Snort database initial schema [reposted]

ACID: Database (v100-103) ER Diagram


Snort (and other devices) log to the database using the following schema:

 

[Figure: Snort 1.8 (DB v100-103) and ACID 0.9.6b10 Database ER diagram]

 

+------------------+---------------+---------------------------------------------------------------------------+
| Table            | Component     | Description                                                               |
+------------------+---------------+---------------------------------------------------------------------------+
| schema           | Snort         | Self-documented information about the database                            |
| sensor           | Snort         | Sensor name                                                               |
| event            | Snort         | Meta-data about the detected alert                                        |
| signature        | Snort         | Normalized listing of alert/signature names, priorities, and revision IDs |
| sig_reference    | Snort         | Reference information for a signature                                     |
| reference        | Snort         | Reference IDs for a signature                                             |
| reference_system | Snort         | (lookup table) Reference system list                                      |
| sig_class        | Snort         | Normalized listing of alert/signature classifications                     |
| data             | Snort         | Contents of packet payload                                                |
| iphdr            | Snort         | IP protocol fields                                                        |
| tcphdr           | Snort         | TCP protocol fields                                                       |
| udphdr           | Snort         | UDP protocol fields                                                       |
| icmphdr          | Snort         | ICMP protocol fields                                                      |
| opt              | Snort         | IP and TCP options                                                        |
| detail           | Snort         | (lookup table) Level of detail with which a sensor is logging             |
| encoding         | Snort         | (lookup table) Type of encoding used for the packet payload               |
| protocols        | SnortDB extra | (lookup table) Layer-4 (IP encoded) protocol list                         |
| services         | SnortDB extra | (lookup table) TCP and UDP service list                                   |
| flags            | SnortDB extra | (lookup table) TCP flag list                                              |
| acid_ag          | ACID          | Meta-data for alert groups                                                |
| acid_ag_alert    | ACID          | Alerts in each alert group                                                |
| acid_ip_cache    | ACID          | Cached DNS and whois information                                          |
+------------------+---------------+---------------------------------------------------------------------------+

 

 


schema


+-------+------------------+------+-----+---------------------+----------------------------------------+
| Field | Type             | Null | Key | Default             | Description                            |
+-------+------------------+------+-----+---------------------+----------------------------------------+
| vseq  | int(10) unsigned |      | PRI | 0                   | Database schema ID number (e.g. '102') |
| ctime | datetime         |      |     | 0000-00-00 00:00:00 | Timestamp of database creation time    |
+-------+------------------+------+-----+---------------------+----------------------------------------+

 


sensor


+-----------+------------------+------+-----+---------+----------------------------------------------+
| Field     | Type             | Null | Key | Default | Description                                  |
+-----------+------------------+------+-----+---------+----------------------------------------------+
| sid       | int(10) unsigned |      | PRI | NULL    | Sensor ID                                    |
| hostname  | text             | YES  |     | NULL    | Hostname of the sensor (IP if can't qualify) |
| interface | text             | YES  |     | NULL    | Network interface (e.g. eth0)                |
| filter    | text             | YES  |     | NULL    | BPF filter                                   |
| detail    | tinyint(4)       | YES  |     | NULL    | Detail level of the logging                  |
| encoding  | tinyint(4)       | YES  |     | NULL    | Encoding format of the payload               |
+-----------+------------------+------+-----+---------+----------------------------------------------+

 


event


+-----------+------------------+------+-----+---------------------+----------------------------------------+
| Field     | Type             | Null | Key | Default             | Description                            |
+-----------+------------------+------+-----+---------------------+----------------------------------------+
| sid       | int(10) unsigned |      | PRI | 0                   | Sensor ID                              |
| cid       | int(10) unsigned |      | PRI | 0                   | Event ID                               |
| signature | int(10) unsigned |      | MUL | 0                   | Signature ID                           |
| timestamp | datetime         |      | MUL | 0000-00-00 00:00:00 | Timestamp of when the event was logged |
+-----------+------------------+------+-----+---------------------+----------------------------------------+

 


signature


+--------------+------------------+------+-----+---------+-----------------------+
| Field        | Type             | Null | Key | Default | Description           |
+--------------+------------------+------+-----+---------+-----------------------+
| sig_id       | int(10) unsigned |      | PRI | NULL    | Signature ID          |
| sig_name     | varchar(255)     |      | MUL |         | Signature Name        |
| sig_class_id | int(10) unsigned | YES  | MUL | NULL    | Classification ID     |
| sig_priority | int(10) unsigned | YES  |     | NULL    | Priority              |
| sig_rev      | int(10) unsigned | YES  |     | NULL    | Revision number       |
| sig_sid      | int(10) unsigned | YES  |     | NULL    | Internal signature ID |
+--------------+------------------+------+-----+---------+-----------------------+

 


sig_reference


+---------+------------------+------+-----+---------+-------------------------------------------------+
| Field   | Type             | Null | Key | Default | Description                                     |
+---------+------------------+------+-----+---------+-------------------------------------------------+
| sig_id  | int(10) unsigned |      | PRI | 0       | Signature ID                                    |
| ref_seq | int(10) unsigned |      | PRI | 0       | Reference sequence number (multiple references) |
| ref_id  | int(10) unsigned |      |     | 0       | Reference ID                                    |
+---------+------------------+------+-----+---------+-------------------------------------------------+

 


reference


+---------------+------------------+------+-----+---------+--------------------------------------+
| Field         | Type             | Null | Key | Default | Description                          |
+---------------+------------------+------+-----+---------+--------------------------------------+
| ref_id        | int(10) unsigned |      | PRI | NULL    | Reference ID                         |
| ref_system_id | int(10) unsigned |      |     | 0       | Reference system ID                  |
| ref_tag       | varchar(20)      |      |     |         | Reference tag (e.g. CVE-CAN-2001-01) |
+---------------+------------------+------+-----+---------+--------------------------------------+

 


reference_system


+-----------------+------------------+------+-----+---------+----------------------------------+
| Field           | Type             | Null | Key | Default | Description                      |
+-----------------+------------------+------+-----+---------+----------------------------------+
| ref_system_id   | int(10) unsigned |      | PRI | NULL    | Reference system ID              |
| ref_system_name | varchar(20)      | YES  |     | NULL    | Reference system name (e.g. CVE) |
+-----------------+------------------+------+-----+---------+----------------------------------+

 


sig_class


+----------------+------------------+------+-----+---------+----------------------------------+
| Field          | Type             | Null | Key | Default | Description                      |
+----------------+------------------+------+-----+---------+----------------------------------+
| sig_class_id   | int(10) unsigned |      | PRI | NULL    | Signature classification ID      |
| sig_class_name | varchar(60)      |      | MUL |         | Classification name (e.g. recon) |
+----------------+------------------+------+-----+---------+----------------------------------+

 


data


+--------------+------------------+------+-----+---------+-----------------------------------------------------+
| Field        | Type             | Null | Key | Default | Description                                         |
+--------------+------------------+------+-----+---------+-----------------------------------------------------+
| sid          | int(10) unsigned |      | PRI | 0       | Sensor ID                                           |
| cid          | int(10) unsigned |      | PRI | 0       | Event ID                                            |
| data_payload | text             | YES  |     | NULL    | Packet payload encoded according to sensor.encoding |
+--------------+------------------+------+-----+---------+-----------------------------------------------------+

 


iphdr


+----------+----------------------+------+-----+---------+----------------------------------------------+
| Field    | Type                 | Null | Key | Default | Description                                  |
+----------+----------------------+------+-----+---------+----------------------------------------------+
| sid      | int(10) unsigned     |      | PRI | 0       | Sensor ID                                    |
| cid      | int(10) unsigned     |      | PRI | 0       | Event ID                                     |
| ip_src   | int(10) unsigned     |      | MUL | 0       | Source IP address (32-bit unsigned int)      |
| ip_dst   | int(10) unsigned     |      | MUL | 0       | Destination IP address (32-bit unsigned int) |
| ip_ver   | tinyint(3) unsigned  | YES  |     | NULL    | IP version                                   |
| ip_hlen  | tinyint(3) unsigned  | YES  |     | NULL    | IP Header length                             |
| ip_tos   | tinyint(3) unsigned  | YES  |     | NULL    | IP type-of-service                           |
| ip_len   | smallint(5) unsigned | YES  |     | NULL    | IP datagram length                           |
| ip_id    | smallint(5) unsigned | YES  |     | NULL    | IP ID                                        |
| ip_flags | tinyint(3) unsigned  | YES  |     | NULL    | IP flags                                     |
| ip_off   | smallint(5) unsigned | YES  |     | NULL    | IP fragment offset                           |
| ip_ttl   | tinyint(3) unsigned  | YES  |     | NULL    | IP time-to-live                              |
| ip_proto | tinyint(3) unsigned  |      |     | 0       | IP protocol                                  |
| ip_csum  | smallint(5) unsigned | YES  |     | NULL    | IP checksum                                  |
+----------+----------------------+------+-----+---------+----------------------------------------------+

 


tcphdr


+-----------+----------------------+------+-----+---------+----------------------+
| Field     | Type                 | Null | Key | Default | Description          |
+-----------+----------------------+------+-----+---------+----------------------+
| sid       | int(10) unsigned     |      | PRI | 0       | Sensor ID            |
| cid       | int(10) unsigned     |      | PRI | 0       | Event ID             |
| tcp_sport | smallint(5) unsigned |      | MUL | 0       | TCP source port      |
| tcp_dport | smallint(5) unsigned |      | MUL | 0       | TCP destination port |
| tcp_seq   | int(10) unsigned     | YES  |     | NULL    | TCP sequence number  |
| tcp_ack   | int(10) unsigned     | YES  |     | NULL    | TCP ACK number       |
| tcp_off   | tinyint(3) unsigned  | YES  |     | NULL    | TCP offset           |
| tcp_res   | tinyint(3) unsigned  | YES  |     | NULL    | TCP reserved         |
| tcp_flags | tinyint(3) unsigned  |      | MUL | 0       | TCP flags            |
| tcp_win   | smallint(5) unsigned | YES  |     | NULL    | TCP window           |
| tcp_csum  | smallint(5) unsigned | YES  |     | NULL    | TCP checksum         |
| tcp_urp   | smallint(5) unsigned | YES  |     | NULL    | TCP urgent pointer   |
+-----------+----------------------+------+-----+---------+----------------------+

 


udphdr


+-----------+----------------------+------+-----+---------+----------------------+
| Field     | Type                 | Null | Key | Default | Description          |
+-----------+----------------------+------+-----+---------+----------------------+
| sid       | int(10) unsigned     |      | PRI | 0       | Sensor ID            |
| cid       | int(10) unsigned     |      | PRI | 0       | Event ID             |
| udp_sport | smallint(5) unsigned |      | MUL | 0       | UDP source port      |
| udp_dport | smallint(5) unsigned |      | MUL | 0       | UDP destination port |
| udp_len   | smallint(5) unsigned | YES  |     | NULL    | UDP length           |
| udp_csum  | smallint(5) unsigned | YES  |     | NULL    | UDP checksum         |
+-----------+----------------------+------+-----+---------+----------------------+

 


icmphdr


+-----------+----------------------+------+-----+---------+----------------------+
| Field     | Type                 | Null | Key | Default | Description          |
+-----------+----------------------+------+-----+---------+----------------------+
| sid       | int(10) unsigned     |      | PRI | 0       | Sensor ID            |
| cid       | int(10) unsigned     |      | PRI | 0       | Event ID             |
| icmp_type | tinyint(3) unsigned  |      | MUL | 0       | ICMP type            |
| icmp_code | tinyint(3) unsigned  |      |     | 0       | ICMP code            |
| icmp_csum | smallint(5) unsigned | YES  |     | NULL    | ICMP checksum        |
| icmp_id   | smallint(5) unsigned | YES  |     | NULL    | ICMP ID              |
| icmp_seq  | smallint(5) unsigned | YES  |     | NULL    | ICMP sequence number |
+-----------+----------------------+------+-----+---------+----------------------+

 


opt


+-----------+---------------------+------+-----+---------+----------------------------------------+
| Field     | Type                | Null | Key | Default | Description                            |
+-----------+---------------------+------+-----+---------+----------------------------------------+
| sid       | int(10) unsigned    |      | PRI | 0       | Sensor ID                              |
| cid       | int(10) unsigned    |      | PRI | 0       | Event ID                               |
| optid     | int(10) unsigned    |      | PRI | 0       | Option ID (multiple options per alert) |
| opt_proto | tinyint(3) unsigned |      |     | 0       | Option protocol (IP, TCP)              |
| opt_code  | tinyint(3) unsigned |      |     | 0       | Option code                            |
| opt_len   | smallint(6)         | YES  |     | NULL    | Option length                          |
| opt_data  | text                | YES  |     | NULL    | Option data                            |
+-----------+---------------------+------+-----+---------+----------------------------------------+

 


acid_ag


+----------+------------------+------+-----+---------+-----------------------------------+
| Field    | Type             | Null | Key | Default | Description                       |
+----------+------------------+------+-----+---------+-----------------------------------+
| ag_id    | int(10) unsigned |      | PRI | NULL    | Alert Group (AG) ID               |
| ag_name  | varchar(40)      | YES  |     | NULL    | AG name                           |
| ag_desc  | text             | YES  |     | NULL    | AG description                    |
| ag_ctime | datetime         | YES  |     | NULL    | Timestamp of AG creation time     |
| ag_ltime | datetime         | YES  |     | NULL    | Timestamp of last AG modification |
+----------+------------------+------+-----+---------+-----------------------------------+

 


acid_ag_alert


+--------+------------------+------+-----+---------+---------------------+
| Field  | Type             | Null | Key | Default | Description         |
+--------+------------------+------+-----+---------+---------------------+
| ag_id  | int(10) unsigned |      | PRI | 0       | Alert Group (AG) ID |
| ag_sid | int(10) unsigned |      | PRI | 0       | Sensor ID           |
| ag_cid | int(10) unsigned |      | PRI | 0       | Event ID            |
+--------+------------------+------+-----+---------+---------------------+

 


acid_ip_cache


+---------------------+------------------+------+-----+---------+----------------------------------+
| Field               | Type             | Null | Key | Default | Description                      |
+---------------------+------------------+------+-----+---------+----------------------------------+
| ipc_ip              | int(10) unsigned |      | PRI | 0       | IP address (32-bit unsigned int) |
| ipc_fqdn            | varchar(50)      | YES  | MUL | NULL    | FQDN                             |
| ipc_dns_timestamp   | datetime         | YES  |     | NULL    | DNS lookup timestamp             |
| ipc_whois           | text             | YES  |     | NULL    | whois information                |
| ipc_whois_timestamp | datetime         | YES  |     | NULL    | whois lookup time                |
+---------------------+------------------+------+-----+---------+----------------------------------+
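The tables above are linked by the composite (sid, cid) key: every packet-detail row (iphdr, tcphdr, udphdr, icmphdr, data, opt) belongs to exactly one event, and ip_src/ip_dst are stored as 32-bit unsigned integers while data_payload is encoded according to the owning sensor's encoding value. The following is an added example, not code from the original page or from the Snort or ACID projects, showing how an analyst joins these tables into a readable alert list. It is an assumption-laden reduction: it uses SQLite in memory instead of MySQL, creates only the columns it needs, fills the tables with constructed sample rows, and assumes the encoding lookup values 0 = hex, 1 = base64, 2 = ascii (the page lists the encoding table but not its rows; these values follow Snort's database output plugin convention and are an assumption here).

```python
import base64
import ipaddress
import sqlite3

# Assumed values for the encoding lookup table (the page does not list its rows).
ENCODING_HEX, ENCODING_BASE64, ENCODING_ASCII = 0, 1, 2

# Reduced copy of the page's schema: only the columns this example reads.
# Composite (sid, cid) primary keys follow the page.
SCHEMA_SQL = """
CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT, interface TEXT,
                     filter TEXT, detail INTEGER, encoding INTEGER);
CREATE TABLE sig_class (sig_class_id INTEGER PRIMARY KEY, sig_class_name TEXT);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT, sig_class_id INTEGER,
                        sig_priority INTEGER, sig_rev INTEGER, sig_sid INTEGER);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                    PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                    ip_proto INTEGER, PRIMARY KEY (sid, cid));
CREATE TABLE tcphdr (sid INTEGER, cid INTEGER, tcp_sport INTEGER, tcp_dport INTEGER,
                     tcp_flags INTEGER, PRIMARY KEY (sid, cid));
CREATE TABLE data (sid INTEGER, cid INTEGER, data_payload TEXT, PRIMARY KEY (sid, cid));
"""

# One row per event; LEFT JOINs keep events that have no TCP header or payload row.
ALERT_QUERY = """
SELECT e.sid, e.cid, e.timestamp, s.sig_name, s.sig_priority, c.sig_class_name,
       i.ip_src, i.ip_dst, i.ip_proto, t.tcp_sport, t.tcp_dport,
       d.data_payload, se.encoding
FROM event e
JOIN sensor se ON se.sid = e.sid
JOIN signature s ON s.sig_id = e.signature
LEFT JOIN sig_class c ON c.sig_class_id = s.sig_class_id
JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
LEFT JOIN tcphdr t ON t.sid = e.sid AND t.cid = e.cid
LEFT JOIN data d ON d.sid = e.sid AND d.cid = e.cid
ORDER BY e.sid, e.cid
"""


def ip_to_str(value):
    """Convert the 32-bit unsigned integer stored in iphdr.ip_src/ip_dst to dotted quad."""
    return str(ipaddress.IPv4Address(value))


def decode_payload(payload, encoding):
    """Decode data.data_payload using the owning sensor's encoding value."""
    if payload is None:
        return None
    if encoding == ENCODING_HEX:
        return bytes.fromhex(payload)
    if encoding == ENCODING_BASE64:
        return base64.b64decode(payload)
    if encoding == ENCODING_ASCII:
        return payload.encode("ascii")
    raise ValueError(f"unknown sensor.encoding value {encoding!r}")


def build_sample_db():
    """Create the reduced schema in memory and load constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA_SQL)
    src = int(ipaddress.IPv4Address("192.168.1.10"))  # constructed addresses
    dst = int(ipaddress.IPv4Address("10.0.0.5"))
    conn.execute("INSERT INTO sensor VALUES (1, 'sensor-a', 'eth0', NULL, 1, ?)", (ENCODING_HEX,))
    conn.execute("INSERT INTO sig_class VALUES (1, 'web-application-activity')")
    conn.execute("INSERT INTO sig_class VALUES (2, 'misc-activity')")
    # Constructed signature rows; sig_sid values are placeholders in the local-rule range.
    conn.execute("INSERT INTO signature VALUES (1, 'SAMPLE web request', 1, 2, 1, 1000001)")
    conn.execute("INSERT INTO signature VALUES (2, 'SAMPLE icmp echo', 2, 3, 1, 1000002)")
    # Event 1: TCP with payload; event 2: ICMP with no tcphdr or data row.
    conn.execute("INSERT INTO event VALUES (1, 1, 1, '2024-01-01 10:00:00')")
    conn.execute("INSERT INTO event VALUES (1, 2, 2, '2024-01-01 10:00:05')")
    conn.execute("INSERT INTO iphdr VALUES (1, 1, ?, ?, 6)", (src, dst))
    conn.execute("INSERT INTO iphdr VALUES (1, 2, ?, ?, 1)", (src, dst))
    conn.execute("INSERT INTO tcphdr VALUES (1, 1, 40000, 80, 24)")
    conn.execute("INSERT INTO data VALUES (1, 1, ?)", (b"GET / HTTP/1.0\r\n".hex(),))
    conn.commit()
    return conn


def list_alerts(conn):
    """Return every event as a dict with decoded addresses and payload."""
    alerts = []
    for row in conn.execute(ALERT_QUERY):
        alerts.append({
            "sid": row["sid"], "cid": row["cid"], "timestamp": row["timestamp"],
            "signature": row["sig_name"], "priority": row["sig_priority"],
            "class": row["sig_class_name"],
            "ip_src": ip_to_str(row["ip_src"]), "ip_dst": ip_to_str(row["ip_dst"]),
            "ip_proto": row["ip_proto"],
            "tcp_sport": row["tcp_sport"], "tcp_dport": row["tcp_dport"],
            "payload": decode_payload(row["data_payload"], row["encoding"]),
        })
    return alerts


if __name__ == "__main__":
    for alert in list_alerts(build_sample_db()):
        print(alert)
```

The LEFT JOINs matter in practice: an ICMP event has no tcphdr row and a sensor logging at a low detail level writes no data row, so an inner join would silently drop those alerts from a report. Decoding the payload per sensor rather than with a fixed encoding is also deliberate, since sensors feeding one database can be configured differently.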
