------------------<br>
> Matthew Jonkman<br>
> Emerging Threats<br>
> Phone 765-429-0398<br>
> Fax 312-264-0205<br>
> <a href="http://www.emergingthreats.net" target="_blank">http://www.emergingthreats.net</a><br>
><br>
><br>
> --------------------------------------------<br>
><br>
> PGP: <a href="http://www.jonkmans.com/mattjonkman.asc" target="_blank">http://www.jonkmans.com/mattjonkman.asc</a><br>
><br>
><br>
><br>
><br>
><br>
<br>
--<br>
--------------------------------------------<br>
Matthew Jonkman<br>
Emerging Threats<br>
Phone 765-429-0398<br>
Fax 312-264-0205<br>
<a href="http://www.emergingthreats.net" target="_blank">http://www.emergingthreats.net</a><br>
--------------------------------------------<br>
<br>
PGP: <a href="http://www.jonkmans.com/mattjonkman.asc" target="_blank">http://www.jonkmans.com/mattjonkman.asc</a><br>
<br>
<br>
</div></div><div><div></div><div class="Wj3C7c">_______________________________________________<br>
Discussion mailing list<br>
<a href="mailto:Discussion@openinfosecfoundation.org">Discussion@openinfosecfoundation.org</a><br>
<a href="http://lists.openinfosecfoundation.org/mailman/listinfo/discussion" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/discussion</a><br>
</div></div></blockquote></div><br>