Thread: [Secureideas-base-devel] Db Architecture
Brought to you by:
secureideas,
sinukas
From: Axton G. <axt...@gm...> - 2006-08-23 03:23:02
|
Some updates. After toying with partitioning in mysql, it's not as mature as similar features in oracle and does not offer the same benefits (mainly parallelism). With this said, the fastest model was via the use of a normalized model. Here are the other ideas I've been bouncing around in my head: Changes: * removed last_cid from sensor table * added sig_class.sig_class_priority * added sig_class.sig_class_desc * removed signature.sig_priority; this is a copy if sig_class * new tables * created a rule table to store rule information * this is valuable for reference * signature * stores sid-msg.map data for reference * generator * Snort Generator Ids (preprocessor) * generator_tag * subcategorization of the preprocessors * use db triggers to capture aggregate data for large datasets * capture event count per * sig_class * signature * sensor * tcp/udp/icmp packets * create a series of views to access common sets of data * renamed `schema` to control, since schema is a reserved word in sql * incorporation of newer database features: * fk constraints * removal of duplicate data (normalization) After reading through the snort and base sources, it seems the largest missing component in the db logging output is the snort specific data. After seeing what is out there (preprocessors, signature info, etc.), it seems that if this information were logged in tandem with the alert data, a tool (like base) could use this db to provide a front end that could easily be used to tune snort. For example, if when viewing an alert, you could see which preprocessor and rule were used to trigger that alert, it would be very useful in understanding why that alert was triggered. But I'm just a novice at this, so let me know what you think. So you have an idea of what I'm thinking, this is the current model. It is not yet functional and probably won't even run. Still lots of work left, but it's where I'm headed. Axton Grams --------------------------------------------------------------------- -- Revision: 1.1 -- -- Description: This is a redesign of the snortdb schema that -- contains some simplifications, incorporations of newer database -- features, -- * incorporate fk constraints -- * removal of duplicate data (more normalized) -- -- Compatability: MySQL 4.0+ -- -- Updates -- * removed last_cid from sensor table -- * added sig_class.sig_class_priority -- * added sig_class.sig_class_desc -- * removed signature.sig_priority; this is a copy if sig_class -- * new tables -- * created a rule table to store rule information -- * this is valuable for reference -- * signature -- * stores sid-msg.map data for reference -- * generators -- * Snort Generator Ids -- * use db triggers to capture aggregate data for large datasets -- * created a series of views to access common sets of data -- * renamed `schema` to control, since schema is a reserved word --------------------------------------------------------------------- -- CONTROL TABLES -- Stores the schema version -- version the version of the current schema -- ctime time the schema was crated or last updated CREATE TABLE control ( schema_v INT UNSIGNED NOT NULL, ctime DATETIME NOT NULL) ENGINE=InnoDB; --------------------------------------------------------------------- -- EVENT AND RELATED TABLES -- specifies a data encoding type (hex, base64, or ascii) used by the snort -- sensors -- encoding_type primary key, enumeration of encoding type see -- spo_database.c -- encoding_text text representation of the encoding_type enumeration CREATE TABLE encoding ( encoding_type TINYINT UNSIGNED NOT NULL, encoding_text TEXT NOT NULL, PRIMARY KEY (encoding_type) ENGINE=InnoDB; -- for the database output plugin, the level of data to store (full or fast) -- detail_type primary key, enumeration of detail type see spo_database.c -- detail_text text representation of the detail_type enumeration CREATE TABLE detail ( detail_type TINYINT UNSIGNED NOT NULL, detail_text TEXT NOT NULL, PRIMARY KEY (detail_type)) ENGINE=InnoDB; -- stores a list of all snort sensors that have logged to this database -- sid pk: sensor id -- hostname hostname/ip of the sensor -- filter ignore_bpf -- detail_type fk: detail.detail_type -- encoding_type fk: encoding.encoding_type CREATE TABLE sensor ( sid INT UNSIGNED NOT NULL AUTO_INCREMENT, hostname TEXT, interface TEXT, filter TEXT, detail_type TINYINT, encoding_type TINYINT, PRIMARY KEY (sid), FOREIGN KEY (encoding_type) REFERENCES encoding(encoding_type) ON UPDATE CASCADE ON DELETE CASCADE), FOREIGN KEY (detail_type) REFERENCES detail(detail_type) ON UPDATE CASCADE ON DELETE CASCADE) ENGINE=InnoDB; -- signature classifications -- sig_class_id pk: sequence -- sig_class_name -- sig_class_priority -- sig_class_desc CREATE TABLE sig_class ( sig_class_id INT UNSIGNED NOT NULL AUTO_INCREMENT, sig_class_name VARCHAR(60) NOT NULL, sig_class_priority INT NOT NULL, sig_class_desc VARCHAR(60) NOT NULL, PRIMARY KEY (sig_class_id)) ENGINE=InnoDB; -- the listing of preprocessors available in snort CREATE TABLE generator ( gen_id INT UNSIGNED NOT NULL, gen_name VARCHAR(60) NOT NULL, gen_desc VARCHAR(60) NOT NULL, PRIMARY KEY (gen_id)) ENGINE=InnoDB; -- the subcategorization of the preprocessor used to capture the event CREATE TABLE generator_tag ( gentag_id INT UNSIGNED NOT NULL, gentag_name VARCHAR(60) NOT NULL, gen_id INT UNSIGNED NOT NULL, PRIMARY KEY (gen_id), FOREIGN KEY (encoding_type) REFERENCES generator(gen_id) ON UPDATE CASCADE ON DELETE CASCADE)) ENGINE=InnoDB; -- signature signature -- sig_id pk: sequence -- sig_name -- sig_class_id -- sig_rev -- sig_sid -- sig_gid CREATE TABLE signature ( sig_id INT UNSIGNED NOT NULL AUTO_INCREMENT, sig_name VARCHAR(255) NOT NULL, sig_class_id INT UNSIGNED NOT NULL, sig_rev INT UNSIGNED, sig_sid INT UNSIGNED, sig_gid INT UNSIGNED, PRIMARY KEY (sig_id), FOREIGN KEY (sig_class_id) REFERENCES sig_class(sig_class_id) ON UPDATE CASCADE ON DELETE CASCADE) ENGINE=InnoDB; CREATE TABLE event ( eid INT UNSIGNED NOT NULL AUTO_INCREMENT, sid INT UNSIGNED NOT NULL, sig_id INT UNSIGNED NOT NULL, timestamp DATETIME NOT NULL, PRIMARY KEY (eid), FOREIGN KEY (sid) REFERENCES sensor(sid) ON UPDATE CASCADE ON DELETE RESTRICT, FOREIGN KEY (sig_id) REFERENCES signature(sig_id) ON UPDATE CASCADE ON DELETE CASCADE) ENGINE=InnoDB; CREATE TABLE data ( did INT UNSIGNED NOT NULL AUTO_INCREMENT, sid INT UNSIGNED NOT NULL, eid INT UNSIGNED NOT NULL, data_payload TEXT, PRIMARY KEY (did), FOREIGN KEY (sid) REFERENCES sensor(sid) ON UPDATE CASCADE ON DELETE CASCADE, FOREIGN KEY (eid) REFERENCES event(eid) ON UPDATE CASCADE ON DELETE CASCADE) ENGINE=InnoDB; CREATE TABLE iphdr ( iphdrid INT UNSIGNED NOT NULL AUTO_INCREMENT, sid INT UNSIGNED NOT NULL, eid INT UNSIGNED NOT NULL, ip_src INT UNSIGNED NOT NULL, ip_dst INT UNSIGNED NOT NULL, ip_ver TINYINT UNSIGNED, ip_hlen TINYINT UNSIGNED, ip_tos TINYINT UNSIGNED, ip_len SMALLINT UNSIGNED, ip_id SMALLINT UNSIGNED, ip_flags TINYINT UNSIGNED, ip_off SMALLINT UNSIGNED, ip_ttl TINYINT UNSIGNED, ip_proto TINYINT UNSIGNED NOT NULL, ip_csum SMALLINT UNSIGNED, PRIMARY KEY (iphdrid), FOREIGN KEY (sid) REFERENCES sensor(sid) ON UPDATE CASCADE ON DELETE CASCADE, FOREIGN KEY (eid) REFERENCES event(eid) ON UPDATE CASCADE ON DELETE CASCADE) ENGINE=InnoDB; CREATE TABLE tcphdr ( tcphdrid INT UNSIGNED NOT NULL AUTO_INCREMENT, sid INT UNSIGNED NOT NULL, eid INT UNSIGNED NOT NULL, tcp_sport SMALLINT UNSIGNED NOT NULL, tcp_dport SMALLINT UNSIGNED NOT NULL, tcp_seq INT UNSIGNED, tcp_ack INT UNSIGNED, tcp_off TINYINT UNSIGNED, tcp_res TINYINT UNSIGNED, tcp_flags TINYINT UNSIGNED NOT NULL, tcp_win SMALLINT UNSIGNED, tcp_csum SMALLINT UNSIGNED, tcp_urp SMALLINT UNSIGNED, PRIMARY KEY (tcphdrid), FOREIGN KEY (sid) REFERENCES sensor(sid) ON UPDATE CASCADE ON DELETE CASCADE, FOREIGN KEY (eid) REFERENCES event(eid) ON UPDATE CASCADE ON DELETE CASCADE) ENGINE=InnoDB; CREATE TABLE udphdr ( udphdrid INT UNSIGNED NOT NULL AUTO_INCREMENT, sid INT UNSIGNED NOT NULL, eid INT UNSIGNED NOT NULL, udp_sport SMALLINT UNSIGNED NOT NULL, udp_dport SMALLINT UNSIGNED NOT NULL, udp_len SMALLINT UNSIGNED, udp_csum SMALLINT UNSIGNED, PRIMARY KEY (udphdrid), FOREIGN KEY (sid) REFERENCES sensor(sid) ON UPDATE CASCADE ON DELETE CASCADE, FOREIGN KEY (eid) REFERENCES event(eid) ON UPDATE CASCADE ON DELETE CASCADE) ENGINE=InnoDB; CREATE TABLE icmphdr ( icmphdrid INT UNSIGNED NOT NULL AUTO_INCREMENT, sid INT UNSIGNED NOT NULL, eid INT UNSIGNED NOT NULL, icmp_type TINYINT UNSIGNED NOT NULL, icmp_code TINYINT UNSIGNED NOT NULL, icmp_csum SMALLINT UNSIGNED, icmp_id SMALLINT UNSIGNED, icmp_seq SMALLINT UNSIGNED, PRIMARY KEY (icmphdrid), FOREIGN KEY (sid) REFERENCES sensor(sid) ON UPDATE CASCADE ON DELETE CASCADE, FOREIGN KEY (eid) REFERENCES event(eid) ON UPDATE CASCADE ON DELETE CASCADE) ENGINE=InnoDB; CREATE TABLE opt ( optid INT UNSIGNED NOT NULL AUTO_INCREMENT, sid INT UNSIGNED NOT NULL, eid INT UNSIGNED NOT NULL, opt_proto TINYINT UNSIGNED NOT NULL, opt_code TINYINT UNSIGNED NOT NULL, opt_len SMALLINT, opt_data TEXT, PRIMARY KEY (optid), FOREIGN KEY (sid) REFERENCES sensor(sid) ON UPDATE CASCADE ON DELETE CASCADE, FOREIGN KEY (eid) REFERENCES event(eid) ON UPDATE CASCADE ON DELETE CASCADE) ENGINE=InnoDB; --------------------------------------------------------------------- -- REFERENCE DATA CREATE TABLE reference_system ( ref_system_id INT UNSIGNED NOT NULL AUTO_INCREMENT, ref_system_name VARCHAR(20), PRIMARY KEY (ref_system_id)) ENGINE=InnoDB; CREATE TABLE reference ( ref_id INT UNSIGNED NOT NULL AUTO_INCREMENT, ref_system_id INT UNSIGNED NOT NULL, ref_tag TEXT NOT NULL, PRIMARY KEY (ref_id), FOREIGN KEY (ref_system_id) REFERENCES reference_system(ref_system_id) ON UPDATE CASCADE ON DELETE CASCADE) ENGINE=InnoDB; CREATE TABLE sig_reference ( sref_id INT UNSIGNED NOT NULL AUTO_INCREMENT, sig_id INT UNSIGNED NOT NULL, ref_seq INT UNSIGNED NOT NULL, ref_id INT UNSIGNED NOT NULL, PRIMARY KEY(sref_id), FOREIGN KEY (sig_id) REFERENCES signature(sig_id) ON UPDATE CASCADE ON DELETE CASCADE) ENGINE=InnoDB; --------------------------------------------------------------------- -- SUPPORTING/REQUIRED DATA INSERT INTO control (schema_v, ctime) VALUES ('107',now()); INSERT INTO encoding (encoding_type, encoding_text) VALUES (0,'hex'); INSERT INTO encoding (encoding_type, encoding_text) VALUES (1,'base64'); INSERT INTO encoding (encoding_type, encoding_text) VALUES (2,'ascii'); INSERT INTO detail (detail_type, detail_text) VALUES (0,'fast'); INSERT INTO detail (detail_type, detail_text) VALUES (1, full'); --------------------------------------------------------------------- -- SUPPORTING/REQUIRED DATA THAT SHOULD BE MAINTAINED BY SNORT, SINCE -- IT CAN CHANGE ON A RECURRING BASIS, DEPENDING ON THE PREPROCESSORS -- ,VERSION, SIGNATURES, ETC. INSERT INTO generator (gen_id, gen_name, gen_desc) VALUES (1,'rules_subsystem','Snort Rules Engine'); INSERT INTO generator (gen_id, gen_name, gen_desc) VALUES (2,'tag_subsystem','Tagging Subsystem'); INSERT INTO generator (gen_id, gen_name, gen_desc) VALUES (100,'portscan','Portscan1'); INSERT INTO generator (gen_id, gen_name, gen_desc) VALUES (101,'minfrag','Minfrag [ removed ]'); INSERT INTO generator (gen_id, gen_name, gen_desc) VALUES (102,'http_decode','HTTP decode 1/2'); INSERT INTO generator (gen_id, gen_name, gen_desc) VALUES (103,'defrag','First defragmenter [ removed ]'); INSERT INTO generator (gen_id, gen_name, gen_desc) VALUES (104,'spade','SPADE [ not included anymore ]'); INSERT INTO generator (gen_id, gen_name, gen_desc) VALUES (105,'bo','Back Orifice'); INSERT INTO generator (gen_id, gen_name, gen_desc) VALUES (106,'rpc_decode','RPC Preprocessor'); INSERT INTO generator (gen_id, gen_name, gen_desc) VALUES (107,'stream2','2nd stream preprocessor [removed]'); INSERT INTO generator (gen_id, gen_name, gen_desc) VALUES (108,'stream3','3rd stream preprocessor (AVL nightmare) [ removed ]'); INSERT INTO generator (gen_id, gen_name, gen_desc) VALUES (109,'telnet_neg','telnet option decoder'); INSERT INTO generator (gen_id, gen_name, gen_desc) VALUES (110,'unidecode','unicode decoder'); INSERT INTO generator (gen_id, gen_name, gen_desc) VALUES (111,'stream4','Stream4 preprocessor'); INSERT INTO generator (gen_id, gen_name, gen_desc) VALUES (112,'arpspoof','Arp Spoof detector'); INSERT INTO generator (gen_id, gen_name, gen_desc) VALUES (113,'frag2','2nd fragment preprocessor'); INSERT INTO generator (gen_id, gen_name, gen_desc) VALUES (114,'fnord','NOP detector [ removed ]'); INSERT INTO generator (gen_id, gen_name, gen_desc) VALUES (115,'asn1','ASN.1 Validator [ removed ]'); INSERT INTO generator (gen_id, gen_name, gen_desc) VALUES (116,'decode','Snort Internal Decoder'); INSERT INTO generator (gen_id, gen_name, gen_desc) VALUES (117,'scan2','portscan2'); INSERT INTO generator (gen_id, gen_name, gen_desc) VALUES (118,'conversation','conversation'); INSERT INTO generator (gen_id, gen_name, gen_desc) VALUES (119,'reserved','TBA'); INSERT INTO generator (gen_id, gen_name, gen_desc) VALUES (120,'reserved','TBA'); INSERT INTO generator (gen_id, gen_name, gen_desc) VALUES (121,'snmp','Andrew Baker's newer SNMP decoder'); INSERT INTO generator (gen_id, gen_name, gen_desc) VALUES (122,'sfportscan','Dan Roelkers portscan'); INSERT INTO generator (gen_id, gen_name, gen_desc) VALUES (123,'frag3','Marty Roesch's ip frag reassembler'); INSERT INTO generator (gen_id, gen_name, gen_desc) VALUES (124,'smtp','SMTP decoder/normalizer'); INSERT INTO generator (gen_id, gen_name, gen_desc) VALUES (125,'ftp','FTP decoder'); INSERT INTO generator (gen_id, gen_name, gen_desc) VALUES (126,'telnet','telnet decoder/normalizer'); |
From: Michael S. <ms...@ma...> - 2006-08-23 09:02:53
|
On Tue, Aug 22, 2006 at 11:22:53PM -0400, Axton Grams wrote: > * use db triggers to capture aggregate data for large datasets > * capture event count per > * sig_class > * signature > * sensor > * tcp/udp/icmp packets I wouldn't do this. For large datasets these numbers are truely useless. For small datasets they're quick to generate. There's no point in bogging things down by forcing everybody to generate them at the schema level. > eid INT UNSIGNED NOT NULL AUTO_INCREMENT, > did INT UNSIGNED NOT NULL AUTO_INCREMENT, > iphdrid INT UNSIGNED NOT NULL AUTO_INCREMENT, > tcphdrid INT UNSIGNED NOT NULL AUTO_INCREMENT, > udphdrid INT UNSIGNED NOT NULL AUTO_INCREMENT, > icmphdrid INT UNSIGNED NOT NULL AUTO_INCREMENT, > optid INT UNSIGNED NOT NULL AUTO_INCREMENT, > ref_id INT UNSIGNED NOT NULL AUTO_INCREMENT, > sref_id INT UNSIGNED NOT NULL AUTO_INCREMENT, I'd suggest not having a seperate id for each table--there's no need. Just have one id per event that's a key into each. Mike Stone |
From: Axton <axt...@gm...> - 2006-08-23 14:18:02
|
On 8/23/06, Michael Stone <ms...@ma...> wrote: > On Tue, Aug 22, 2006 at 11:22:53PM -0400, Axton Grams wrote: > > * use db triggers to capture aggregate data for large datasets > > * capture event count per > > * sig_class > > * signature > > * sensor > > * tcp/udp/icmp packets > > I wouldn't do this. For large datasets these numbers are truely useless. > For small datasets they're quick to generate. There's no point in > bogging things down by forcing everybody to generate them at the schema > level. Noted on the counters. I'm trying to isolate where the bottlenecks are within BASE that can be addressed, thought the counter values were some of the bottlenecks. If the aggregate model is flat (one record with one column per aggregate value), then the update is very fast, but it does add one or more additional updates per event, which could slow down the inserts. > > > eid INT UNSIGNED NOT NULL AUTO_INCREMENT, > > did INT UNSIGNED NOT NULL AUTO_INCREMENT, > > iphdrid INT UNSIGNED NOT NULL AUTO_INCREMENT, > > tcphdrid INT UNSIGNED NOT NULL AUTO_INCREMENT, > > udphdrid INT UNSIGNED NOT NULL AUTO_INCREMENT, > > icmphdrid INT UNSIGNED NOT NULL AUTO_INCREMENT, > > optid INT UNSIGNED NOT NULL AUTO_INCREMENT, > > ref_id INT UNSIGNED NOT NULL AUTO_INCREMENT, > > sref_id INT UNSIGNED NOT NULL AUTO_INCREMENT, > > I'd suggest not having a seperate id for each table--there's no need. > Just have one id per event that's a key into each. I was attempting to do two things: - reduce the primary key size - leave the possibility open for the data model to grow in any direction In the current schema, most of the tables to which I added an id were using a composite of the event_id and sendor_id as the pk. The idea (in my mind) is make the model normalized in the sense that each record in each table has it's own identity, and can be referenced by other tables if the data model grows in that direction. By using a composite (eid, cid) as the pk for the detail tables (e.g., iphdr), we are restricted from this type of growth . > > Mike Stone > Axton Grams |
From: Michael S. <ms...@ma...> - 2006-08-23 14:30:42
|
