RE: [Sguil-devel] Database schema changes
Status: Beta
Brought to you by:
bamm
Menu
▾
▴
RE: [Sguil-devel] Database schema changes
|
From: Steve H. <sha...@33...> - 2003-05-06 18:48:39
|
I am not saying to change the sensor to a sid, I am saying to change the ip address of a sensor in the sensor table from TEXT to INT. > > Well, if you change the sensor to a sid, then you also have > to modify sguild. spp_portscan only knows the 'sensorname' > because it is provided as an arg to the preproc on init > (preprocessor portscan: $HOME_NET 4 3 </path/to/portscandir> > <sensorname>). So, sguild would have to prepend the sensorID > to each line in the portscan file prior to loading it into > the DB (look at proc RcvSsnFile in sguild, as we are > prepending the sid there). This would probably better > handled by creating a sensor->sid map on init rather than > querying the DB for the info constantly. spp_portscan would > also need to be modifed to not output the sensorname when it > writes each line. > > I guess we need to decide whether the space savings of using > sid vs sensorname is worth the CPU involved in prepending the > sid to each line to be loaded in the DB. > > Bammkkkk > > On Tue, May 06, 2003 at 12:24:44PM -0500, Steve Halligan wrote: > > ok. Although it is a teeny tiny table, can I change the sensor one? > > Just to be consistant. > > > > > -----Original Message----- > > > From: Bamm Visscher [mailto:ba...@sa...] > > > Sent: Tuesday, May 06, 2003 12:21 PM > > > To: sgu...@li... > > > Cc: sha...@33... > > > Subject: Re: [Sguil-devel] Database schema changes > > > > > > > > > Lets leave the portscan stuff as is for now. To change them > > > would require a mode to the spp_portscan code. > > > > > > Bammkkkk > > > > > ------------------------------------------------------- > Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara > The only event dedicated to issues related to Linux > enterprise solutions > www.enterpriselinuxforum.com > > _______________________________________________ > Sguil-devel mailing list > Sgu...@li... > https://lists.sourceforge.net/lists/listinfo/sguil-devel > |