Snort mailing list archives
Re: Snort database schema depends on snort's version?
From: roman () danyliw com
Date: Sun, 10 Jun 2001 15:08:31 US/Eastern
> The many tables used by snort and ACID are created by scripts in /contrib, and they also define the database schema.
Actually, the /contrib/create_* scripts create the tables which snort will require to store the raw alert information. Any ACID specific meta-information tables are created the first time ACID is started.
> How much does this depend on snort's version? Specifically, could I use a 102 schema (which I think is the latest) with snort-1.7 or should I upgrade to some 1.8beta version?
They are very much dependent. While any tables created by ACID are valid for any version of Snort (i.e. 1.7, 1.8beta*), the same is not true for the base alert tables (those created by the /contrib script). Usually only the script which came in the /contrib directory is valid for that particular version of snort. Thus, schema v102 _cannot_ be used with Snort 1.7. Schema version 102 was introduced in a Snort 1.8beta and is NOT backwards compatible. In order to use a newer schema, an upgrade in Snort is required.

All this being said, ACID can detect the schema version of the database and will act accordingly. However, it is important not to mix or selectively add tables from a newer schema version into an older version database. This will result in incorrect version detection. Rather, when a new schema is introduced a new database instance should be created. Then, if migration scripts are available, move the old data over.

I hope this clears things up,

Roman
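As an added illustration (not code from the post, Snort or ACID), the following Python script shows the kind of check the reply argues for: read the recorded schema version, compare it with the version the Snort build requires, and flag a database whose table inventory no longer matches its recorded version (the "mixed tables" case, which a version row alone cannot reveal). It assumes a `schema` table with a `vseq` column as the version marker, and the per-version table inventories are constructed placeholders, not the real table lists from the /contrib/create_* scripts. It uses an in-memory SQLite database so it runs offline.

```python
import sqlite3

# Constructed table inventories for two schema versions. These are illustrative
# stand-ins, NOT the real table lists from Snort's /contrib/create_* scripts.
EXPECTED_TABLES = {
    101: {"schema", "sensor", "event", "signature", "iphdr", "tcphdr",
          "udphdr", "icmphdr", "data"},
    102: {"schema", "sensor", "event", "signature", "iphdr", "tcphdr",
          "udphdr", "icmphdr", "data", "reference", "sig_reference"},
}


def create_sample_db(version):
    """Build an in-memory database laid out like a freshly created alert DB.

    Assumption: a `schema` table records the version in a `vseq` column.
    The other tables are created empty with one dummy column, which is all a
    table-inventory audit needs.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE schema (vseq INTEGER NOT NULL, ctime TEXT NOT NULL)")
    conn.execute("INSERT INTO schema (vseq, ctime) VALUES (?, datetime('now'))",
                 (version,))
    for name in sorted(EXPECTED_TABLES[version] - {"schema"}):
        conn.execute(f"CREATE TABLE {name} (id INTEGER PRIMARY KEY)")
    conn.commit()
    return conn


def detect_schema_version(conn):
    """Return the recorded schema version, or None if the marker is absent."""
    try:
        row = conn.execute("SELECT MAX(vseq) FROM schema").fetchone()
    except sqlite3.OperationalError:  # no schema table at all
        return None
    return row[0] if row else None


def list_tables(conn):
    """Set of user table names present in the database."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'").fetchall()
    return {r[0] for r in rows}


def audit_schema(conn, required_version):
    """Compare the DB against the version this Snort build requires.

    `version_ok` is the plain version match; `unexpected` lists tables that do
    not belong to the detected version (tables hand-added from another schema),
    and `missing` lists tables the detected version should have but lacks.
    """
    detected = detect_schema_version(conn)
    present = list_tables(conn)
    expected = EXPECTED_TABLES.get(detected, set())
    return {
        "detected": detected,
        "version_ok": detected == required_version,
        "missing": sorted(expected - present),
        "unexpected": sorted(present - expected),
    }


if __name__ == "__main__":
    # A v101 database into which a v102 table was added by hand: the version
    # row still says 101, so only the table inventory reveals the mix.
    db = create_sample_db(101)
    db.execute("CREATE TABLE reference (id INTEGER PRIMARY KEY)")
    print(audit_schema(db, required_version=102))
```

Running the script prints a report with `detected` 101, `version_ok` False and `reference` under `unexpected`; a clean v102 database audited against 102 reports no missing or unexpected tables. The point of separating the version row from the inventory check is exactly the failure mode the reply warns about: selectively adding newer tables leaves the version marker stale, so any consumer that trusts the marker alone (as ACID's detection does) is misled.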
Current thread:
- Snort database schema depends on snort's version? Andreas Hasenack (Jun 10)
- Re: Snort database schema depends on snort's version? roman (Jun 10)