On Wed, Aug 23, 2006 at 10:17:53AM -0400, Axton wrote: >some of the bottlenecks. If the aggregate model is flat (one record >with one column per aggregate value), then the update is very fast, >but it does add one or more additional updates per event, which could >slow down the inserts. Bingo--it tremendously reduces the scalability of the inserts. >In the current schema, most of the tables to which I added an id were >using a composite of the event_id and sendor_id as the pk. The idea >(in my mind) is make the model normalized in the sense that each >record in each table has it's own identity, and can be referenced by >other tables if the data model grows in that direction. I'm not suggesting using a composite, I'm suggesting using *just* the eid for everything. That gives you a unique key for every row in each table, the relationships between them, and doesn't bloat up the table with a bunch of unnecessary keys. Mike Stone |
From: Axton G. <axt...@gm...> - 2006-08-26 01:33:41
|
Michael Stone wrote: > On Wed, Aug 23, 2006 at 11:40:20AM -0400, you wrote: >> What are your thoughts on the additional tables to store the rule, >> generator, generator_tag, and sid-msg.map data? Do you think this >> would be particularly useful information for use in the application >> presentation? > > I'm not sure why the generator table, e.g., isn't referenced from the > signature table. If it's not used by anything I don't see any point to > it. I'm also not sure I understand the references tables; why does the > sig_ref table exist at all, rather than the reference including the sig > id directly? > > Mike Stone > Lots of updates. Need someone with a critical eye to review what I have. Also, wasn't sure the best way to store ipv6 addresses (128bit), but used a varchar(16). Still working on a stored procedure that can be used to synthesize random data sets. There use of an intermediary reference table (was sig_reference, now ref_crossref) should become more clear now. It can allow the two base reference tables (system and reference) to store reference information for any record. Thanks, Axton Grams -- ------------------------------------------------------------------ -- Revision: 1.3 -- -- Description: This is a redesign of the snortdb schema that -- contains some simplifications, incorporations of newer database -- features, -- * incorporate fk constraints -- * removal of duplicate event_data (more normalized) -- -- Compatability: MySQL 4.0+ -- -- Updates 1.1 -- * removed last_cid from event_sensor table -- * added event_sigclass.sig_class_priority -- * added event_sigclass.sig_class_desc -- * removed event_signature.sig_priority; this is a copy if -- event_sigclass -- * new tables -- * created a rule table to store rule information -- * this is valuable for ref_references -- * event_signature -- * stores sid-msg.map event_data for ref_references -- * generators -- * Snort Generator Ids -- * use db triggers to capture aggregate event_data for large -- datasets -- * created a series of views to access common sets of event_data -- * renamed `schema` to snort_control, since schema is a reserved -- word -- ------------------------------------------------------------------ -- Updates 1.2 -- * split the opt table into two tables, one for ip and one for tcp -- * ip options - opt_ip -- * tcp options - snort_opt_tcp -- * corrected some invalid/missing pk/fk relationships -- * updated the address columns to be a event_data type of -- varchar(16) to allow it to store 128 bits of event_data with -- ipv6 addresses -- * added table for ipv6 headers - event_header_ipv6 -- * checked the format of icmp vs. icmpv6 and they are similar -- enough that the icmp tables can be shared for both protocols -- ------------------------------------------------------------------ -- Updates 1.3 -- * table names cleaned up -- * tables have one of three prefixes to denote their function -- * snort_ snort configuration data -- * ref_ external system reference data -- * event_ data pertaining to the environment(s) being logged -- * generator_tag table linked to events -- * column names cleaned up with a uniform naming style -- * because of the pk/fk constraints, it will probably be necessary -- for snort to check/load the config data at startup -- * added a new column to the control table to store the schema -- data version for this reason -- * comments added -- ------------------------------------------------------------------ -- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -- STATIC DATA TABLES/MANAGED BY SCHEMA VERSION -- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -- ------------------------------------------------------------------ -- TABLE: snort_control -- DESCRIPTION: Stores the schema control information -- COLUMNS: -- s_control_version_schema the version of the schema -- s_control_version_data the version of the schema -- s_control_created time schema was created -- s_control_created time schema was last updated -- ------------------------------------------------------------------ CREATE TABLE snort_control ( s_control_version INT UNSIGNED NOT NULL, s_control_created DATETIME NOT NULL, PRIMARY KEY (s_control_version)) ENGINE=InnoDB; -- ------------------------------------------------------------------ -- TABLE: snort_encoding -- DESCRIPTION: the format used to store event_data payload -- COLUMNS: -- s_encoding_type pk: enumeration of snort_encoding type -- 0 - hex -- 1 - base64 -- 2 - ascii -- description text representation of the type enumeration -- ------------------------------------------------------------------ CREATE TABLE snort_encoding ( s_encoding_type TINYINT UNSIGNED NOT NULL, s_encoding_description TEXT NOT NULL, PRIMARY KEY (s_encoding_type)) ENGINE=InnoDB; -- ------------------------------------------------------------------ -- TABLE: snort_detail -- DESCRIPTION: the database output plugin, the level of event_data -- to store -- COLUMNS: -- detail_type pk: enumeration of snort_detail type -- 0 - full -- 1 - fast -- detail_text text representation of the detail_type -- ------------------------------------------------------------------ CREATE TABLE snort_detail ( s_detail_type TINYINT UNSIGNED NOT NULL, s_detail_description TEXT NOT NULL, PRIMARY KEY (s_detail_type)) ENGINE=InnoDB; -- ------------------------------------------------------------------ -- TABLE: snort_option_ipv4 -- DESCRIPTION: ipv4 packet options descriptions -- http://www.iana.org/assignments/ip-parameters -- COLUMNS: -- s_option_ipv4_code option number (5 bits) -- s_option_ipv4_copy (1 bit) -- 0 - Do not copy -- 1 - Copy -- s_option_ipv4_class (2 bits) -- 0 - Control -- 1 - Reserved -- 2 - Debugging and measurement -- 3 - Reserved -- s_option_ipv4_value -- s_option_ipv4_name code/name of the option -- s_option_ipv4_desc descriptive name of the option -- s_option_ipv4_ref_id using reference system, references rfcs -- or other docs that describes the option -- ------------------------------------------------------------------ CREATE TABLE snort_option_ipv4 ( s_option_ipv4_code SMALLINT UNSIGNED NOT NULL, s_option_ipv4_copy TINYINT UNSIGNED, s_option_ipv4_class TINYINT UNSIGNED, s_option_ipv4_value TINYINT UNSIGNED, s_option_ipv4_name VARCHAR(10), s_option_ipv4_desc VARCHAR(50), s_option_ipv4_ref_id INT UNSIGNED, PRIMARY KEY (s_option_ipv4_code)) ENGINE=InnoDB; -- ------------------------------------------------------------------ -- TABLE: snort_option_tcp -- DESCRIPTION: tcp packet options descriptions -- http://www.iana.org/assignments/tcp-parameters -- COLUMNS: -- s_option_tcp_code option number (5 bits) -- s_option_tcp_length length of the option -- s_option_tcp_desc descriptive name of the option -- s_option_tcp_ref_id using reference system, references rfcs -- or other docs that describes the option -- ------------------------------------------------------------------ CREATE TABLE snort_option_tcp ( s_option_tcp_code SMALLINT UNSIGNED NOT NULL, s_option_tcp_length VARCHAR(5), s_option_tcp_desc VARCHAR(50), s_option_tcp_ref_id INT UNSIGNED, PRIMARY KEY (s_option_tcp_code)) ENGINE=InnoDB; -- ------------------------------------------------------------------ -- TABLE: snort_generator -- DESCRIPTION: preprocessors available in snort -- COLUMNS: -- s_generator_id pk: auto increment -- s_generator_name short name of the preprocessor -- s_generator_desc descriptive name of the preprocessor -- ------------------------------------------------------------------ CREATE TABLE snort_generator ( s_generator_id INT UNSIGNED NOT NULL, s_generator_name VARCHAR(60) NOT NULL, s_generator_desc VARCHAR(60) NOT NULL, PRIMARY KEY (s_generator_id)) ENGINE=InnoDB; -- ------------------------------------------------------------------ -- TABLE: snort_generator -- DESCRIPTION: preprocessors available in snort -- COLUMNS: -- s_generator_tag_id pk: auto-increment -- s_generator_id fk: snort_generator.s_generator_id -- s_generator_tag_subid subidentifier of s_generator_id; is -- unique per s_generator_id -- s_generator_tag_name name of the preprocessor subcat -- ------------------------------------------------------------------ CREATE TABLE snort_generator_tag ( s_generator_tag_id INT UNSIGNED NOT NULL AUTO_INCREMENT, s_generator_tag_subid INT UNSIGNED NOT NULL, s_generator_id INT UNSIGNED NOT NULL, s_generator_tag_name VARCHAR(60), PRIMARY KEY (s_generator_tag_id), FOREIGN KEY (s_generator_id) REFERENCES snort_generator(s_generator_id) ON UPDATE CASCADE ON DELETE CASCADE) ENGINE=InnoDB; -- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -- REFERENCE SYSTEMS / REFERENCE DATA -- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -- ------------------------------------------------------------------ -- TABLE: ref_system -- DESCRIPTION: a list of the external systems used for reference -- data -- COLUMNS: -- r_system_id pk: auto-increment -- r_system_name descriptive name for the system (e.g., nessus) -- ------------------------------------------------------------------ CREATE TABLE ref_system ( r_system_id INT UNSIGNED NOT NULL AUTO_INCREMENT, r_system_name VARCHAR(20), PRIMARY KEY (r_system_id)) ENGINE=InnoDB; -- ------------------------------------------------------------------ -- TABLE: ref_references -- DESCRIPTION: unique reference within a reference system -- COLUMNS: -- r_references_id pk: auto-increment -- r_system_id fk: ref_system.ref_system_id -- r_references_tag detail data to cross-reference system in -- ref_system -- ------------------------------------------------------------------ CREATE TABLE ref_references ( r_references_id INT UNSIGNED NOT NULL AUTO_INCREMENT, r_system_id INT UNSIGNED NOT NULL, r_references_tag TEXT NOT NULL, PRIMARY KEY (r_references_id), FOREIGN KEY (r_system_id) REFERENCES ref_system(r_system_id) ON UPDATE CASCADE ON DELETE CASCADE) ENGINE=InnoDB; -- ------------------------------------------------------------------ -- TABLE: ref_crossref -- DESCRIPTION: association table for reference systems to detail -- records -- COLUMNS: -- r_crossref_id pk: auto-increment -- r_references_id fk: ref_references.r_references_id -- r_crossref_type enumeration for the record type: -- 0 - signature -- 1 - tcp_header -- r_crossref_ext_id weak fk: the pk of the form to which the -- defined reference is associated (e.g., sig_id) -- ------------------------------------------------------------------ CREATE TABLE ref_crossref ( r_crossref_id INT UNSIGNED NOT NULL AUTO_INCREMENT, r_references_id INT UNSIGNED NOT NULL, r_crossref_type TINYINT UNSIGNED NOT NULL, r_crossref_ext_id INT UNSIGNED NOT NULL, PRIMARY KEY(r_crossref_id), FOREIGN KEY (r_references_id) REFERENCES ref_references(r_references_id) ON UPDATE CASCADE ON DELETE CASCADE) ENGINE=InnoDB; -- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -- EVENT AND RELATED TABLES -- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -- ------------------------------------------------------------------ -- TABLE: event_sensor -- DESCRIPTION: stores a list of all snort sensors that have logged -- to this -- COLUMNS: -- e_sensor_id pk: event_sensor id -- e_sensor_hostname hostname/ip of the event_sensor -- e_sensor_interface network interface -- e_sensor_filter ignore_bpf -- s_detail_type fk: snort_detail.s_detail_type -- s_encoding_type fk: snort_encoding.s_encoding_type -- ------------------------------------------------------------------ CREATE TABLE event_sensor ( e_sensor_id INT UNSIGNED NOT NULL AUTO_INCREMENT, e_sensor_hostname TEXT, e_sensor_interface TEXT, e_sensor_filter TEXT, s_detail_type TINYINT UNSIGNED, s_encoding_type TINYINT UNSIGNED, PRIMARY KEY (e_sensor_id), FOREIGN KEY (s_encoding_type) REFERENCES snort_encoding(s_encoding_type) ON UPDATE CASCADE ON DELETE CASCADE, FOREIGN KEY (s_detail_type) REFERENCES snort_detail(s_detail_type) ON UPDATE CASCADE ON DELETE CASCADE) ENGINE=InnoDB; -- ------------------------------------------------------------------ -- TABLE: event_sigclass -- DESCRIPTION: stores a list of unique signature classifications -- e.g., 2-attempted-recon. see classification.config -- COLUMNS: -- e_sigclass_id pk: auto-increment -- e_sigclass_name short name of the classification -- e_sigclass_priority priority configured for the classification -- e_sigclass_desc descriptive name fo the classification -- ------------------------------------------------------------------ CREATE TABLE event_sigclass ( e_sigclass_id INT UNSIGNED NOT NULL AUTO_INCREMENT, e_sigclass_name VARCHAR(60) NOT NULL, e_sigclass_priority INT NOT NULL, e_sigclass_desc VARCHAR(60) NOT NULL, PRIMARY KEY (e_sigclass_id)) ENGINE=InnoDB; -- ------------------------------------------------------------------ -- TABLE: event_signature -- DESCRIPTION: stores a list of unique signatures logged by all -- sensors. see sid-msg.map -- COLUMNS: -- e_sig_id pk: auto-increment -- e_sig_name -- e_sigclass_id -- e_sig_rev -- e_sig_sid -- e_sig_gid -- ------------------------------------------------------------------ CREATE TABLE event_signature ( e_sig_id INT UNSIGNED NOT NULL AUTO_INCREMENT, e_sig_name VARCHAR(255) NOT NULL, e_sigclass_id INT UNSIGNED NOT NULL, e_sig_rev INT UNSIGNED, e_sig_sid INT UNSIGNED, e_sig_gid INT UNSIGNED, PRIMARY KEY (e_sig_id), FOREIGN KEY (e_sigclass_id) REFERENCES event_sigclass(e_sigclass_id) ON UPDATE CASCADE ON DELETE CASCADE) ENGINE=InnoDB; -- ------------------------------------------------------------------ -- TABLE: event_event -- DESCRIPTION: alerts -- COLUMNS: -- e_event_id pk: eventid -- fk: event_event.e_event_id -- e_sensor_id fk: event_sendsor.e_sensor_id -- e_sig_id fk: event_signature.e_sig_id -- s_generator_tag_id fk: snort_generator_tag.s_generator_tag_id -- e_event_timestamp the time of the alert -- ------------------------------------------------------------------ CREATE TABLE event_event ( e_event_id INT UNSIGNED NOT NULL AUTO_INCREMENT, e_sensor_id INT UNSIGNED NOT NULL, e_sig_id INT UNSIGNED NOT NULL, s_generator_tag_id INT UNSIGNED NOT NULL, e_event_timestamp DATETIME NOT NULL, PRIMARY KEY (e_event_id), FOREIGN KEY (e_sensor_id) REFERENCES event_sensor(e_sensor_id) ON UPDATE CASCADE ON DELETE RESTRICT, FOREIGN KEY (e_sig_id) REFERENCES event_signature(e_sig_id) ON UPDATE CASCADE ON DELETE CASCADE, FOREIGN KEY (s_generator_tag_id) REFERENCES snort_generator_tag(s_generator_tag_id) ON UPDATE CASCADE ON DELETE CASCADE) ENGINE=InnoDB; -- ------------------------------------------------------------------ -- TABLE: event_data -- DESCRIPTION: stores packet payload for events -- COLUMNS: -- e_event_id pk: eventid -- fk: event_event.e_event_id -- e_data_payloadthe packet contents that triggered an alert -- ------------------------------------------------------------------ CREATE TABLE event_data ( e_event_id INT UNSIGNED NOT NULL, e_data_payload TEXT, PRIMARY KEY (e_event_id), FOREIGN KEY (e_event_id) REFERENCES event_event(e_event_id) ON UPDATE CASCADE ON DELETE CASCADE) ENGINE=InnoDB; -- ------------------------------------------------------------------ -- TABLE: event_header_ipv4 -- DESCRIPTION: stores ipv4 packet header data for events -- COLUMNS: -- e_event_id pk: eventid -- fk: event_event.e_event_id -- e_header_ipv4_src source ip address (32-bit) -- e_header_ipv4_dst destination ip address (32-bit) -- e_header_ipv4_ver -- e_header_ipv4_hlen -- e_header_ipv4_tos -- e_header_ipv4_len -- e_header_ipv4_id -- e_header_ipv4_flags -- e_header_ipv4_off -- e_header_ipv4_ttl -- e_header_ipv4_proto -- e_header_ipv4_csum -- ------------------------------------------------------------------ CREATE TABLE event_header_ipv4 ( e_event_id INT UNSIGNED NOT NULL, e_header_ipv4_src INT UNSIGNED NOT NULL, e_header_ipv4_dst INT UNSIGNED NOT NULL, e_header_ipv4_ver TINYINT UNSIGNED, e_header_ipv4_hlen TINYINT UNSIGNED, e_header_ipv4_tos TINYINT UNSIGNED, e_header_ipv4_len SMALLINT UNSIGNED, e_header_ipv4_id SMALLINT UNSIGNED, e_header_ipv4_flags TINYINT UNSIGNED, e_header_ipv4_off SMALLINT UNSIGNED, e_header_ipv4_ttl TINYINT UNSIGNED, e_header_ipv4_proto TINYINT UNSIGNED NOT NULL, e_header_ipv4_csum SMALLINT UNSIGNED, PRIMARY KEY (e_event_id), FOREIGN KEY (e_event_id) REFERENCES event_event(e_event_id) ON UPDATE CASCADE ON DELETE CASCADE) ENGINE=InnoDB; -- ------------------------------------------------------------------ -- TABLE: event_header_ipv6 -- DESCRIPTION: stores ipv6 packet header data for events -- COLUMNS: -- e_event_id pk: eventid -- fk: