[Discussion] not a db schema

Martin Holste mcholste at gmail.com
Wed Oct 29 01:41:17 UTC 2008


I think that schema discussions are extremely premature since we still
haven't decided what we're even recording.

--Martin

On Tue, Oct 28, 2008 at 11:54 AM, Matt Jonkman <jonkman at jonkmans.com> wrote:

> I wonder if we ought to build several db schema's for different goals.
>
> I'm not a deep-down sql expert (we'll get one involved when we get
> here), but I suspect if your goal is different a different schema will
> do best.
>
> For instance, if you intend to keep every alert ever generated for
> historical comparison you need one schema to keep it snappy. If you
> intend to have a smaller number of alerts but a massive number of
> sensors inserting frequently then you may need a different structure.
>
> So perhaps we should build several schemas and let you choose at setup.
> Then the engine just reads the version tag and inserts in that form.
>
> Any sql guru's that could speak more to this?
>
> Matt
>
> James McQuaid wrote:
> > I'm *still* listening... please continue.
> >
> > Message: 3
> > Frank Knobbe wrote:
> >> No, that's a bad idea (at least if you talk about Snort). If you create
> >> new/different message texts, Snort will create a new entry in the
> >> signature table (unique to msg+gid+sid+rev). Also, you would not get the
> >> same text with barnyard or in barnyard (and probably flop) based
> >> installs since BY only reports the sid (the msg is pulled from the
> >> sid-msg.map file).
> >
> > We are not talking snort. This is totally different.
> >
> > And we'll definitely not use a db schema with this issue.
> >
> > Matt
> >
> >> While you could of course fork barnyard, my concern would be the bloat
> >> of the signature table due to unique msg texts.
> >>
> >
> > No forking here, all new.
> >
> > Everything from the pattern matcher on up. :)
> >
> > Matt
> >
> >
> > --
> > --------------------------------------------
> > Matthew Jonkman
> > Emerging Threats
> > Phone 765-429-0398
> > Fax 312-264-0205
> > http://www.emergingthreats.net
> >
> >
> > --------------------------------------------
> >
> > PGP: http://www.jonkmans.com/mattjonkman.asc
> >
> >
> >
> >
> >
>
> --
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> --------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
> _______________________________________________
> Discussion mailing list
> Discussion at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/discussion
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/discussion/attachments/20081028/af3e10c8/attachment-0002.html>


More information about the Discussion mailing list