snort数据库详解
来源:互联网 发布:聚合数据公司怎么样 编辑:程序博客网 时间:2024/05/16 06:47
刚刚开始接触snort,想对他的数据库进行操作。所以小小的研究了一下。但是还是有很多表格的内容不是很了解。暂且把我自认为理解的部分写出来。欢迎大家热烈讨论,错误的地方疯狂指正,我没写的地方大家不吝赐教~~
Database ER Diagram
Snort (and other devices) log to database with the following schema:
Database ER diagram
Table
Component
Description
schema(模式)
Snort
Self-documented information about the database
sensor(传感器,监测元件)
Snort
Sensor name
event
Snort
Meta-data(元数据) about the detected alert
signature
Snort
Normalized listing of alert/signature names, priorities, and revision IDs
sig_reference
Snort
Reference information for a signature
reference
Snort
Reference IDs for a signature
reference_system
Snort
(lookup table) Reference system list
sig_class
Snort
Normalized listing of alert/signature classifications
data
Snort
Contents of packet payload
iphdr
Snort
IP protocol fields
tcphdr
Snort
TCP protocol fields
udphdr
Snort
UDP protocol fields
icmphdr
Snort
ICMP protocol fields
opt
Snort
IP and TCP options
detail
Snort
(lookup table) Level of detail with which a sensor is logging
encoding
Snort
(lookup table) Type of encoding used for the packet payload
protocols
SnortDB extra
(lookup table) Layer-4 (IP encoded) protocol list
services
SnortDB extra
(lookup table) TCP and UDP service list
flags
SnortDB extra
(lookup table) TCP flag list
acid_ag
BASE
Meta-data for alert groups
acid_ag_alert
BASE
Alerts in each alert group
acid_ip_cache
BASE
Cached DNS and whois information
schema
+-------+------------------+------+-----+---------------------+----------------------------------------+
| Field | Type | Null | Key | Default | Description |
+-------+------------------+------+-----+---------------------+----------------------------------------+
| vseq | int(10) unsigned | | PRI | 0 | Database schema ID number (e.g. '102') |
| ctime | datetime | | | 0000-00-00 00:00:00 | Timestamp of database creation time |
+-------+------------------+------+-----+---------------------+----------------------------------------+
sensor
+-----------+------------------+------+-----+---------+----------------------------------------------+
| Field | Type | Null | Key | Default | Description |
+-----------+------------------+------+-----+---------+----------------------------------------------+
| sid | int(10) unsigned | | PRI | NULL | Sensor ID |
| hostname | text | YES | | NULL | Hostname of the sensor (IP if can't qualify) |
| interface | text | YES | | NULL | Network interface (e.g. eth0) |
| filter | text | YES | | NULL | BPF filter |
| detail | tinyint(4) | YES | | NULL | Detail level of the logging |
| encoding | tinyint(4) | YES | | NULL | Encoding format of the payload |
+-----------+------------------+------+-----+---------+----------------------------------------------+
event
+-----------+------------------+------+-----+---------------------+----------------------------------------+
| Field | Type | Null | Key | Default | Description |
+-----------+------------------+------+-----+---------------------+----------------------------------------+
| sid | int(10) unsigned | | PRI | 0 | Sensor ID |
| cid | int(10) unsigned | | PRI | 0 | Event ID |
| signature | int(10) unsigned | | MUL | 0 | Signature ID |
| timestamp | datetime | | MUL | 0000-00-00 00:00:00 | Timestamp of when the event was logged |
+-----------+------------------+------+-----+---------------------+----------------------------------------+
signature
+--------------+------------------+------+-----+---------+-----------------------+
| Field | Type | Null | Key | Default | Description |
+--------------+------------------+------+-----+---------+-----------------------+
| sig_id | int(10) unsigned | | PRI | NULL | Signature ID |
| sig_name | varchar(255) | | MUL | | Signature Name |
| sig_class_id | int(10) unsigned | YES | MUL | NULL | Classification ID |
| sig_priority | int(10) unsigned | YES | | NULL | Priority |
| sig_rev | int(10) unsigned | YES | | NULL | Revision number |