event_event.e_event_id -- e_header_ipv6_src 128 bits -- e_header_ipv6_dst 128 bits -- e_header_ipv6_ver 4 bit IP version -- e_header_ipv6_priority 8 bits, Packet Priority -- e_header_ipv6_flow 20 bits, QoS management -- e_header_ipv6_length 16 bits -- e_header_ipv6_nextheader 8 bits -- e_header_ipv6_hoplimit 8 bits, ttl -- ------------------------------------------------------------------ CREATE TABLE event_header_ipv6 ( e_event_id INT UNSIGNED NOT NULL, e_header_ipv6_src VARCHAR(16), e_header_ipv6_dst VARCHAR(16), e_header_ipv6_ver TINYINT UNSIGNED, e_header_ipv6_priority TINYINT UNSIGNED, e_header_ipv6_flow MEDIUMINT UNSIGNED, e_header_ipv6_length SMALLINT UNSIGNED, e_header_ipv6_nextheader TINYINT UNSIGNED, e_header_ipv6_hoplimit TINYINT UNSIGNED, PRIMARY KEY (e_event_id), FOREIGN KEY (e_event_id) REFERENCES event_event(e_event_id) ON UPDATE CASCADE ON DELETE CASCADE) ENGINE=InnoDB; -- ------------------------------------------------------------------ -- TABLE: event_header_tcp -- DESCRIPTION: stores tcp packet header data for events -- COLUMNS: -- e_event_id pk: eventid -- fk: event_event.e_event_id -- e_header_tcp_sport source port -- e_header_tcp_dport destination port -- e_header_tcp_seq -- e_header_tcp_ack -- e_header_tcp_off -- e_header_tcp_res -- e_header_tcp_flags -- e_header_tcp_win -- e_header_tcp_csum checksum -- e_header_tcp_urp -- ------------------------------------------------------------------ CREATE TABLE event_header_tcp ( e_event_id INT UNSIGNED NOT NULL, e_header_tcp_sport SMALLINT UNSIGNED NOT NULL, e_header_tcp_dport SMALLINT UNSIGNED NOT NULL, e_header_tcp_seq INT UNSIGNED, e_header_tcp_ack INT UNSIGNED, e_header_tcp_off TINYINT UNSIGNED, e_header_tcp_res TINYINT UNSIGNED, e_header_tcp_flags TINYINT UNSIGNED NOT NULL, e_header_tcp_win SMALLINT UNSIGNED, e_header_tcp_csum SMALLINT UNSIGNED, e_header_tcp_urp SMALLINT UNSIGNED, PRIMARY KEY (e_event_id), FOREIGN KEY (e_event_id) REFERENCES event_event(e_event_id) ON UPDATE CASCADE ON DELETE CASCADE) ENGINE=InnoDB; -- ------------------------------------------------------------------ -- TABLE: event_header_udp -- DESCRIPTION: stores udp packet header data for events -- COLUMNS: -- e_event_id pk: eventid -- fk: event_event.e_event_id -- e_header_udp_sport source port -- e_header_udp_dport destination port -- e_header_udp_len -- e_header_udp_csum checksum -- ------------------------------------------------------------------ CREATE TABLE event_header_udp ( e_event_id INT UNSIGNED NOT NULL, e_header_udp_sport SMALLINT UNSIGNED NOT NULL, e_header_udp_dport SMALLINT UNSIGNED NOT NULL, e_header_udp_len INT UNSIGNED, e_header_udp_csum SMALLINT UNSIGNED, PRIMARY KEY (e_event_id), FOREIGN KEY (e_event_id) REFERENCES event_event(e_event_id) ON UPDATE CASCADE ON DELETE CASCADE) ENGINE=InnoDB; -- ------------------------------------------------------------------ -- TABLE: event_header_icmp -- DESCRIPTION: stores icmp and icmpv6 packet header data for events -- COLUMNS: -- e_event_id: pk: eventid -- fk: event_event.e_event_id -- e_header_icmp_type 8 bit -- e_header_icmp_code 8 bit -- e_header_icmp_csum 16 bit, checksum -- e_header_icmp_id -- e_header_icmp_seq -- ------------------------------------------------------------------ CREATE TABLE event_header_icmp ( e_event_id INT UNSIGNED NOT NULL, e_header_icmp_type TINYINT UNSIGNED NOT NULL, e_header_icmp_code TINYINT UNSIGNED NOT NULL, e_header_icmp_csum SMALLINT UNSIGNED, e_header_icmp_id SMALLINT UNSIGNED, e_header_icmp_seq SMALLINT UNSIGNED, PRIMARY KEY (e_event_id), FOREIGN KEY (e_event_id) REFERENCES event_event(e_event_id) ON UPDATE CASCADE ON DELETE CASCADE) ENGINE=InnoDB; -- ------------------------------------------------------------------ -- TABLE: event_option_ipv4 -- DESCRIPTION: ipv4 options for events (ipv6 does not have options) -- COLUMNS: -- e_event_id pk: eventid -- fk: event_event.e_event_id -- s_option_ipv4_code fk: snort_option_ipv4.s_option_ipv4_code -- e_option_opt_len length of the option code and event_data -- e_option_opt_data option data -- ------------------------------------------------------------------ CREATE TABLE event_option_ipv4 ( e_event_id INT UNSIGNED NOT NULL, s_option_ipv4_code SMALLINT UNSIGNED NOT NULL, e_option_opt_length INT, e_option_opt_data TEXT, PRIMARY KEY (e_event_id), FOREIGN KEY (e_event_id) REFERENCES event_event(e_event_id) ON UPDATE CASCADE ON DELETE CASCADE, FOREIGN KEY (s_option_ipv4_code) REFERENCES snort_option_ipv4(s_option_ipv4_code) ON UPDATE CASCADE ON DELETE CASCADE) ENGINE=InnoDB; -- ------------------------------------------------------------------ -- TABLE: event_option_tcp -- DESCRIPTION: tcp options for events -- http://www.iana.org/assignments/tcp-parameters -- COLUMNS: -- e_event_id option number (5 bits) -- s_option_tcp_code -- e_option_tcp_length descriptive name of the option -- e_option_tcp_desc -- ------------------------------------------------------------------ CREATE TABLE event_option_tcp ( e_event_id INT UNSIGNED NOT NULL, s_option_tcp_code SMALLINT UNSIGNED NOT NULL, e_option_tcp_length INT, e_option_tcp_data TEXT, PRIMARY KEY (e_event_id), FOREIGN KEY (e_event_id) REFERENCES event_event(e_event_id) ON UPDATE CASCADE ON DELETE CASCADE, FOREIGN KEY (s_option_tcp_code) REFERENCES snort_option_tcp(s_option_tcp_code) ON UPDATE CASCADE ON DELETE CASCADE) ENGINE=InnoDB; |
From: Sean G M. <sea...@ru...> - 2006-08-26 13:18:57
|
On Friday 25 August 2006 21:33, Axton Grams wrote: > Michael Stone wrote: > > On Wed, Aug 23, 2006 at 11:40:20AM -0400, you wrote: > >> What are your thoughts on the additional tables to store the rule, > >> generator, generator_tag, and sid-msg.map data? Do you think this > >> would be particularly useful information for use in the application > >> presentation? > > > > I'm not sure why the generator table, e.g., isn't referenced from the > > signature table. If it's not used by anything I don't see any point to > > it. I'm also not sure I understand the references tables; why does the > > sig_ref table exist at all, rather than the reference including the sig > > id directly? > > > > Mike Stone > > Lots of updates. Need someone with a critical eye to review what I > have. Also, wasn't sure the best way to store ipv6 addresses (128bit), > but used a varchar(16). Would it be possible to covert the hex pairing to decimal and store it as a numeric entry. I have had some problems with ipv4 and ipv6 stored as varchar. A quick conversion program can display it in the readable format. > Still working on a stored procedure that can be > used to synthesize random data sets. > > There use of an intermediary reference table (was sig_reference, now > ref_crossref) should become more clear now. It can allow the two base > reference tables (system and reference) to store reference information > for any record. > > Thanks, > Axton Grams > > > -- ------------------------------------------------------------------ > -- Revision: 1.3 > -- > -- Description: This is a redesign of the snortdb schema that > -- contains some simplifications, incorporations of newer database > -- features, > -- * incorporate fk constraints > -- * removal of duplicate event_data (more normalized) > -- > -- Compatability: MySQL 4.0+ > -- > -- Updates 1.1 > -- * removed last_cid from event_sensor table > -- * added event_sigclass.sig_class_priority > -- * added event_sigclass.sig_class_desc > -- * removed event_signature.sig_priority; this is a copy if > -- event_sigclass > -- * new tables > -- * created a rule table to store rule information > -- * this is valuable for ref_references > -- * event_signature > -- * stores sid-msg.map event_data for ref_references > -- * generators > -- * Snort Generator Ids > -- * use db triggers to capture aggregate event_data for large > -- datasets > -- * created a series of views to access common sets of event_data > -- * renamed `schema` to snort_control, since schema is a reserved > -- word > -- ------------------------------------------------------------------ > -- Updates 1.2 > -- * split the opt table into two tables, one for ip and one for tcp > -- * ip options - opt_ip > -- * tcp options - snort_opt_tcp > -- * corrected some invalid/missing pk/fk relationships > -- * updated the address columns to be a event_data type of > -- varchar(16) to allow it to store 128 bits of event_data with > -- ipv6 addresses > -- * added table for ipv6 headers - event_header_ipv6 > -- * checked the format of icmp vs. icmpv6 and they are similar > -- enough that the icmp tables can be shared for both protocols > -- ------------------------------------------------------------------ > -- Updates 1.3 > -- * table names cleaned up > -- * tables have one of three prefixes to denote their function > -- * snort_ snort configuration data > -- * ref_ external system reference data > -- * event_ data pertaining to the environment(s) being logged > -- * generator_tag table linked to events > -- * column names cleaned up with a uniform naming style > -- * because of the pk/fk constraints, it will probably be necessary > -- for snort to check/load the config data at startup > -- * added a new column to the control table to store the schema > -- data version for this reason > -- * comments added > -- ------------------------------------------------------------------ > > -- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ > -- STATIC DATA TABLES/MANAGED BY SCHEMA VERSION > -- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ > > -- ------------------------------------------------------------------ > -- TABLE: snort_control > -- DESCRIPTION: Stores the schema control information > -- COLUMNS: > -- s_control_version_schema the version of the schema > -- s_control_version_data the version of the schema > -- s_control_created time schema was created > -- s_control_created time schema was last updated > -- ------------------------------------------------------------------ > CREATE TABLE snort_control ( > s_control_version INT UNSIGNED NOT NULL, > s_control_created DATETIME NOT NULL, > PRIMARY KEY (s_control_version)) > ENGINE=InnoDB; > > -- ------------------------------------------------------------------ > -- TABLE: snort_encoding > -- DESCRIPTION: the format used to store event_data payload > -- COLUMNS: > -- s_encoding_type pk: enumeration of snort_encoding type > -- 0 - hex > -- 1 - base64 > -- 2 - ascii > -- description text representation of the type enumeration > -- ------------------------------------------------------------------ > CREATE TABLE snort_encoding ( > s_encoding_type TINYINT UNSIGNED NOT NULL, > s_encoding_description TEXT NOT NULL, > PRIMARY KEY (s_encoding_type)) > ENGINE=InnoDB; > > -- ------------------------------------------------------------------ > -- TABLE: snort_detail > -- DESCRIPTION: the database output plugin, the level of event_data > -- to store > -- COLUMNS: > -- detail_type pk: enumeration of snort_detail type > -- 0 - full > -- 1 - fast > -- detail_text text representation of the detail_type > -- ------------------------------------------------------------------ > CREATE TABLE snort_detail ( > s_detail_type TINYINT UNSIGNED NOT NULL, > s_detail_description TEXT NOT NULL, > PRIMARY KEY (s_detail_type)) > ENGINE=InnoDB; > > -- ------------------------------------------------------------------ > -- TABLE: snort_option_ipv4 > -- DESCRIPTION: ipv4 packet options descriptions > -- http://www.iana.org/assignments/ip-parameters > -- COLUMNS: > -- s_option_ipv4_code option number (5 bits) > -- s_option_ipv4_copy (1 bit) > -- 0 - Do not copy > -- 1 - Copy > -- s_option_ipv4_class (2 bits) > -- 0 - Control > -- 1 - Reserved > -- 2 - Debugging and measurement > -- 3 - Reserved > -- s_option_ipv4_value > -- s_option_ipv4_name code/name of the option > -- s_option_ipv4_desc descriptive name of the option > -- s_option_ipv4_ref_id using reference system, references rfcs > -- or other docs that describes the option > -- ------------------------------------------------------------------ > CREATE TABLE snort_option_ipv4 ( > s_option_ipv4_code SMALLINT UNSIGNED NOT NULL, > s_option_ipv4_copy TINYINT UNSIGNED, > s_option_ipv4_class TINYINT UNSIGNED, > s_option_ipv4_value TINYINT UNSIGNED, > s_option_ipv4_name VARCHAR(10), > s_option_ipv4_desc VARCHAR(50), > s_option_ipv4_ref_id INT UNSIGNED, > PRIMARY KEY (s_option_ipv4_code)) > ENGINE=InnoDB; > > -- ------------------------------------------------------------------ > -- TABLE: snort_option_tcp > -- DESCRIPTION: tcp packet options descriptions > -- http://www.iana.org/assignments/tcp-parameters > -- COLUMNS: > -- s_option_tcp_code option number (5 bits) > -- s_option_tcp_length length of the option > -- s_option_tcp_desc descriptive name of the option > -- s_option_tcp_ref_id using reference system, references rfcs > -- or other docs that describes the option > -- ------------------------------------------------------------------ > CREATE TABLE snort_option_tcp ( > s_option_tcp_code SMALLINT UNSIGNED NOT NULL, > s_option_tcp_length VARCHAR(5), > s_option_tcp_desc VARCHAR(50), > s_option_tcp_ref_id INT UNSIGNED, > PRIMARY KEY (s_option_tcp_code)) > ENGINE=InnoDB; > > -- ------------------------------------------------------------------ > -- TABLE: snort_generator > -- DESCRIPTION: preprocessors available in snort > -- COLUMNS: > -- s_generator_id pk: auto increment > -- s_generator_name short name of the preprocessor > -- s_generator_desc descriptive name of the preprocessor > -- ------------------------------------------------------------------ > CREATE TABLE snort_generator ( > s_generator_id INT UNSIGNED NOT NULL, > s_generator_name VARCHAR(60) NOT NULL, > s_generator_desc VARCHAR(60) NOT NULL, > PRIMARY KEY (s_generator_id)) > ENGINE=InnoDB; > > -- ------------------------------------------------------------------ > -- TABLE: snort_generator > -- DESCRIPTION: preprocessors available in snort > -- COLUMNS: > -- s_generator_tag_id pk: auto-increment > -- s_generator_id fk: snort_generator.s_generator_id > -- s_generator_tag_subid subidentifier of s_generator_id; is > -- unique per s_generator_id > -- s_generator_tag_name name of the preprocessor subcat > -- ------------------------------------------------------------------ > CREATE TABLE snort_generator_tag ( > s_generator_tag_id INT UNSIGNED NOT NULL AUTO_INCREMENT, > s_generator_tag_subid INT UNSIGNED NOT NULL, > s_generator_id INT UNSIGNED NOT NULL, > s_generator_tag_name VARCHAR(60), > PRIMARY KEY (s_generator_tag_id), > FOREIGN KEY (s_generator_id) > REFERENCES snort_generator(s_generator_id) > ON UPDATE CASCADE > ON DELETE CASCADE) > ENGINE=InnoDB; > > > -- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ > -- REFERENCE SYSTEMS / REFERENCE DATA > -- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ > > -- ------------------------------------------------------------------ > -- TABLE: ref_system > -- DESCRIPTION: a list of the external systems used for reference > -- data > -- COLUMNS: > -- r_system_id pk: auto-increment > -- r_system_name descriptive name for the system (e.g., nessus) > -- ------------------------------------------------------------------ > CREATE TABLE ref_system ( > r_system_id INT UNSIGNED NOT NULL AUTO_INCREMENT, > r_system_name VARCHAR(20), > PRIMARY KEY (r_system_id)) > ENGINE=InnoDB; > > -- ------------------------------------------------------------------ > -- TABLE: ref_references > -- DESCRIPTION: unique reference within a reference system > -- COLUMNS: > -- r_references_id pk: auto-increment > -- r_system_id fk: ref_system.ref_system_id > -- r_references_tag detail data to cross-reference system in > -- ref_system > -- ------------------------------------------------------------------ > CREATE TABLE ref_references ( > r_references_id INT UNSIGNED NOT NULL AUTO_INCREMENT, > r_system_id INT UNSIGNED NOT NULL, > r_references_tag TEXT NOT NULL, > PRIMARY KEY (r_references_id), > FOREIGN KEY (r_system_id) > REFERENCES ref_system(r_system_id) > ON UPDATE CASCADE > ON DELETE CASCADE) > ENGINE=InnoDB; > > -- ------------------------------------------------------------------ > -- TABLE: ref_crossref > -- DESCRIPTION: association table for reference systems to detail > -- records > -- COLUMNS: > -- r_crossref_id pk: auto-increment > -- r_references_id fk: ref_references.r_references_id > -- r_crossref_type enumeration for the record type: > -- 0 - signature > -- 1 - tcp_header > -- r_crossref_ext_id weak fk: the pk of the form to which the > -- defined reference is associated (e.g., sig_id) > -- ------------------------------------------------------------------ > CREATE TABLE ref_crossref ( > r_crossref_id INT UNSIGNED NOT NULL AUTO_INCREMENT, > r_references_id INT UNSIGNED NOT NULL, > r_crossref_type TINYINT UNSIGNED NOT NULL, > r_crossref_ext_id INT UNSIGNED NOT NULL, > PRIMARY KEY(r_crossref_id), > FOREIGN KEY (r_references_id) > REFERENCES ref_references(r_references_id) > ON UPDATE CASCADE > ON DELETE CASCADE) > ENGINE=InnoDB; > > > -- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ > -- EVENT AND RELATED TABLES > -- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ > > -- ------------------------------------------------------------------ > -- TABLE: event_sensor > -- DESCRIPTION: stores a list of all snort sensors that have logged > -- to this > -- COLUMNS: > -- e_sensor_id pk: event_sensor id > -- e_sensor_hostname hostname/ip of the event_sensor > -- e_sensor_interface network interface > -- e_sensor_filter ignore_bpf > -- s_detail_type fk: snort_detail.s_detail_type > -- s_encoding_type fk: snort_encoding.s_encoding_type > -- ------------------------------------------------------------------ > CREATE TABLE event_sensor ( > e_sensor_id INT UNSIGNED NOT NULL AUTO_INCREMENT, > e_sensor_hostname TEXT, > e_sensor_interface TEXT, > e_sensor_filter TEXT, > s_detail_type TINYINT UNSIGNED, > s_encoding_type TINYINT UNSIGNED, > PRIMARY KEY (e_sensor_id), > FOREIGN KEY (s_encoding_type) > REFERENCES snort_encoding(s_encoding_type) > ON UPDATE CASCADE > ON DELETE CASCADE, > FOREIGN KEY (s_detail_type) > REFERENCES snort_detail(s_detail_type) > ON UPDATE CASCADE > ON DELETE CASCADE) > ENGINE=InnoDB; > > -- ------------------------------------------------------------------ > -- TABLE: event_sigclass > -- DESCRIPTION: stores a list of unique signature classifications > -- e.g., 2-attempted-recon. see classification.config > -- COLUMNS: > -- e_sigclass_id pk: auto-increment > -- e_sigclass_name short name of the classification > -- e_sigclass_priority priority configured for the classification > -- e_sigclass_desc descriptive name fo the classification > -- ------------------------------------------------------------------ > CREATE TABLE event_sigclass ( > e_sigclass_id INT UNSIGNED NOT NULL AUTO_INCREMENT, > e_sigclass_name VARCHAR(60) NOT NULL, > e_sigclass_priority INT NOT NULL, > e_sigclass_desc VARCHAR(60) NOT NULL, > PRIMARY KEY (e_sigclass_id)) > ENGINE=InnoDB; > > -- ------------------------------------------------------------------ > -- TABLE: event_signature > -- DESCRIPTION: stores a list of unique signatures logged by all > -- sensors. see sid-msg.map > -- COLUMNS: > -- e_sig_id pk: auto-increment > -- e_sig_name > -- e_sigclass_id > -- e_sig_rev > -- e_sig_sid > -- e_sig_gid > -- ------------------------------------------------------------------ > CREATE TABLE event_signature ( > e_sig_id INT UNSIGNED NOT NULL AUTO_INCREMENT, > e_sig_name VARCHAR(255) NOT NULL, > e_sigclass_id INT UNSIGNED NOT NULL, > e_sig_rev INT UNSIGNED, > e_sig_sid INT UNSIGNED, > e_sig_gid INT UNSIGNED, > PRIMARY KEY (e_sig_id), > FOREIGN KEY (e_sigclass_id) > REFERENCES event_sigclass(e_sigclass_id) > ON UPDATE CASCADE > ON DELETE CASCADE) > ENGINE=InnoDB; > > -- ------------------------------------------------------------------ > -- TABLE: event_event > -- DESCRIPTION: alerts > -- COLUMNS: > -- e_event_id pk: eventid > -- fk: event_event.e_event_id > -- e_sensor_id fk: event_sendsor.e_sensor_id > -- e_sig_id fk: event_signature.e_sig_id > -- s_generator_tag_id fk: snort_generator_tag.s_generator_tag_id > -- e_event_timestamp the time of the alert > -- ------------------------------------------------------------------ > CREATE TABLE event_event ( > e_event_id INT UNSIGNED NOT NULL AUTO_INCREMENT, > e_sensor_id INT UNSIGNED NOT NULL, > e_sig_id INT UNSIGNED NOT NULL, > s_generator_tag_id INT UNSIGNED NOT NULL, > e_event_timestamp DATETIME NOT NULL, > PRIMARY KEY (e_event_id), > FOREIGN KEY (e_sensor_id) > REFERENCES event_sensor(e_sensor_id) > ON UPDATE CASCADE > ON DELETE RESTRICT, > FOREIGN KEY (e_sig_id) > REFERENCES event_signature(e_sig_id) > ON UPDATE CASCADE > ON DELETE CASCADE, > FOREIGN KEY (s_generator_tag_id) > REFERENCES snort_generator_tag(s_generator_tag_id) > ON UPDATE CASCADE > ON DELETE CASCADE) > ENGINE=InnoDB; > > -- ------------------------------------------------------------------ > -- TABLE: event_data > -- DESCRIPTION: stores packet payload for events > -- COLUMNS: > -- e_event_id pk: eventid > -- fk: event_event.e_event_id > -- e_data_payloadthe packet contents that triggered an alert > -- ------------------------------------------------------------------ > CREATE TABLE event_data ( > e_event_id INT UNSIGNED NOT NULL, > e_data_payload TEXT, > PRIMARY KEY (e_event_id), > FOREIGN KEY (e_event_id) > REFERENCES event_event(e_event_id) > ON UPDATE CASCADE > ON DELETE CASCADE) > ENGINE=InnoDB; > > -- ------------------------------------------------------------------ > -- TABLE: event_header_ipv4 > -- DESCRIPTION: stores ipv4 packet header data for events > -- COLUMNS: > -- e_event_id pk: eventid > -- fk: event_event.e_event_id > -- e_header_ipv4_src source ip address (32-bit) > -- e_header_ipv4_dst destination ip address (32-bit) > -- e_header_ipv4_ver > -- e_header_ipv4_hlen > -- e_header_ipv4_tos > -- e_header_ipv4_len > -- e_header_ipv4_id > -- e_header_ipv4_flags > -- e_header_ipv4_off > -- e_header_ipv4_ttl > -- e_header_ipv4_proto > -- e_header_ipv4_csum > -- ------------------------------------------------------------------ > CREATE TABLE event_header_ipv4 ( > e_event_id INT UNSIGNED NOT NULL, > e_header_ipv4_src INT UNSIGNED NOT NULL, > e_header_ipv4_dst INT UNSIGNED NOT NULL, > e_header_ipv4_ver TINYINT UNSIGNED, > e_header_ipv4_hlen TINYINT UNSIGNED, > e_header_ipv4_tos TINYINT UNSIGNED, > e_header_ipv4_len SMALLINT UNSIGNED, > e_header_ipv4_id SMALLINT UNSIGNED, > e_header_ipv4_flags TINYINT UNSIGNED, > e_header_ipv4_off SMALLINT UNSIGNED, > e_header_ipv4_ttl TINYINT UNSIGNED, > e_header_ipv4_proto TINYINT UNSIGNED NOT NULL, > e_header_ipv4_csum SMALLINT UNSIGNED, > PRIMARY KEY (e_event_id), > FOREIGN KEY (e_event_id) > REFERENCES event_event(e_event_id) > ON UPDATE CASCADE > ON DELETE CASCADE) > ENGINE=InnoDB; > > -- ------------------------------------------------------------------ > -- TABLE: event_header_ipv6 > -- DESCRIPTION: stores ipv6 packet header data for events > -- COLUMNS: > -- e_event_id pk: eventid > -- fk: event_event.e_event_id > -- e_header_ipv6_src 128 bits > -- e_header_ipv6_dst 128 bits > -- e_header_ipv6_ver 4 bit IP version > -- e_header_ipv6_priority 8 bits, Packet Priority > -- e_header_ipv6_flow 20 bits, QoS management > -- e_header_ipv6_length 16 bits > -- e_header_ipv6_nextheader 8 bits > -- e_header_ipv6_hoplimit 8 bits, ttl > -- ------------------------------------------------------------------ > CREATE TABLE event_header_ipv6 ( > e_event_id INT UNSIGNED NOT NULL, > e_header_ipv6_src VARCHAR(16), > e_header_ipv6_dst VARCHAR(16), > e_header_ipv6_ver TINYINT UNSIGNED, > e_header_ipv6_priority TINYINT UNSIGNED, > e_header_ipv6_flow MEDIUMINT UNSIGNED, > e_header_ipv6_length SMALLINT UNSIGNED, > e_header_ipv6_nextheader TINYINT UNSIGNED, > e_header_ipv6_hoplimit TINYINT UNSIGNED, > PRIMARY KEY (e_event_id), > FOREIGN KEY (e_event_id) > REFERENCES event_event(e_event_id) > ON UPDATE CASCADE > ON DELETE CASCADE) > ENGINE=InnoDB; > > -- ------------------------------------------------------------------ > -- TABLE: event_header_tcp > -- DESCRIPTION: stores tcp packet header data for events > -- COLUMNS: > -- e_event_id pk: eventid > -- fk: event_event.e_event_id > -- e_header_tcp_sport source port > -- e_header_tcp_dport destination port > -- e_header_tcp_seq > -- e_header_tcp_ack > -- e_header_tcp_off > -- e_header_tcp_res > -- e_header_tcp_flags > -- e_header_tcp_win > -- e_header_tcp_csum checksum > -- e_header_tcp_urp > -- ------------------------------------------------------------------ > CREATE TABLE event_header_tcp ( > e_event_id INT UNSIGNED NOT NULL, > e_header_tcp_sport SMALLINT UNSIGNED NOT NULL, > e_header_tcp_dport SMALLINT UNSIGNED NOT NULL, > e_header_tcp_seq INT UNSIGNED, > e_header_tcp_ack INT UNSIGNED, > e_header_tcp_off TINYINT UNSIGNED, > e_header_tcp_res TINYINT UNSIGNED, > e_header_tcp_flags TINYINT UNSIGNED NOT NULL, > e_header_tcp_win SMALLINT UNSIGNED, > e_header_tcp_csum SMALLINT UNSIGNED, > e_header_tcp_urp SMALLINT UNSIGNED, > PRIMARY KEY (e_event_id), > FOREIGN KEY (e_event_id) > REFERENCES event_event(e_event_id) > ON UPDATE CASCADE > ON DELETE CASCADE) > ENGINE=InnoDB; > > -- ------------------------------------------------------------------ > -- TABLE: event_header_udp > -- DESCRIPTION: stores udp packet header data for events > -- COLUMNS: > -- e_event_id pk: eventid > -- fk: event_event.e_event_id > -- e_header_udp_sport source port > -- e_header_udp_dport destination port > -- e_header_udp_len > -- e_header_udp_csum checksum > -- ------------------------------------------------------------------ > CREATE TABLE event_header_udp ( > e_event_id INT UNSIGNED NOT NULL, > e_header_udp_sport SMALLINT UNSIGNED NOT NULL, > e_header_udp_dport SMALLINT UNSIGNED NOT NULL, > e_header_udp_len INT UNSIGNED, > e_header_udp_csum SMALLINT UNSIGNED, > PRIMARY KEY (e_event_id), > FOREIGN KEY (e_event_id) > REFERENCES event_event(e_event_id) > ON UPDATE CASCADE > ON DELETE CASCADE) > ENGINE=InnoDB; > > -- ------------------------------------------------------------------ > -- TABLE: event_header_icmp > -- DESCRIPTION: stores icmp and icmpv6 packet header data for events > -- COLUMNS: > -- e_event_id: pk: eventid > -- fk: event_event.e_event_id > -- e_header_icmp_type 8 bit > -- e_header_icmp_code 8 bit > -- e_header_icmp_csum 16 bit, checksum > -- e_header_icmp_id > -- e_header_icmp_seq > -- ------------------------------------------------------------------ > CREATE TABLE event_header_icmp ( > e_event_id INT UNSIGNED NOT NULL, > e_header_icmp_type TINYINT UNSIGNED NOT NULL, > e_header_icmp_code TINYINT UNSIGNED NOT NULL, > e_header_icmp_csum SMALLINT UNSIGNED, > e_header_icmp_id SMALLINT UNSIGNED, > e_header_icmp_seq SMALLINT UNSIGNED, > PRIMARY KEY (e_event_id), > FOREIGN KEY (e_event_id) > REFERENCES event_event(e_event_id) > ON UPDATE CASCADE > ON DELETE CASCADE) > ENGINE=InnoDB; > > -- ------------------------------------------------------------------ > -- TABLE: event_option_ipv4 > -- DESCRIPTION: ipv4 options for events (ipv6 does not have options) > -- COLUMNS: > -- e_event_id pk: eventid > -- fk: event_event.e_event_id > -- s_option_ipv4_code fk: snort_option_ipv4.s_option_ipv4_code > -- e_option_opt_len length of the option code and event_data > -- e_option_opt_data option data > -- ------------------------------------------------------------------ > CREATE TABLE event_option_ipv4 ( > e_event_id INT UNSIGNED NOT NULL, > s_option_ipv4_code SMALLINT UNSIGNED NOT NULL, > e_option_opt_length INT, > e_option_opt_data TEXT, > PRIMARY KEY (e_event_id), > FOREIGN KEY (e_event_id) > REFERENCES event_event(e_event_id) > ON UPDATE CASCADE > ON DELETE CASCADE, > FOREIGN KEY (s_option_ipv4_code) > REFERENCES snort_option_ipv4(s_option_ipv4_code) > ON UPDATE CASCADE > ON DELETE CASCADE) > ENGINE=InnoDB; > > -- ------------------------------------------------------------------ > -- TABLE: event_option_tcp > -- DESCRIPTION: tcp options for events > -- http://www.iana.org/assignments/tcp-parameters > -- COLUMNS: > -- e_event_id option number (5 bits) > -- s_option_tcp_code > -- e_option_tcp_length descriptive name of the option > -- e_option_tcp_desc > -- ------------------------------------------------------------------ > CREATE TABLE event_option_tcp ( > e_event_id INT UNSIGNED NOT NULL, > s_option_tcp_code SMALLINT UNSIGNED NOT NULL, > e_option_tcp_length INT, > e_option_tcp_data TEXT, > PRIMARY KEY (e_event_id), > FOREIGN KEY (e_event_id) > REFERENCES event_event(e_event_id) > ON UPDATE CASCADE > ON DELETE CASCADE, > FOREIGN KEY (s_option_tcp_code) > REFERENCES snort_option_tcp(s_option_tcp_code) > ON UPDATE CASCADE > ON DELETE CASCADE) > ENGINE=InnoDB; > > ------------------------------------------------------------------------- > Using Tomcat but need to do more? Need to support web services, security? > Get stuff done quickly with pre-integrated technology to make your job > easier Download IBM WebSphere Application Server v.1.0.1 based on Apache > Geronimo > http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 > _______________________________________________ > Secureideas-base-devel mailing list > Sec...@li... > https://lists.sourceforge.net/lists/listinfo/secureideas-base-devel |
From: Axton G. <axt...@gm...> - 2006-08-26 14:52:17
|
Sean G Muller wrote: > On Friday 25 August 2006 21:33, Axton Grams wrote: >> Michael Stone wrote: >>> On Wed, Aug 23, 2006 at 11:40:20AM -0400, you wrote: >>>> What are your thoughts on the additional tables to store the rule, >>>> generator, generator_tag, and sid-msg.map data? Do you think this >>>> would be particularly useful information for use in the application >>>> presentation? >>> I'm not sure why the generator table, e.g., isn't referenced from the >>> signature table. If it's not used by anything I don't see any point to >>> it. I'm also not sure I understand the references tables; why does the >>> sig_ref table exist at all, rather than the reference including the sig >>> id directly? >>> >>> Mike Stone >> Lots of updates. Need someone with a critical eye to review what I >> have. Also, wasn't sure the best way to store ipv6 addresses (128bit), >> but used a varchar(16). > Would it be possible to covert the hex pairing to decimal and store it as a > numeric entry. I have had some problems with ipv4 and ipv6 stored as varchar. > A quick conversion program can display it in the readable format. > If it is possible, I'm not seeing how. Here are the numeric data types for mysql: TINYINT 1 byte SMALLINT 2 bytes MEDIUMINT 3 bytes INT 4 bytes BIGINT 8 bytes floating point (single precision) 4 bytes floating point (double-precision) 8 bytes None of these get close to the 16 bytes(128 bits) needed to store the address. I was expecting the addresses to be stored in the decimal notation currently used for the ipv4 addresses, just in a varchar field. For postgresql, there is a native data type, inet, that stores ipv4 and/or ipv6 network addresses/networks. One thing I want to have persistent is the access mechanism between the various databases. I wonder if it is possible to create a user defined data type within mysql that mimics the inet data type within postgresql. Axton Grams >> Still working on a stored procedure that can be >> used to synthesize random data sets. >> >> There use of an intermediary reference table (was sig_reference, now >> ref_crossref) should become more clear now. It can allow the two base >> reference tables (system and reference) to store reference information >> for any record. >> >> Thanks, >> Axton Grams |
From: Sean G M. <sea...@ru...> - 2006-08-26 18:12:35
|
On Saturday 26 August 2006 10:52, Axton Grams wrote: > Sean G Muller wrote: > > On Friday 25 August 2006 21:33, Axton Grams wrote: > >> Michael Stone wrote: > >>> On Wed, Aug 23, 2006 at 11:40:20AM -0400, you wrote: > >>>> What are your thoughts on the additional tables to store the rule, > >>>> generator, generator_tag, and sid-msg.map data? Do you think this > >>>> would be particularly useful information for use in the application > >>>> presentation? > >>> > >>> I'm not sure why the generator table, e.g., isn't referenced from the > >>> signature table. If it's not used by anything I don't see any point to > >>> it. I'm also not sure I understand the references tables; why does the > >>> sig_ref table exist at all, rather than the reference including the s= ig > >>> id directly? > >>> > >>> Mike Stone > >> > >> Lots of updates. Need someone with a critical eye to review what I > >> have. Also, wasn't sure the best way to store ipv6 addresses (128bit), > >> but used a varchar(16). > > > > Would it be possible to covert the hex pairing to decimal and store it = as > > a numeric entry. I have had some problems with ipv4 and ipv6 stored as > > varchar. A quick conversion program can display it in the readable > > format. > > If it is possible, I'm not seeing how. Here are the numeric data types > for mysql: > > TINYINT 1 byte > SMALLINT 2 bytes > MEDIUMINT 3 bytes > INT 4 bytes > BIGINT 8 bytes > floating point (single precision) 4 bytes > floating point (double-precision) 8 bytes > > None of these get close to the 16 bytes(128 bits) needed to store the > address. =20 not in binary but decimal notaion IPv4 dotted decimal =A0 decimal notation 127.0.0.1 =A0=3D> =A0 =A0 =A02130706433 IPv6 Hex paired 1080:0000:0000:0000:0008:8000:200C:417A =3D> Decimal 21932261930451111902915077091070067066 (128 bit decimal notation) bigint 8 bytes large-range integer -9223372036854775808 to 9223372036854775= 807 So can it be stored it in decimal in varchar for sorting purposes? > I was expecting the addresses to be stored in the decimal=20 > notation currently used for the ipv4 addresses, just in a varchar field. > > For postgresql, there is a native data type, inet, that stores ipv4 > and/or ipv6 network addresses/networks. One thing I want to have > persistent is the access mechanism between the various databases. I > wonder if it is possible to create a user defined data type within mysql > that mimics the inet data type within postgresql. > > Axton Grams > > >> Still working on a stored procedure that can be > >> used to synthesize random data sets. > >> > >> There use of an intermediary reference table (was sig_reference, now > >> ref_crossref) should become more clear now. It can allow the two base > >> reference tables (system and reference) to store reference information > >> for any record. > >> > >> Thanks, > >> Axton Grams > > ------------------------------------------------------------------------- > Using Tomcat but need to do more? Need to support web services, security? > Get stuff done quickly with pre-integrated technology to make your job > easier Download IBM WebSphere Application Server v.1.0.1 based on Apache > Geronimo > http://sel.as-us.falkag.net/sel?cmd=3Dlnk&kid=3D120709&bid=3D263057&dat= =3D121642 > _______________________________________________ > Secureideas-base-devel mailing list > Sec...@li... > https://lists.sourceforge.net/lists/listinfo/secureideas-base-devel |
