[Discussion] not a db schema

Matt Jonkman jonkman at jonkmans.com
Tue Oct 28 16:54:57 UTC 2008


I wonder if we ought to build several db schemas for different goals.

I'm not a deep-down sql expert (we'll get one involved when we get
here), but I suspect if your goal is different a different schema will
do best.

For instance, if you intend to keep every alert ever generated for
historical comparison you need one schema to keep it snappy. If you
intend to have a smaller number of alerts but a massive number of
sensors inserting frequently then you may need a different structure.

So perhaps we should build several schemas and let you choose at setup.
Then the engine just reads the version tag and inserts in that form.

Any sql gurus that could speak more to this?

Matt

James McQuaid wrote:
> I'm *still* listening... please continue.
> 
> Message: 3
> Frank Knobbe wrote:
>> No, that's a bad idea (at least if you talk about Snort). If you create
>> new/different message texts, Snort will create a new entry in the
>> signature table (unique to msg+gid+sid+rev). Also, you would not get the
>> same text with barnyard or in barnyard (and probably flop) based
>> installs since BY only reports the sid (the msg is pulled from the
>> sid-msg.map file).
> 
> We are not talking snort. This is totally different.
> 
> And we'll definitely not use a db schema with this issue.
> 
> Matt
> 
>> While you could of course fork barnyard, my concern would be the bloat
>> of the signature table due to unique msg texts.
>>
> 
> No forking here, all new.
> 
> Everything from the pattern matcher on up. :)
> 
> Matt
> 
> 
> --
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> 
> 
> --------------------------------------------
> 
> PGP: http://www.jonkmans.com/mattjonkman.asc
> 
> 
> 
> 
> 

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
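The idea above (several schemas selected at setup, with the engine reading a version tag to decide how to insert) can be sketched as DDL. This is an added example and not code from the thread or from Emerging Threats; table names, column names and the PostgreSQL types (INET, BIGINT) are assumptions. It also shows why the quoted Snort concern (one signature row per unique msg+gid+sid+rev) matters for the long-retention layout: message text is stored once in a lookup table, never on the alert row.

```sql
-- Added example (not from the thread). Assumes PostgreSQL syntax.
-- One version tag that the engine reads at startup to pick its insert form.
CREATE TABLE schema_info (
    version     TEXT      PRIMARY KEY,   -- e.g. 'history-v1' or 'throughput-v1'
    installed   TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP
);

-- Layout A: keep every alert ever generated, optimised for historical queries.
-- Signature text lives once here, keyed like a sid-msg.map (gid/sid/rev), so
-- editing a msg text changes one row instead of adding a row per alert.
CREATE TABLE signature (
    sig_id  INTEGER PRIMARY KEY,
    gid     INTEGER NOT NULL,
    sid     INTEGER NOT NULL,
    rev     INTEGER NOT NULL,
    msg     TEXT    NOT NULL,
    UNIQUE (gid, sid, rev)
);

CREATE TABLE alert_history (
    alert_id    BIGINT    PRIMARY KEY,
    sensor_id   INTEGER   NOT NULL,
    sig_id      INTEGER   NOT NULL REFERENCES signature (sig_id),
    ts          TIMESTAMP NOT NULL,
    src_ip      INET,
    dst_ip      INET,
    src_port    INTEGER,
    dst_port    INTEGER
);
-- Indexes pay off here because reads (comparison over time) dominate.
CREATE INDEX alert_history_ts      ON alert_history (ts);
CREATE INDEX alert_history_sig_ts  ON alert_history (sig_id, ts);

-- Layout B: fewer alerts retained, but many sensors inserting frequently.
-- No secondary indexes and no shared global sequence: each sensor numbers its
-- own rows, so concurrent inserters do not contend on one counter.
CREATE TABLE alert_fast (
    sensor_id   INTEGER   NOT NULL,
    sensor_seq  BIGINT    NOT NULL,
    gid         INTEGER   NOT NULL,
    sid         INTEGER   NOT NULL,
    rev         INTEGER   NOT NULL,
    ts          TIMESTAMP NOT NULL,
    src_ip      INET,
    dst_ip      INET,
    src_port    INTEGER,
    dst_port    INTEGER,
    PRIMARY KEY (sensor_id, sensor_seq)
);

-- Setup writes the tag once; the engine selects it to choose Layout A or B.
INSERT INTO schema_info (version) VALUES ('history-v1');
SELECT version FROM schema_info;
```

In this sketch only the version row differs between installs from the engine's point of view; everything else (which table to write, whether to resolve gid/sid/rev to a sig_id first) follows from that one lookup.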
