On 12/3/06, Kevin Johnson <kjohnson@secureideas.net> wrote:

Hi-

Ok, I am in the process of trying to morph the schema and rewrite the db output plugin so that we can get some populated databases to test against. But I have some questions....

What are the snort_option_ipv4 and snort_option_tcp tables for? I see where they relate over to the other tables but I don't see where they would get populated and what we would use them for? I am assuming that I am just missing something?

Thanks
Kevin

The tables that are prefixed with "snort_option_" are used to store reference data.  Reference data is defined as "data provided by an rfc or ietf group" and is mostly static in content. 

The usefulness of this data includes:
- during the presentation of data in applications (e.g., base), reference data can be provided in addition to actual raw data (packet).  In the case of the snort_option_ipv4, let us say that tcp header options 1 through 24 are set to various values; this supporting data will allow the application to present a code/name for each of the header options.
- during the querying of data, say you want to search for tcp packets that have the 'Security' header option set (option number 2), the application can use the data in the supporting tables to drive menus that present "code-name" values.  Just friendlier to look at.

In the examples presented above, the snort_option_ipv4 options were used.  A reference of the various values can be found at http://www.iana.org/assignments/ip-parameters .

The concept is to store common data that can drive the presentation of information and assist in the manipulation of information (searching, etc.).

Axton Grams
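An added illustration of the reference-table idea described in the reply above (example code written for this page, not part of the thread or of the Snort schema). The column names of snort_option_ipv4, the packet_ipv4_option table and the packet rows are assumptions; the option numbers and names are the RFC 791 subset from the IANA ip-parameters registry.

```python
"""Added example: a static "snort_option_" reference table driving both the
presentation of raw option numbers and a friendly-name search (sqlite, in memory)."""
import sqlite3

# Subset of IANA IP option numbers (RFC 791): static reference data, loaded once.
IPV4_OPTIONS = [
    (0, "EOOL", "End of Options List"),
    (1, "NOP", "No Operation"),
    (2, "SEC", "Security"),
    (3, "LSR", "Loose Source Route"),
    (4, "TS", "Time Stamp"),
    (7, "RR", "Record Route"),
    (9, "SSR", "Strict Source Route"),
]

# Constructed sample rows (hypothetical table): (packet id, option number carried).
# Packet 3 carries a number that is not in the reference subset on purpose.
PACKET_OPTIONS = [(1, 1), (1, 2), (2, 7), (3, 30)]


def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE snort_option_ipv4 (option_number INTEGER PRIMARY KEY,
                                        code TEXT NOT NULL, name TEXT NOT NULL);
        CREATE TABLE packet_ipv4_option (packet_id INTEGER, option_number INTEGER);
    """)
    db.executemany("INSERT INTO snort_option_ipv4 VALUES (?, ?, ?)", IPV4_OPTIONS)
    db.executemany("INSERT INTO packet_ipv4_option VALUES (?, ?)", PACKET_OPTIONS)
    return db


def describe_packet(db, packet_id):
    """Presentation use: raw option numbers joined to their code/name.
    LEFT JOIN keeps numbers missing from the reference data visible."""
    rows = db.execute("""
        SELECT p.option_number, COALESCE(r.code, '?'), COALESCE(r.name, 'unknown option')
        FROM packet_ipv4_option p
        LEFT JOIN snort_option_ipv4 r ON r.option_number = p.option_number
        WHERE p.packet_id = ? ORDER BY p.option_number""", (packet_id,))
    return [tuple(r) for r in rows]


def packets_with_option(db, name):
    """Search use: the menu offers the friendly name; the join resolves the number."""
    rows = db.execute("""
        SELECT DISTINCT p.packet_id FROM packet_ipv4_option p
        JOIN snort_option_ipv4 r ON r.option_number = p.option_number
        WHERE r.name = ? ORDER BY p.packet_id""", (name,))
    return [r[0] for r in rows]
```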