From: Axton G. <axt...@gm...> - 2006-08-27 01:31:31
|
Sean G Muller wrote: <snipped...> >>> Would it be possible to covert the hex pairing to decimal and store it as >>> a numeric entry. I have had some problems with ipv4 and ipv6 stored as >>> varchar. A quick conversion program can display it in the readable >>> format. >> If it is possible, I'm not seeing how. Here are the numeric data types >> for mysql: >> >> TINYINT 1 byte >> SMALLINT 2 bytes >> MEDIUMINT 3 bytes >> INT 4 bytes >> BIGINT 8 bytes >> floating point (single precision) 4 bytes >> floating point (double-precision) 8 bytes >> >> None of these get close to the 16 bytes(128 bits) needed to store the >> address. > not in binary but decimal notaion > IPv4 > dotted decimal decimal notation > 127.0.0.1 => 2130706433 > IPv6 > Hex paired > 1080:0000:0000:0000:0008:8000:200C:417A => > Decimal > 21932261930451111902915077091070067066 (128 bit decimal notation) > > bigint 8 bytes large-range integer -9223372036854775808 to 9223372036854775807 > > So can it be stored it in decimal in varchar for sorting purposes? > >> I was expecting the addresses to be stored in the decimal >> notation currently used for the ipv4 addresses, just in a varchar field. >> >> For postgresql, there is a native data type, inet, that stores ipv4 >> and/or ipv6 network addresses/networks. One thing I want to have >> persistent is the access mechanism between the various databases. I >> wonder if it is possible to create a user defined data type within mysql >> that mimics the inet data type within postgresql. >> >> Axton Grams To follow up, it seems there are lots of issues storing more than 64 bits of information in a single column; for example, many of the string functions are only capable of functioning against 64-bits (BIN, HEX, CONV, FORMAT). After trying to store and retrieve 128 bit values using mysql, well, I'll let the results speak for themselves: mysql> desc test2; +-------+----------------+------+-----+---------+-------+ | Field | Type | Null | Key | Default | Extra | +-------+----------------+------+-----+---------+-------+ | test1 | varbinary(128) | YES | | NULL | | | test2 | decimal(38,0) | YES | | NULL | | | test3 | blob | YES | | NULL | | +-------+----------------+------+-----+---------+-------+ 3 rows in set (0.00 sec) mysql> insert into test2 (test2) values (340282366920938463463374606431768211455); Query OK, 1 row affected (0.00 sec) mysql> select test2 from test2; +-----------------------------------------+ | test2 | +-----------------------------------------+ | 340282366920938690136965785174738468864 | +-----------------------------------------+ 1 row in set (0.00 sec) mysql> insert into test2 (test2) values (340282366920938111111111111111111111111); Query OK, 1 row affected (0.00 sec) mysql> select test2 from test2; +-----------------------------------------+ | test2 | +-----------------------------------------+ | 340282366920938690136965785174738468864 | | 340282366920938199010851566731636244480 | +-----------------------------------------+ 2 rows in set (0.00 sec) You tell me what the heck is going on there. Same result with the other two data types used in the table. Precision is not accurate. If we store the ipv6 addresses in two bigint columns (one for network and one for host address) at 64 bits each, we can work around these problems, as demonstrated below: mysql> desc test3; +-------+---------------------+------+-----+---------+-------+ | Field | Type | Null | Key | Default | Extra | +-------+---------------------+------+-----+---------+-------+ | test | bigint(20) unsigned | YES | | NULL | | +-------+---------------------+------+-----+---------+-------+ 1 row in set (0.00 sec) -- this is the max decimal value for a 64 bits mysql> insert into test3 (test) values (18446744073709551614); Query OK, 1 row affected (0.00 sec) mysql> insert into test3 (test) values (18446744073709551613); Query OK, 1 row affected (0.00 sec) mysql> select * from test3; +----------------------+ | test | +----------------------+ | 18446744073709551614 | | 18446744073709551613 | +----------------------+ 2 rows in set (0.00 sec) What do you think? Should be portable across databases (64-bit unsigned integer), should allow the sorting and grouping as is done with ipv4 today, and does not waste any storage. Could even enable us to group on network and address for ipv6 traffic, which may be useful. Axton Grams |
From: Kevin J. <kjo...@se...> - 2006-08-27 12:10:03
|
On Aug 26, 2006, at 9:31 PM, Axton Grams wrote: > To follow up, it seems there are lots of issues storing more than 64 > bits of information in a single column; for example, many of the > string > functions are only capable of functioning against 64-bits (BIN, HEX, > CONV, FORMAT). After trying to store and retrieve 128 bit values > using > mysql, well, I'll let the results speak for themselves: > > Snip > What do you think? Should be portable across databases (64-bit > unsigned > integer), should allow the sorting and grouping as is done with ipv4 > today, and does not waste any storage. Could even enable us to > group on > network and address for ipv6 traffic, which may be useful. > > Axton Grams Hi- I can't tell you why it is happening, but your solution makes sense. One point here to remember is that Snort does not yet support IPv6, so I while we need to plan ahead, we can't let this hold us up. What you are building looks good. I plan on trying to review it in detail over the next few days and should be able to then discuss it in particulars. Thanks Kevin --------------------- GCIA, GCIH, CEH BASE Project Lead http://base.secureideas.net The next step in IDS analysis! |
From: Axton G. <axt...@gm...> - 2006-08-27 19:28:56
|
Kevin Johnson wrote: > > On Aug 26, 2006, at 9:31 PM, Axton Grams wrote: > >> To follow up, it seems there are lots of issues storing more than 64 >> bits of information in a single column; for example, many of the string >> functions are only capable of functioning against 64-bits (BIN, HEX, >> CONV, FORMAT). After trying to store and retrieve 128 bit values using >> mysql, well, I'll let the results speak for themselves: >> >> Snip > >> What do you think? Should be portable across databases (64-bit unsigned >> integer), should allow the sorting and grouping as is done with ipv4 >> today, and does not waste any storage. Could even enable us to group on >> network and address for ipv6 traffic, which may be useful. >> >> Axton Grams > > Hi- > > I can't tell you why it is happening, but your solution makes sense. > One point > here to remember is that Snort does not yet support IPv6, so I while we need > to plan ahead, we can't let this hold us up. What you are building > looks good. > I plan on trying to review it in detail over the next few days and > should be > able to then discuss it in particulars. > > Thanks > Kevin > --------------------- > GCIA, GCIH, CEH > BASE Project Lead > http://base.secureideas.net > The next step in IDS analysis! > > > No problem. After reading the articles on the US governments adoption of IPv6 by 2008, it seems the roadways need to be laid down now. With other products emerging, it would be bad for snort to lose it's install base because of it's lack of support for IPv6. I've seen some snort patches for ipv6, but most of them look rudimentary at this point (e.g., don't parse headers, limited to packet payload, etc.): http://www.sikurezza.org/ml/12_02/msg00178.html http://www.networksecurityarchive.org/html/Snort-Users/2006-02/msg00006.html http://www.networksecurityarchive.org/html/Snort-Users/2006-02/msg00007.html Many of the changes in the schema will require quiet a bit of work from snort and snort loggers though. I would expect that of the changes some will have to be dropped or phased simply to make the implementation of the changes practical. In some of the archived messages, Marty referenced a rewrite of the snort decoder. What is the status on these changes? This could influence how the data needs to be written to the db (the snort c structures vs. the table layout). Here is the latest drop of the schema, with some supporting data included. Axton Grams -- ------------------------------------------------------------------ -- Revision: 1.4 -- -- Description: This is a redesign of the snortdb schema that -- contains some simplifications, incorporations of newer database -- features, -- * incorporate fk constraints -- * removal of duplicate event_data (more normalized) -- -- Compatability: MySQL 4.0+ -- -- Updates 1.1 -- * removed last_cid from event_sensor table -- * added event_sigclass.sig_class_priority -- * added event_sigclass.sig_class_desc -- * removed event_signature.sig_priority; this is a copy if -- event_sigclass -- * new tables -- * created a rule table to store rule information -- * this is valuable for ref_references -- * event_signature -- * stores sid-msg.map event_data for ref_references -- * generators -- * Snort Generator Ids -- * use db triggers to capture aggregate event_data for large -- datasets -- * created a series of views to access common sets of event_data -- * renamed `schema` to snort_control, since schema is a reserved -- word -- ------------------------------------------------------------------ -- Updates 1.2 -- * split the opt table into two tables, one for ip and one for tcp -- * ip options - opt_ip -- * tcp options - snort_opt_tcp -- * corrected some invalid/missing pk/fk relationships -- * updated the address columns to be a event_data type of -- varchar(16) to allow it to store 128 bits of event_data with -- ipv6 addresses -- * added table for ipv6 headers - event_header_ipv6 -- * checked the format of icmp vs. icmpv6 and they are similar -- enough that the icmp tables can be shared for both protocols -- ------------------------------------------------------------------ -- Updates 1.3 -- * table names cleaned up -- * tables have one of three prefixes to denote their function -- * snort_ snort configuration data -- * ref_ external system reference data -- * event_ data pertaining to the environment(s) being logged -- * generator_tag table linked to events -- * column names cleaned up with a uniform naming style -- * because of the pk/fk constraints, it will probably be necessary -- for snort to check/load the config data at startup -- * added a new column to the control table to store the schema -- data version for this reason -- * comments added -- ------------------------------------------------------------------ -- Updates 1.4 -- * Checked int sizes for header and option tables -- * added column event_header_tcp.e_header_tcp_ecn -- * changed the event_alert table to reference both the generator -- and generator_tag pk values. generator_tag is not always -- present. -- * collapsed the snort_generator and snort_generator_tag tables -- * renamed event_event to event_alert -- * used two BIGINT columns for ipv6 addresses -- * split into two 64 bit values -- * 1st 64 bits - network -- * 2nd 64 bits - host -- * allows access to addresses using decimal, hex, binary data -- types -- * some unpredictable behavior of mysql prevented use of binary/ -- varbinary data types -- To Do: -- * generate stored procedure to synthesize random data -- * useful for development against db before snort and other -- loggers can write to the database -- * create indexes -- * this will need to be driven by app development through the -- process of query refinement and tuning -- ------------------------------------------------------------------ -- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -- STATIC DATA TABLES/MANAGED BY SCHEMA VERSION -- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -- ------------------------------------------------------------------ -- TABLE: snort_control -- DESCRIPTION: Stores the schema control information -- COLUMNS: -- s_control_version_schema the version of the schema -- s_control_version_data the version of the schema -- s_control_created time schema was created -- s_control_updated time schema was last updated -- ------------------------------------------------------------------ CREATE TABLE snort_control ( s_control_version_schema INT UNSIGNED NOT NULL, s_control_version_data INT, s_control_created DATETIME NOT NULL, s_control_updated DATETIME NOT NULL, PRIMARY KEY (s_control_version_schema)) ENGINE=InnoDB; -- ------------------------------------------------------------------ -- TABLE: snort_encoding -- DESCRIPTION: the format used to store event_data payload -- COLUMNS: -- s_encoding_type pk: enumeration of snort_encoding type -- 0 - hex -- 1 - base64 -- 2 - ascii -- description text representation of the type enumeration -- ------------------------------------------------------------------ CREATE TABLE snort_encoding ( s_encoding_type TINYINT UNSIGNED NOT NULL, s_encoding_description TEXT NOT NULL, PRIMARY KEY (s_encoding_type)) ENGINE=InnoDB; -- ------------------------------------------------------------------ -- TABLE: snort_detail -- DESCRIPTION: the database output plugin, the level of event_data -- to store -- COLUMNS: -- detail_type pk: enumeration of snort_detail type -- 0 - full -- 1 - fast -- s_detail_description text representation of the detail_type -- ------------------------------------------------------------------ CREATE TABLE snort_detail ( s_detail_type TINYINT UNSIGNED NOT NULL, s_detail_description TEXT NOT NULL, PRIMARY KEY (s_detail_type)) ENGINE=InnoDB; -- ------------------------------------------------------------------ -- TABLE: snort_option_ipv4 -- DESCRIPTION: ipv4 packet options descriptions -- http://www.iana.org/assignments/ip-parameters -- COLUMNS: -- s_option_ipv4_code option number (5 bits) -- s_option_ipv4_copy (1 bit) -- 0 - Do not copy -- 1 - Copy -- s_option_ipv4_class (2 bits) -- 0 - Control -- 1 - Reserved -- 2 - Debugging and measurement -- 3 - Reserved -- s_option_ipv4_value -- s_option_ipv4_name code/name of the option -- s_option_ipv4_desc descriptive name of the option -- s_option_ipv4_ref_id using reference system, references rfcs -- or other docs that describes the option -- ------------------------------------------------------------------ CREATE TABLE snort_option_ipv4 ( s_option_ipv4_code SMALLINT UNSIGNED NOT NULL, s_option_ipv4_copy TINYINT UNSIGNED, s_option_ipv4_class TINYINT UNSIGNED, s_option_ipv4_value TINYINT UNSIGNED, s_option_ipv4_name VARCHAR(10), s_option_ipv4_desc VARCHAR(50), s_option_ipv4_ref_id INT UNSIGNED, PRIMARY KEY (s_option_ipv4_code)) ENGINE=InnoDB; -- ------------------------------------------------------------------ -- TABLE: snort_option_tcp -- DESCRIPTION: tcp packet options descriptions -- http://www.iana.org/assignments/tcp-parameters -- COLUMNS: -- s_option_tcp_code 5 bits option number -- s_option_tcp_length length of the option -- s_option_tcp_desc descriptive name of the option -- s_option_tcp_ref_id using reference system, references rfcs -- or other docs that describes the option -- ------------------------------------------------------------------ CREATE TABLE snort_option_tcp ( s_option_tcp_code SMALLINT UNSIGNED NOT NULL, s_option_tcp_length VARCHAR(5), s_option_tcp_desc VARCHAR(50), s_option_tcp_ref_id INT UNSIGNED, PRIMARY KEY (s_option_tcp_code)) ENGINE=InnoDB; -- ------------------------------------------------------------------ -- TABLE: snort_generator -- DESCRIPTION: preprocessors available in snort -- COLUMNS: -- s_generator_id pk: auto increment -- s_generator_alertid the sub-generator -- s_generator_message descriptive name of the preprocessor -- ------------------------------------------------------------------ CREATE TABLE snort_generator ( s_generator_id INT UNSIGNED NOT NULL, s_generator_alertid INT UNSIGNED NOT NULL, s_generator_message VARCHAR(70) NOT NULL, PRIMARY KEY (s_generator_id,s_generator_alertid)) ENGINE=InnoDB; -- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -- REFERENCE SYSTEMS / REFERENCE DATA -- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -- ------------------------------------------------------------------ -- TABLE: ref_system -- DESCRIPTION: a list of the external systems used for reference -- data -- COLUMNS: -- r_system_id pk: auto-increment -- r_system_name descriptive name for the system (e.g., nessus) -- ------------------------------------------------------------------ CREATE TABLE ref_system ( r_system_id INT UNSIGNED NOT NULL AUTO_INCREMENT, r_system_name VARCHAR(20), PRIMARY KEY (r_system_id)) ENGINE=InnoDB; -- ------------------------------------------------------------------ -- TABLE: ref_references -- DESCRIPTION: unique reference within a reference system -- COLUMNS: -- r_references_id pk: auto-increment -- r_system_id fk: ref_system.ref_system_id -- r_references_tag detail data to cross-reference system in -- ref_system -- ------------------------------------------------------------------ CREATE TABLE ref_references ( r_references_id INT UNSIGNED NOT NULL AUTO_INCREMENT, r_system_id INT UNSIGNED NOT NULL, r_references_tag TEXT NOT NULL, PRIMARY KEY (r_references_id), FOREIGN KEY (r_system_id) REFERENCES ref_system(r_system_id) ON UPDATE CASCADE ON DELETE CASCADE) ENGINE=InnoDB; -- ------------------------------------------------------------------ -- TABLE: ref_crossref -- DESCRIPTION: association table for reference systems to detail -- records -- COLUMNS: -- r_crossref_id pk: auto-increment -- r_references_id fk: ref_references.r_references_id -- r_crossref_type enumeration for the record type: -- 0 - signature -- 1 - tcp_header -- r_crossref_ext_id weak fk: the pk of the form to which the -- defined reference is associated (e.g., sig_id) -- ------------------------------------------------------------------ CREATE TABLE ref_crossref ( r_crossref_id INT UNSIGNED NOT NULL AUTO_INCREMENT, r_references_id INT UNSIGNED NOT NULL, r_crossref_type TINYINT UNSIGNED NOT NULL, r_crossref_ext_id INT UNSIGNED NOT NULL, PRIMARY KEY(r_crossref_id), FOREIGN KEY (r_references_id) REFERENCES ref_references(r_references_id) ON UPDATE CASCADE ON DELETE CASCADE) ENGINE=InnoDB; -- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -- EVENT AND RELATED TABLES -- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -- ------------------------------------------------------------------ -- TABLE: event_sensor -- DESCRIPTION: stores a list of all snort sensors that have logged -- to this -- COLUMNS: -- e_sensor_id pk: event_sensor id -- e_sensor_hostname hostname/ip of the event_sensor -- e_sensor_interface network interface -- e_sensor_filter ignore_bpf -- s_detail_type fk: snort_detail.s_detail_type -- s_encoding_type fk: snort_encoding.s_encoding_type -- ------------------------------------------------------------------ CREATE TABLE event_sensor ( e_sensor_id INT UNSIGNED NOT NULL AUTO_INCREMENT, e_sensor_hostname TEXT, e_sensor_interface TEXT, e_sensor_filter TEXT, s_detail_type TINYINT UNSIGNED, s_encoding_type TINYINT UNSIGNED, PRIMARY KEY (e_sensor_id), FOREIGN KEY (s_encoding_type) REFERENCES snort_encoding(s_encoding_type) ON UPDATE CASCADE ON DELETE CASCADE, FOREIGN KEY (s_detail_type) REFERENCES snort_detail(s_detail_type) ON UPDATE CASCADE ON DELETE CASCADE) ENGINE=InnoDB; -- ------------------------------------------------------------------ -- TABLE: event_sigclass -- DESCRIPTION: stores a list of unique signature classifications -- e.g., 2-attempted-recon. see classification.config -- COLUMNS: -- e_sigclass_id pk: auto-increment -- e_sigclass_name short name of the classification -- e_sigclass_priority priority configured for the classification -- e_sigclass_desc descriptive name fo the classification -- ------------------------------------------------------------------ CREATE TABLE event_sigclass ( e_sigclass_id INT UNSIGNED NOT NULL AUTO_INCREMENT, e_sigclass_name VARCHAR(60) NOT NULL, e_sigclass_priority INT NOT NULL, e_sigclass_desc VARCHAR(60) NOT NULL, PRIMARY KEY (e_sigclass_id)) ENGINE=InnoDB; -- ------------------------------------------------------------------ -- TABLE: event_signature -- DESCRIPTION: stores a list of unique signatures logged by all -- sensors. see sid-msg.map -- COLUMNS: -- e_sig_id pk: auto-increment -- e_sig_name -- e_sigclass_id -- e_sig_rev -- e_sig_sid -- e_sig_gid -- ------------------------------------------------------------------ CREATE TABLE event_signature ( e_sig_id INT UNSIGNED NOT NULL AUTO_INCREMENT, e_sig_name VARCHAR(255) NOT NULL, e_sigclass_id INT UNSIGNED NOT NULL, e_sig_rev INT UNSIGNED, e_sig_sid INT UNSIGNED, e_sig_gid INT UNSIGNED, PRIMARY KEY (e_sig_id), FOREIGN KEY (e_sigclass_id) REFERENCES event_sigclass(e_sigclass_id) ON UPDATE CASCADE ON DELETE CASCADE) ENGINE=InnoDB; -- ------------------------------------------------------------------ -- TABLE: event_alert -- DESCRIPTION: alerts -- COLUMNS: -- e_event_id pk: eventid -- e_sensor_id fk: event_sendsor.e_sensor_id -- e_sig_id fk: event_signature.e_sig_id -- s_generator_id fk: snort_generator_tag -- s_generator_alertid fk: snort_generator_tag -- e_event_timestamp the time of the alert -- ------------------------------------------------------------------ CREATE TABLE event_alert ( e_event_id INT UNSIGNED NOT NULL AUTO_INCREMENT, e_sensor_id INT UNSIGNED NOT NULL, e_sig_id INT UNSIGNED NOT NULL, s_generator_id INT UNSIGNED NOT NULL, s_generator_alertid INT UNSIGNED, e_event_timestamp DATETIME NOT NULL, PRIMARY KEY (e_event_id), FOREIGN KEY (e_sensor_id) REFERENCES event_sensor(e_sensor_id) ON UPDATE CASCADE ON DELETE RESTRICT, FOREIGN KEY (e_sig_id) REFERENCES event_signature(e_sig_id) ON UPDATE CASCADE ON DELETE CASCADE, FOREIGN KEY (s_generator_id,s_generator_alertid) REFERENCES snort_generator(s_generator_id,s_generator_alertid) ON UPDATE CASCADE ON DELETE CASCADE) ENGINE=InnoDB; -- ------------------------------------------------------------------ -- TABLE: event_data -- DESCRIPTION: stores packet payload for events -- COLUMNS: -- e_event_id pk: eventid -- fk: event_alert.e_event_id -- e_data_payloadthe packet contents that triggered an alert -- ------------------------------------------------------------------ CREATE TABLE event_data ( e_event_id INT UNSIGNED NOT NULL, e_data_payload TEXT, PRIMARY KEY (e_event_id), FOREIGN KEY (e_event_id) REFERENCES event_alert(e_event_id) ON UPDATE CASCADE ON DELETE CASCADE) ENGINE=InnoDB; -- ------------------------------------------------------------------ -- TABLE: event_header_ipv4 -- DESCRIPTION: stores ipv4 packet header data for events. -- http://www.networksorcery.com/enp/protocol/ip.htm -- COLUMNS: -- e_event_id pk: eventid -- fk: event_alert.e_event_id -- e_header_ipv4_src 32 bits source ip address -- e_header_ipv4_dst 32 bits destination ip address -- e_header_ipv4_ver 4 bits version -- e_header_ipv4_hlen 4 bits internet header length -- e_header_ipv4_tos 8 bits type of service -- e_header_ipv4_len 16 bits total length -- e_header_ipv4_id 16 bits identification -- e_header_ipv4_flags 3 bits flags -- e_header_ipv4_off 13 bits fragment offset -- e_header_ipv4_ttl 8 bits time to live -- e_header_ipv4_proto 8 bits protocol -- e_header_ipv4_csum 16 bits checksum -- ------------------------------------------------------------------ CREATE TABLE event_header_ipv4 ( e_event_id INT UNSIGNED NOT NULL, e_header_ipv4_src INT UNSIGNED NOT NULL, e_header_ipv4_dst INT UNSIGNED NOT NULL, e_header_ipv4_ver TINYINT UNSIGNED, e_header_ipv4_hlen TINYINT UNSIGNED, e_header_ipv4_tos TINYINT UNSIGNED, e_header_ipv4_len SMALLINT UNSIGNED, e_header_ipv4_id SMALLINT UNSIGNED, e_header_ipv4_flags TINYINT UNSIGNED, e_header_ipv4_off SMALLINT UNSIGNED, e_header_ipv4_ttl TINYINT UNSIGNED, e_header_ipv4_proto TINYINT UNSIGNED NOT NULL, e_header_ipv4_csum SMALLINT UNSIGNED, PRIMARY KEY (e_event_id), FOREIGN KEY (e_event_id) REFERENCES event_alert(e_event_id) ON UPDATE CASCADE ON DELETE CASCADE) ENGINE=InnoDB; -- ------------------------------------------------------------------ -- TABLE: event_header_ipv6 -- DESCRIPTION: stores ipv6 packet header data for events -- http://www.networksorcery.com/enp/protocol/ipv6.htm -- COLUMNS: -- e_event_id pk: eventid -- fk: event_alert.e_event_id -- e_header_ipv6_src_net 64 bits src ip network -- first 64 bits of address -- e_header_ipv6_src_host 64 bits src ip host -- second 64 bits of address -- e_header_ipv6_dst_net 64 bits destination ip network -- first 64 bits of address -- e_header_ipv6_dst_host 64 bits destination ip host -- second 64 bits of address -- e_header_ipv6_ver 4 bits ip version -- e_header_ipv6_priority 8 bits packet priority -- e_header_ipv6_flow 20 bits QoS management -- e_header_ipv6_length 16 bits payload length -- e_header_ipv6_nextheader 8 bits next header -- e_header_ipv6_hoplimit 8 bits time to live -- ------------------------------------------------------------------ CREATE TABLE event_header_ipv6 ( e_event_id INT UNSIGNED NOT NULL, e_header_ipv6_src_net BIGINT UNSIGNED NOT NULL, e_header_ipv6_src_host BIGINT UNSIGNED NOT NULL, e_header_ipv6_dst_net BIGINT UNSIGNED NOT NULL, e_header_ipv6_dst_host BIGINT UNSIGNED NOT NULL, e_header_ipv6_ver TINYINT UNSIGNED, e_header_ipv6_priority TINYINT UNSIGNED, e_header_ipv6_flow MEDIUMINT UNSIGNED, e_header_ipv6_length SMALLINT UNSIGNED, e_header_ipv6_nextheader TINYINT UNSIGNED, e_header_ipv6_hoplimit TINYINT UNSIGNED, PRIMARY KEY (e_event_id), FOREIGN KEY (e_event_id) REFERENCES event_alert(e_event_id) ON UPDATE CASCADE ON DELETE CASCADE) ENGINE=InnoDB; -- ------------------------------------------------------------------ -- TABLE: event_header_tcp -- DESCRIPTION: stores tcp packet header data for events -- COLUMNS: -- e_event_id pk: eventid -- fk: event_alert.e_event_id -- e_header_tcp_sport 16 bits source port -- e_header_tcp_dport 16 bits destination port -- e_header_tcp_seq 32 bits sequence -- e_header_tcp_ack 32 bits acknowledgment numbers -- e_header_tcp_off 4 bits data offset -- e_header_tcp_res 3 bits reserved -- e_header_tcp_ecn 3 bits explicit congestion notification -- e_header_tcp_flags 6 bits control bits -- e_header_tcp_win 16 bits window -- e_header_tcp_csum 16 bits checksum -- e_header_tcp_urp 16 bits urgent pointer -- ------------------------------------------------------------------ CREATE TABLE event_header_tcp ( e_event_id INT UNSIGNED NOT NULL, e_header_tcp_sport SMALLINT UNSIGNED NOT NULL, e_header_tcp_dport SMALLINT UNSIGNED NOT NULL, e_header_tcp_seq INT UNSIGNED, e_header_tcp_ack INT UNSIGNED, e_header_tcp_off TINYINT UNSIGNED, e_header_tcp_res TINYINT UNSIGNED, e_header_tcp_ecn TINYINT UNSIGNED, e_header_tcp_ctrl TINYINT UNSIGNED, e_header_tcp_flags TINYINT UNSIGNED NOT NULL, e_header_tcp_win SMALLINT UNSIGNED, e_header_tcp_csum SMALLINT UNSIGNED, e_header_tcp_urp SMALLINT UNSIGNED, PRIMARY KEY (e_event_id), FOREIGN KEY (e_event_id) REFERENCES event_alert(e_event_id) ON UPDATE CASCADE ON DELETE CASCADE) ENGINE=InnoDB; -- ------------------------------------------------------------------ -- TABLE: event_header_udp -- DESCRIPTION: stores udp packet header data for events -- http://www.networksorcery.com/enp/protocol/udp.htm -- COLUMNS: -- e_event_id pk: eventid -- fk: event_alert.e_event_id -- e_header_udp_sport 16 bits source port -- e_header_udp_dport 16 bits destination port -- e_header_udp_len 16 bits length -- e_header_udp_csum 16 bits checksum -- ------------------------------------------------------------------ CREATE TABLE event_header_udp ( e_event_id INT UNSIGNED NOT NULL, e_header_udp_sport SMALLINT UNSIGNED NOT NULL, e_header_udp_dport SMALLINT UNSIGNED NOT NULL, e_header_udp_len SMALLINT UNSIGNED, e_header_udp_csum SMALLINT UNSIGNED, PRIMARY KEY (e_event_id), FOREIGN KEY (e_event_id) REFERENCES event_alert(e_event_id) ON UPDATE CASCADE ON DELETE CASCADE) ENGINE=InnoDB; -- ------------------------------------------------------------------ -- TABLE: event_header_icmp -- DESCRIPTION: stores icmp and icmpv6 packet header data for events -- icmpv4 and icmpv6 are similar enough to share 1 table -- http://www.networksorcery.com/enp/protocol/icmp.htm -- http://www.networksorcery.com/enp/protocol/icmpv6.htm -- COLUMNS: -- e_event_id: pk: eventid -- fk: event_alert.e_event_id -- e_header_icmp_type 8 bits format of the icmp message -- e_header_icmp_code 8 bits further qualifies the icmp message -- e_header_icmp_csum 16 bits checksum -- e_header_icmp_id 16 bits identifier -- e_header_icmp_seq 16 bits sequence number -- ------------------------------------------------------------------ CREATE TABLE event_header_icmp ( e_event_id INT UNSIGNED NOT NULL, e_header_icmp_type TINYINT UNSIGNED NOT NULL, e_header_icmp_code TINYINT UNSIGNED NOT NULL, e_header_icmp_csum SMALLINT UNSIGNED, e_header_icmp_id SMALLINT UNSIGNED, e_header_icmp_seq SMALLINT UNSIGNED, PRIMARY KEY (e_event_id), FOREIGN KEY (e_event_id) REFERENCES event_alert(e_event_id) ON UPDATE CASCADE ON DELETE CASCADE) ENGINE=InnoDB; -- ------------------------------------------------------------------ -- TABLE: event_option_ipv4 -- DESCRIPTION: ipv4 options for events (ipv6 does not have options) -- COLUMNS: -- e_event_id pk: eventid -- fk: event_alert.e_event_id -- s_option_ipv4_code 5 bit fk: snort_option_ipv4.s_option_ipv4_code -- e_option_opt_len length of the option code and event_data -- e_option_opt_data option data -- ------------------------------------------------------------------ CREATE TABLE event_option_ipv4 ( e_event_id INT UNSIGNED NOT NULL, s_option_ipv4_code SMALLINT UNSIGNED NOT NULL, e_option_opt_length INT, e_option_opt_data TEXT, PRIMARY KEY (e_event_id), FOREIGN KEY (e_event_id) REFERENCES event_alert(e_event_id) ON UPDATE CASCADE ON DELETE CASCADE, FOREIGN KEY (s_option_ipv4_code) REFERENCES snort_option_ipv4(s_option_ipv4_code) ON UPDATE CASCADE ON DELETE CASCADE) ENGINE=InnoDB; -- ------------------------------------------------------------------ -- TABLE: event_option_tcp -- DESCRIPTION: tcp options for events -- http://www.iana.org/assignments/tcp-parameters -- COLUMNS: -- e_event_id -- s_option_tcp_code pk: eventid -- fk: event_alert.e_event_id -- e_option_tcp_length -- e_option_tcp_data -- ------------------------------------------------------------------ CREATE TABLE event_option_tcp ( e_event_id INT UNSIGNED NOT NULL, s_option_tcp_code SMALLINT UNSIGNED NOT NULL, e_option_tcp_length INT, e_option_tcp_data TEXT, PRIMARY KEY (e_event_id), FOREIGN KEY (e_event_id) REFERENCES event_alert(e_event_id) ON UPDATE CASCADE ON DELETE CASCADE, FOREIGN KEY (s_option_tcp_code) REFERENCES snort_option_tcp(s_option_tcp_code) ON UPDATE CASCADE ON DELETE CASCADE) ENGINE=InnoDB; -- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -- DATA -- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -- ------------------------------------------------------------------ -- REQUIRED CONFIG DATA -- ------------------------------------------------------------------ INSERT INTO snort_control (s_control_version_schema,s_control_version_data,s_control_created,s_control_updated) VALUES ('200','200',now(),now()); INSERT INTO snort_encoding (s_encoding_type,s_encoding_description) VALUES (0,'hex'); INSERT INTO snort_encoding (s_encoding_type,s_encoding_description) VALUES (1,'base64'); INSERT INTO snort_encoding (s_encoding_type,s_encoding_description) VALUES (2,'ascii'); INSERT INTO snort_detail (s_detail_type, s_detail_description) VALUES (0,'fast'); INSERT INTO snort_detail (s_detail_type, s_detail_description) VALUES (1,'full'); --------------------------------------------------------------------- -- SUPPORTING/REQUIRED DATA THAT SHOULD BE MAINTAINED BY SNORT, SINCE -- IT CAN CHANGE ON A RECURRING BASIS, DEPENDING ON THE PREPROCESSORS, -- VERSION, ETC. -- derived from gen-msp.map -- ------------------------------------------------------------------ INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (1,1,'snort general alert'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (2,1,'tag: Tagged Packet'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (3,1,'snort dynamic alert'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (100,1,'spp_portscan: Portscan Detected'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (100,2,'spp_portscan: Portscan Status'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (100,3,'spp_portscan: Portscan Ended'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (101,1,'spp_minfrag: minfrag alert'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (102,1,'http_decode: Unicode Attack'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (102,2,'http_decode: CGI NULL Byte Attack'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (102,3,'http_decode: large method attempted'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (102,4,'http_decode: missing uri'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (102,5,'http_decode: double encoding detected'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (102,6,'http_decode: illegal hex values detected'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (102,7,'http_decode: overlong character detected'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (103,1,'spp_defrag: Fragmentation Overflow Detected'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (103,2,'spp_defrag: Stale Fragments Discarded'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (104,1,'spp_anomsensor: SPADE Anomaly Threshold Exceeded'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (104,2,'spp_anomsensor: SPADE Anomaly Threshold Adjusted'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (105,1,'spp_bo: Back Orifice Traffic Detected'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (105,2,'spp_bo: Back Orifice Client Traffic Detected'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (105,3,'spp_bo: Back Orifice Server Traffic Detected'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (105,4,'spp_bo: Back Orifice Snort Buffer Attack'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (106,1,'spp_rpc_decode: Fragmented RPC Records'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (106,2,'spp_rpc_decode: Multiple Records in one packet'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (106,3,'spp_rpc_decode: Large RPC Record Fragment'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (106,4,'spp_rpc_decode: Incomplete RPC segment'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (106,5,'spp_rpc_decode: Zero-length RPC Fragment'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (110,1,'spp_unidecode: CGI NULL Attack'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (110,2,'spp_unidecode: Directory Traversal'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (110,3,'spp_unidecode: Unknown Mapping'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (110,4,'spp_unidecode: Invalid Mapping'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (111,1,'spp_stream4: Stealth Activity Detected'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (111,2,'spp_stream4: Evasive Reset Packet'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (111,3,'spp_stream4: Retransmission'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (111,4,'spp_stream4: Window Violation'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (111,5,'spp_stream4: Data on SYN Packet'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (111,6,'spp_stream4: Full XMAS Stealth Scan'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (111,7,'spp_stream4: SAPU Stealth Scan'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (111,8,'spp_stream4: FIN Stealth Scan'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (111,9,'spp_stream4: NULL Stealth Scan'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (111,10,'spp_stream4: NMAP XMAS Stealth Scan'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (111,11,'spp_stream4: VECNA Stealth Scan'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (111,12,'spp_stream4: NMAP Fingerprint Stateful Detection'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (111,13,'spp_stream4: SYN FIN Stealth Scan'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (111,14,'spp_stream4: TCP forward overlap detected'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (111,15,'spp_stream4: TTL Evasion attempt'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (111,16,'spp_stream4: Evasive retransmitited data attempt'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (111,17,'spp_stream4: Evasive retransmitited data with the data split attempt'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (111,18,'spp_stream4: Multiple acked'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (111,19,'spp_stream4: Shifting to Emegency Session Mode'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (111,20,'spp_stream4: Shifting to Suspend Mode'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (111,21,'spp_stream4: TCP Timestamp option has value of zero'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (111,22,'spp_stream4: Too many overlapping TCP packets'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (111,23,'spp_stream4: Packet in established TCP stream missing ACK'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (112,1,'spp_arpspoof: Directed ARP Request'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (112,2,'spp_arpspoof: Etherframe ARP Mismatch SRC'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (112,3,'spp_arpspoof: Etherframe ARP Mismatch DST'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (112,4,'spp_arpspoof: ARP Cache Overwrite Attack'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (113,1,'spp_frag2: Oversized Frag'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (113,2,'spp_frag2: Teardrop/Fragmentation Overlap Attack'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (113,3,'spp_frag2: TTL evasion detected'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (113,4,'spp_frag2: overlap detected'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (113,5,'spp_frag2: Duplicate first fragments'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (113,6,'spp_frag2: memcap exceeded'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (113,7,'spp_frag2: Out of order fragments'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (113,8,'spp_frag2: IP Options on Fragmented Packet'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (113,9,'spp_frag2: Shifting to Emegency Session Mode'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (113,10,'spp_frag2: Shifting to Suspend Mode'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (114,1,'spp_fnord: Possible Mutated GENERIC NOP Sled detected'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (114,2,'spp_fnord: Possible Mutated IA32 NOP Sled detected'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (114,3,'spp_fnord: Possible Mutated HPPA NOP Sled detected'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (114,4,'spp_fnord: Possible Mutated SPARC NOP Sled detected'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (115,1,'spp_asn1: Indefinite ASN.1 length encoding'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (115,2,'spp_asn1: Invalid ASN.1 length encoding'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (115,3,'spp_asn1: ASN.1 oversized item, possible overflow'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (115,4,'spp_asn1: ASN.1 spec violation, possible overflow'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (115,5,'spp_asn1: ASN.1 Attack: Datum length > packet length'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (116,1,'snort_decoder: Not IPv4 datagram!'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (116,2,'snort_decoder: WARNING: Not IPv4 datagram!'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (116,3,'snort_decoder: WARNING: hlen < IP_HEADER_LEN!'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (116,4,'snort_decoder: Bad IPv4 Options'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (116,5,'snort_decoder: Truncated IPv4 Options'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (116,45,'snort_decoder: TCP packet len is smaller than 20 bytes!'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (116,46,'snort_decoder: TCP Data Offset is less than 5!'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (116,47,'snort_decoder: TCP Data Offset is longer than payload!'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (116,54,'snort_decoder: Tcp Options found with bad lengths'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (116,55,'snort_decoder: Truncated Tcp Options'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (116,56,'snort_decoder: T/TCP Detected'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (116,57,'snort_decoder: Obsolete TCP options'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (116,58,'snort_decoder: Experimental TCP options'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (116,95,'snort_decoder: Truncated UDP Header!'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (116,96,'snort_decoder: Invalid UDP header, length field < 8'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (116,97,'snort_decoder: Short UDP packet, length field > payload length'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (116,105,'snort_decoder: ICMP Header Truncated!'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (116,106,'snort_decoder: ICMP Timestamp Header Truncated!'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (116,107,'snort_decoder: ICMP Address Header Truncated!'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (116,108,'snort_decoder: Unknown Datagram decoding problem!'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (116,109,'snort_decoder: Truncated ARP Packet!'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (116,110,'snort_decoder: Truncated EAP Header!'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (116,111,'snort_decoder: EAP Key Truncated!'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (116,112,'snort_decoder: EAP Header Truncated!'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (116,120,'snort_decoder: WARNING: Bad PPPOE frame detected!'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (116,130,'snort_decoder: WARNING: Bad VLAN Frame!'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (116,131,'snort_decoder: WARNING: Bad LLC header!'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (116,132,'snort_decoder: WARNING: Bad Extra LLC Info!'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (116,133,'snort_decoder: WARNING: Bad 802.11 LLC header!'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (116,134,'snort_decoder: WARNING: Bad 802.11 Extra LLC Info!'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (116,140,'snort_decoder: WARNING: Bad Token Ring Header!'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (116,141,'snort_decoder: WARNING: Bad Token Ring ETHLLC Header!'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (116,142,'snort_decoder: WARNING: Bad Token Ring MRLEN Header!'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (116,143,'snort_decoder: WARNING: Bad Token Ring MR Header!'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (116,150,'snort_decoder: Bad Traffic Loopback IP!'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (116,151,'snort_decoder: Bad Traffic Same Src/Dst IP!'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (117,1,'spp_portscan2: Portscan detected!'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (118,1,'spp_conversation: Bad IP protocol!'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (119,1,'http_inspect: ASCII ENCODING'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (119,2,'http_inspect: DOUBLE DECODING ATTACK'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (119,3,'http_inspect: U ENCODING'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (119,4,'http_inspect: BARE BYTE UNICODE ENCODING'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (119,5,'http_inspect: BASE36 ENCODING'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (119,6,'http_inspect: UTF-8 ENCODING'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (119,7,'http_inspect: IIS UNICODE CODEPOINT ENCODING'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (119,8,'http_inspect: MULTI_SLASH ENCODING'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (119,9,'http_inspect: IIS BACKSLASH EVASION'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (119,10,'http_inspect: SELF DIRECTORY TRAVERSAL'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (119,11,'http_inspect: DIRECTORY TRAVERSAL'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (119,12,'http_inspect: APACHE WHITESPACE (TAB)'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (119,13,'http_inspect: NON-RFC HTTP DELIMITER'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (119,14,'http_inspect: NON-RFC DEFINED CHAR'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (119,15,'http_inspect: OVERSIZE REQUEST-URI DIRECTORY'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (119,16,'http_inspect: OVERSIZE CHUNK ENCODING'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (119,17,'http_inspect: UNAUTHORIZED PROXY USE DETECTED'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (119,18,'http_inspect: WEBROOT DIRECTORY TRAVERSAL'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (120,1,'http_inspect: ANOMALOUS HTTP SERVER ON UNDEFINED HTTP PORT'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (121,1,'flow-portscan: Fixed Scale Scanner Limit Exceeded'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (121,2,'flow-portscan: Sliding Scale Scanner Limit Exceeded'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (121,3,'flow-portscan: Fixed Scale Talker Limit Exceeded'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (121,4,'flow-portscan: Sliding Scale Talker Limit Exceeded'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (122,1,'portscan: TCP Portscan'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (122,2,'portscan: TCP Decoy Portscan'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (122,3,'portscan: TCP Portsweep'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (122,4,'portscan: TCP Distributed Portscan'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (122,5,'portscan: TCP Filtered Portscan'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (122,6,'portscan: TCP Filtered Decoy Portscan'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (122,7,'portscan: TCP Filtered Portsweep'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (122,8,'portscan: TCP Filtered Distributed Portscan'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (122,9,'portscan: IP Protocol Scan'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (122,10,'portscan: IP Decoy Protocol Scan'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (122,11,'portscan: IP Protocol Sweep'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (122,12,'portscan: IP Distributed Protocol Scan'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (122,13,'portscan: IP Filtered Protocol Scan'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (122,14,'portscan: IP Filtered Decoy Protocol Scan'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (122,15,'portscan: IP Filtered Protocol Sweep'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (122,16,'portscan: IP Filtered Distributed Protocol Scan'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (122,17,'portscan: UDP Portscan'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (122,18,'portscan: UDP Decoy Portscan'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (122,19,'portscan: UDP Portsweep'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (122,20,'portscan: UDP Distributed Portscan'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (122,21,'portscan: UDP Filtered Portscan'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (122,22,'portscan: UDP Filtered Decoy Portscan'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (122,23,'portscan: UDP Filtered Portsweep'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (122,24,'portscan: UDP Filtered Distributed Portscan'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (122,25,'portscan: ICMP Sweep'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (122,26,'portscan: ICMP Filtered Sweep'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (122,27,'portscan: Open Port'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (123,1,'frag3: IP Options on fragmented packet'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (123,2,'frag3: Teardrop attack'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (123,3,'frag3: Short fragment, possible DoS attempt'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (123,4,'frag3: Fragment packet ends after defragmented packet'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (123,5,'frag3: Zero-byte fragment'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (123,6,'frag3: Bad fragment size, packet size is negative'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (123,7,'frag3: Bad fragment size, packet size is greater than 65536'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (123,8,'frag3: Fragmentation overlap'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (124,1,'smtp: Attempted command buffer overflow'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (124,2,'smtp: Attempted data header buffer overflow'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (124,3,'smtp: Attempted response buffer overflow'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (124,4,'smtp: Attempted specific command buffer overflow'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (124,5,'smtp: Unknown command'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (124,6,'smtp: Illegal command'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (125,1,'ftp_pp: Telnet command on FTP command channel'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (125,2,'ftp_pp: Invalid FTP command'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (125,3,'ftp_pp: FTP parameter length overflow'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (125,4,'ftp_pp: FTP malformed parameter'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (125,5,'ftp_pp: Possible string format attempt in FTP command/parameter'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (125,6,'ftp_pp: FTP response length overflow'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (125,7,'ftp_pp: FTP command channel encrypted'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (125,8,'ftp_pp: FTP bounce attack'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (126,1,'telnet_pp: Telnet consecutive AYT overflow'); INSERT INTO snort_generator(s_generator_id,s_generator_alertid,s_generator_message) VALUES (126,2,'telnet_pp: Telnet data encrypted'); -- It is necessary to insert the empty records due to the fk constraint -- If an invalid packet is sent, we do not want to prevent it from being -- logged. INSERT INTO snort_option_ipv4 (s_option_ipv4_copy,s_option_ipv4_class,s_option_ipv4_code,s_option_ipv4_value,s_option_ipv4_name,s_option_ipv4_desc,s_option_ipv4_ref_id) VALUES (0,0,0,0,'EOOL','End of Options List',null); INSERT INTO snort_option_ipv4 (s_option_ipv4_copy,s_option_ipv4_class,s_option_ipv4_code,s_option_ipv4_value,s_option_ipv4_name,s_option_ipv4_desc,s_option_ipv4_ref_id) VALUES (0,0,1,1,'NOP','No Operation',null); INSERT INTO snort_option_ipv4 (s_option_ipv4_copy,s_option_ipv4_class,s_option_ipv4_code,s_option_ipv4_value,s_option_ipv4_name,s_option_ipv4_desc,s_option_ipv4_ref_id) VALUES (1,0,2,130,'SEC','Security',null); INSERT INTO snort_option_ipv4 (s_option_ipv4_copy,s_option_ipv4_class,s_option_ipv4_code,s_option_ipv4_value,s_option_ipv4_name,s_option_ipv4_desc,s_option_ipv4_ref_id) VALUES (1,0,3,131,'LSR','Loose Source Route',null); INSERT INTO snort_option_ipv4 (s_option_ipv4_copy,s_option_ipv4_class,s_option_ipv4_code,s_option_ipv4_value,s_option_ipv4_name,s_option_ipv4_desc,s_option_ipv4_ref_id) VALUES (0,2,4,68,'TS','Time Stamp',null); INSERT INTO snort_option_ipv4 (s_option_ipv4_copy,s_option_ipv4_class,s_option_ipv4_code,s_option_ipv4_value,s_option_ipv4_name,s_option_ipv4_desc,s_option_ipv4_ref_id) VALUES (1,0,5,133,'E-SEC','Extended Security',null); INSERT INTO snort_option_ipv4 (s_option_ipv4_copy,s_option_ipv4_class,s_option_ipv4_code,s_option_ipv4_value,s_option_ipv4_name,s_option_ipv4_desc,s_option_ipv4_ref_id) VALUES (1,0,6,134,'CIPSO','Commercial Security',null); INSERT INTO snort_option_ipv4 (s_option_ipv4_copy,s_option_ipv4_class,s_option_ipv4_code,s_option_ipv4_value,s_option_ipv4_name,s_option_ipv4_desc,s_option_ipv4_ref_id) VALUES (0,0,7,7,'RR','Record Route',null); INSERT INTO snort_option_ipv4 (s_option_ipv4_copy,s_option_ipv4_class,s_option_ipv4_code,s_option_ipv4_value,s_option_ipv4_name,s_option_ipv4_desc,s_option_ipv4_ref_id) VALUES (1,0,8,136,'SID','Stream ID',null); INSERT INTO snort_option_ipv4 (s_option_ipv4_copy,s_option_ipv4_class,s_option_ipv4_code,s_option_ipv4_value,s_option_ipv4_name,s_option_ipv4_desc,s_option_ipv4_ref_id) VALUES (1,0,9,137,'SSR','Strict Source Route',null); INSERT INTO snort_option_ipv4 (s_option_ipv4_copy,s_option_ipv4_class,s_option_ipv4_code,s_option_ipv4_value,s_option_ipv4_name,s_option_ipv4_desc,s_option_ipv4_ref_id) VALUES (0,0,10,10,'ZSU','Experimental Measurement',null); INSERT INTO snort_option_ipv4 (s_option_ipv4_copy,s_option_ipv4_class,s_option_ipv4_code,s_option_ipv4_value,s_option_ipv4_name,s_option_ipv4_desc,s_option_ipv4_ref_id) VALUES (0,0,11,11,'MTUP','MTU Probe',null); INSERT INTO snort_option_ipv4 (s_option_ipv4_copy,s_option_ipv4_class,s_option_ipv4_code,s_option_ipv4_value,s_option_ipv4_name,s_option_ipv4_desc,s_option_ipv4_ref_id) VALUES (0,0,12,12,'MTUR','MTU Reply',null); INSERT INTO snort_option_ipv4 (s_option_ipv4_copy,s_option_ipv4_class,s_option_ipv4_code,s_option_ipv4_value,s_option_ipv4_name,s_option_ipv4_desc,s_option_ipv4_ref_id) VALUES (1,2,13,205,'FINN','Experimental Flow Control',null); INSERT INTO snort_option_ipv4 (s_option_ipv4_copy,s_option_ipv4_class,s_option_ipv4_code,s_option_ipv4_value,s_option_ipv4_name,s_option_ipv4_desc,s_option_ipv4_ref_id) VALUES (1,0,14,142,'VISA','Expermental Access Control',null); INSERT INTO snort_option_ipv4 (s_option_ipv4_copy,s_option_ipv4_class,s_option_ipv4_code,s_option_ipv4_value,s_option_ipv4_name,s_option_ipv4_desc,s_option_ipv4_ref_id) VALUES (0,0,15,15,'ENCODE','???',null); INSERT INTO snort_option_ipv4 (s_option_ipv4_copy,s_option_ipv4_class,s_option_ipv4_code,s_option_ipv4_value,s_option_ipv4_name,s_option_ipv4_desc,s_option_ipv4_ref_id) VALUES (1,0,16,144,'IMITD','IMI Traffic Descriptor',null); INSERT INTO snort_option_ipv4 (s_option_ipv4_copy,s_option_ipv4_class,s_option_ipv4_code,s_option_ipv4_value,s_option_ipv4_name,s_option_ipv4_desc,s_option_ipv4_ref_id) VALUES (1,0,17,145,'EIP','Extended Internet Protocol',null); INSERT INTO snort_option_ipv4 (s_option_ipv4_cop... [truncated message content] |
From: Axton G. <axt...@gm...> - 2006-08-28 02:45:56
|
Kevin Johnson wrote: > > On Aug 26, 2006, at 9:31 PM, Axton Grams wrote: > >> To follow up, it seems there are lots of issues storing more than 64 >> bits of information in a single column; for example, many of the string >> functions are only capable of functioning against 64-bits (BIN, HEX, >> CONV, FORMAT). After trying to store and retrieve 128 bit values using >> mysql, well, I'll let the results speak for themselves: >> >> Snip > >> What do you think? Should be portable across databases (64-bit unsigned >> integer), should allow the sorting and grouping as is done with ipv4 >> today, and does not waste any storage. Could even enable us to group on >> network and address for ipv6 traffic, which may be useful. >> >> Axton Grams > > Hi- > > I can't tell you why it is happening, but your solution makes sense. > One point > here to remember is that Snort does not yet support IPv6, so I while we need > to plan ahead, we can't let this hold us up. What you are building > looks good. > I plan on trying to review it in detail over the next few days and > should be > able to then discuss it in particulars. > > Thanks > Kevin > --------------------- > GCIA, GCIH, CEH > BASE Project Lead > http://base.secureideas.net > The next step in IDS analysis! > > > Focusing on the things that are available in snort, would it be useful to log all the different types of protocols that decode.h handles? Currently, tcp, ipv4, udp, and icmp headers/options (where applicable) are all logged to separate tables, but there are many others that decode.h defines (asterisk denotes the types that are decoded and logged independently of the payload today): typedef struct _Trh_llc typedef struct _Trh_mr typedef struct _Trh_hdr typedef struct _Fddi_hdr typedef struct _Fddi_llc_saps typedef struct _Fddi_llc_sna typedef struct _Fddi_llc_other typedef struct _Fddi_llc_iparp typedef struct _SLLHdr { typedef struct _OldPflog_hdr typedef struct _Pflog_hdr typedef struct _VlanTagHdr typedef struct _EthLlc typedef struct _EthLlcOther typedef struct _EtherHdr typedef struct _WifiHdr * typedef struct _IPHdr * typedef struct _TCPHdr * typedef struct _UDPHdr * typedef struct _ICMPHdr typedef struct _ARPHdr typedef struct _EtherARP typedef struct _EtherEapol typedef struct _EAPHdr typedef struct _EapolKey * typedef struct _Options typedef struct _PPPoEHdr typedef struct _PPPoE_Tag typedef struct _HttpUri typedef struct _Packet typedef struct s_pseudoheader typedef struct _DecoderFlags typedef struct _PortList Seems like some of these would be useful for presentation, similar to the way the tcp header data is stored, and subsequently rendered, for tcp packets. An example: /* * Wireless Header (IEEE 802.11) */ typedef struct _WifiHdr { u_int16_t frame_control; u_int16_t duration_id; u_int8_t addr1[6]; u_int8_t addr2[6]; u_int8_t addr3[6]; u_int16_t seq_control; u_int8_t addr4[6]; } WifiHdr; To illustrate the value, the first 8 bits of the frame control value defines the following: b0-1 protocol version b2-3 type (management, control, data, etc.) b4-7 subtype (association request, authentication) typedef struct _ARPHdr { u_int16_t ar_hrd; /* format of hardware address */ u_int16_t ar_pro; /* format of protocol address */ u_int8_t ar_hln; /* length of hardware address */ u_int8_t ar_pln; /* length of protocol address */ u_int16_t ar_op; /* ARP opcode (command) */ } ARPHdr; Axton Grams |
From: Michael S. <ms...@ma...> - 2006-11-30 13:13:00
|
On Sat, Aug 26, 2006 at 10:52:15AM -0400, Axton Grams wrote: >> Would it be possible to covert the hex pairing to decimal and store it as a >> numeric entry. I have had some problems with ipv4 and ipv6 stored as varchar. >> A quick conversion program can display it in the readable format. >> >If it is possible, I'm not seeing how. Here are the numeric data types >for mysql: The database schema for something that hasn't even been implemented yet in snort should certainly not be constrained by the limitations of one database. It is better to not worry about ipv6 than to get locked into a bad approach. Mike Stone |
From: GaRaGeD S. <ga...@gm...> - 2006-11-30 14:16:54
|
On 11/30/06, Michael Stone <ms...@ma...> wrote: > > On Sat, Aug 26, 2006 at 10:52:15AM -0400, Axton Grams wrote: > >> Would it be possible to covert the hex pairing to decimal and store it > as a > >> numeric entry. I have had some problems with ipv4 and ipv6 stored as > varchar. > >> A quick conversion program can display it in the readable format. > >> > >If it is possible, I'm not seeing how. Here are the numeric data types > >for mysql: > > The database schema for something that hasn't even been implemented yet > in snort should certainly not be constrained by the limitations of one > database. It is better to not worry about ipv6 than to get locked into a > bad approach. I agree with Mike We should try to design a portable/flexible system as much as we can, if something new is implemented in snort then a good system will handle it easy enough (i hope :). As soon as we have the plugin I will start working on the templating, but I'm not sure which branch should I take, currently the work is done over the "official" branch, shouldn't we be starting from scratch to be able to design it better ? Max -- -----BEGIN GEEK CODE BLOCK----- Version: 3.12 GS/S d- s: a-29 C++(+++) ULAHI+++ P+ L++>+++ E--- W++ N* o-- K- w++++ O- M-- V-- PS+ PE Y-- PGP++ t- 5- X+ R tv++ b+ DI+++ D- G++ e++ h+ r+ z** ------END GEEK CODE BLOCK------ |
From: Kevin J. <kjo...@se...> - 2006-11-30 14:26:17
Attachments:
PGP.sig
|
On Nov 30, 2006, at 8:51 AM, GaRaGeD Style wrote: > snip..... > As soon as we have the plugin I will start working on the > templating, but I'm not sure which branch should I take, currently > the work is done over the "official" branch, shouldn't we be > starting from scratch to be able to design it better ? > The branch would be the base project in CVS. The base-php4 is the current 1.x code train and base will be the 2.x code train. That way we get a clean slate to run with... Kevin Kevin Johnson GCIA, GCIH, CISSP, CEH Principal Consultant Secure Ideas http://www.secureideas.net |
From: Kevin J. <kjo...@se...> - 2006-11-30 14:24:44
|
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Nov 30, 2006, at 8:12 AM, Michael Stone wrote: > On Sat, Aug 26, 2006 at 10:52:15AM -0400, Axton Grams wrote: >>> Would it be possible to covert the hex pairing to decimal and >>> store it as a >>> numeric entry. I have had some problems with ipv4 and ipv6 stored >>> as varchar. >>> A quick conversion program can display it in the readable format. >>> >> If it is possible, I'm not seeing how. Here are the numeric data >> types >> for mysql: > > The database schema for something that hasn't even been implemented > yet > in snort should certainly not be constrained by the limitations of one > database. It is better to not worry about ipv6 than to get locked > into a > bad approach. > I agree completely. Lets not worry about IPv6 and just make sure that when Snort supports it, we can go look at it. Kevin Kevin Johnson GCIA, GCIH, CISSP, CEH Principal Consultant Secure Ideas -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (Darwin) iD8DBQFFbuml9gxbZzzrqlsRAt59AJ9J9tEErVNGIQHR+iwvw327IG8G2wCdHfjH iUUyGn1MrMxnZO3CnPOW8PA= =LV1B -----END PGP SIGNATURE----- |
From: Axton <axt...@gm...> - 2006-12-01 00:56:55
|
This works for me. We can cross the ipv6 bridge when we come to it. Worst case, a db conversion script will be required to juggle data/alter tables to handle the additional/differently formatted data. In thinking about the various header types that are decoded by snort, it seems that the most logical place to reproduce the decode activity would be in the logging mechanism. This allows a few things to happen: - snort is not slowed down by trying to write additional data through the unified logger - the header data is available in the db for the base to query - base does not have the additional code execution burden of parsing the packets - data sanitization can occurr before the data is ever presented in the web application Axton Grams On 11/30/06, Kevin Johnson <kjo...@se...> wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On Nov 30, 2006, at 8:12 AM, Michael Stone wrote: > > > On Sat, Aug 26, 2006 at 10:52:15AM -0400, Axton Grams wrote: > >>> Would it be possible to covert the hex pairing to decimal and > >>> store it as a > >>> numeric entry. I have had some problems with ipv4 and ipv6 stored > >>> as varchar. > >>> A quick conversion program can display it in the readable format. > >>> > >> If it is possible, I'm not seeing how. Here are the numeric data > >> types > >> for mysql: > > > > The database schema for something that hasn't even been implemented > > yet > > in snort should certainly not be constrained by the limitations of one > > database. It is better to not worry about ipv6 than to get locked > > into a > > bad approach. > > > > I agree completely. Lets not worry about IPv6 and just make sure > that when Snort > supports it, we can go look at it. > > Kevin > > Kevin Johnson GCIA, GCIH, CISSP, CEH > Principal Consultant > Secure Ideas > > > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.5 (Darwin) > > iD8DBQFFbuml9gxbZzzrqlsRAt59AJ9J9tEErVNGIQHR+iwvw327IG8G2wCdHfjH > iUUyGn1MrMxnZO3CnPOW8PA= > =LV1B > -----END PGP SIGNATURE----- > > ------------------------------------------------------------------------- > Take Surveys. Earn Cash. Influence the Future of IT > Join SourceForge.net's Techsay panel and you'll get the chance to share > your > opinions on IT & business topics through brief surveys - and earn cash > http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV > _______________________________________________ > Secureideas-base-devel mailing list > Sec...@li... > https://lists.sourceforge.net/lists/listinfo/secureideas-base-devel > |
From: Jason <sec...@br...> - 2006-12-01 03:38:25
|
What decodes would be most interesting? I would like to see the printable string data stored in addition to raw payload. I would be happy to make a db output for the new schema when it is complete using SnortUnified.pm Axton wrote: > This works for me. We can cross the ipv6 bridge when we come to it. > Worst case, a db conversion script will be required to juggle data/alter > tables to handle the additional/differently formatted data. > > In thinking about the various header types that are decoded by snort, it > seems that the most logical place to reproduce the decode activity would > be in the logging mechanism. This allows a few things to happen: > - snort is not slowed down by trying to write additional data through > the unified logger > - the header data is available in the db for the base to query > - base does not have the additional code execution burden of parsing the > packets > - data sanitization can occurr before the data is ever presented in the > web application > > Axton Grams > > On 11/30/06, *Kevin Johnson* <kjo...@se... > <mailto:kjo...@se...>> wrote: > > On Nov 30, 2006, at 8:12 AM, Michael Stone wrote: > >> On Sat, Aug 26, 2006 at 10:52:15AM -0400, Axton Grams wrote: >>>> Would it be possible to covert the hex pairing to decimal and >>>> store it as a >>>> numeric entry. I have had some problems with ipv4 and ipv6 stored >>>> as varchar. >>>> A quick conversion program can display it in the readable format. >>>> >>> If it is possible, I'm not seeing how. Here are the numeric data >>> types >>> for mysql: > >> The database schema for something that hasn't even been implemented >> yet >> in snort should certainly not be constrained by the limitations of one >> database. It is better to not worry about ipv6 than to get locked >> into a >> bad approach. > > > I agree completely. Lets not worry about IPv6 and just make sure > that when Snort > supports it, we can go look at it. > > Kevin > > Kevin Johnson GCIA, GCIH, CISSP, CEH > Principal Consultant > Secure Ideas > > > ------------------------------------------------------------------------- Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys - and earn cash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV <http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV> _______________________________________________ Secureideas-base-devel mailing list Sec...@li... <mailto:Sec...@li...> https://lists.sourceforge.net/lists/listinfo/secureideas-base-devel > ------------------------------------------------------------------------ > ------------------------------------------------------------------------- > Take Surveys. Earn Cash. Influence the Future of IT > Join SourceForge.net's Techsay panel and you'll get the chance to share your > opinions on IT & business topics through brief surveys - and earn cash > http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV > ------------------------------------------------------------------------ > _______________________________________________ > Secureideas-base-devel mailing list > Sec...@li... > https://lists.sourceforge.net/lists/listinfo/secureideas-base-devel |