| sig_sid | int(10) unsigned | YES | | NULL | Internal signature ID |
+--------------+------------------+------+-----+---------+-----------------------+
sig_reference
+---------+------------------+------+-----+---------+-------------------------------------------------+
| Field | Type | Null | Key | Default | Description |
+---------+------------------+------+-----+---------+-------------------------------------------------+
| sig_id | int(10) unsigned | | PRI | 0 | Signature ID |
| ref_seq | int(10) unsigned | | PRI | 0 | Reference sequence number (multiple references) |
| ref_id | int(10) unsigned | | | 0 | Reference ID |
+---------+------------------+------+-----+---------+-------------------------------------------------+
reference
+---------------+------------------+------+-----+---------+--------------------------------------+
| Field | Type | Null | Key | Default | Description |
+---------------+------------------+------+-----+---------+--------------------------------------+
| ref_id | int(10) unsigned | | PRI | NULL | Reference ID |
| ref_system_id | int(10) unsigned | | | 0 | Reference system ID |
| ref_tag | varchar(20) | | | | Reference tag (e.g. CVE-CAN-2001-01) |
+---------------+------------------+------+-----+---------+--------------------------------------+
reference_system
+-----------------+------------------+------+-----+---------+----------------------------------+
| Field | Type | Null | Key | Default | Description |
+-----------------+------------------+------+-----+---------+----------------------------------+
| ref_system_id | int(10) unsigned | | PRI | NULL | Reference system ID |
| ref_system_name | varchar(20) | YES | | NULL | Reference system name (e.g. CVE) |
+-----------------+------------------+------+-----+---------+----------------------------------+
sig_class
+----------------+------------------+------+-----+---------+----------------------------------+
| Field | Type | Null | Key | Default | Description |
+----------------+------------------+------+-----+---------+----------------------------------+
| sig_class_id | int(10) unsigned | | PRI | NULL | Signature classification ID |
| sig_class_name | varchar(60) | | MUL | | Classification name (e.g. recon) |
+----------------+------------------+------+-----+---------+----------------------------------+
data
+--------------+------------------+------+-----+---------+-----------------------------------------------------+
| Field | Type | Null | Key | Default | Description |
+--------------+------------------+------+-----+---------+-----------------------------------------------------+
| sid | int(10) unsigned | | PRI | 0 | Sensor ID |
| cid | int(10) unsigned | | PRI | 0 | Event ID |
| data_payload | text | YES | | NULL | Packet payload encoded according to sensor.encoding |
+--------------+------------------+------+-----+---------+-----------------------------------------------------+
iphdr
+----------+----------------------+------+-----+---------+----------------------------------------------+
| Field | Type | Null | Key | Default | Description |
+----------+----------------------+------+-----+---------+----------------------------------------------+
| sid | int(10) unsigned | | PRI | 0 | Sensor ID |
| cid | int(10) unsigned | | PRI | 0 | Event ID |
| ip_src | int(10) unsigned | | MUL | 0 | Source IP address (32-bit unsigned int) |
| ip_dst | int(10) unsigned | | MUL | 0 | Destination IP address (32-bit unsigned int) |
| ip_ver | tinyint(3) unsigned | YES | | NULL | IP version |
| ip_hlen | tinyint(3) unsigned | YES | | NULL | IP Header length |
| ip_tos | tinyint(3) unsigned | YES | | NULL | IP type-of-service |
| ip_len | smallint(5) unsigned | YES | | NULL | IP datagram length |
| ip_id | smallint(5) unsigned | YES | | NULL | IP ID |
| ip_flags | tinyint(3) unsigned | YES | | NULL | IP flags |
| ip_off | smallint(5) unsigned | YES | | NULL | IP fragment offset |
| ip_ttl | tinyint(3) unsigned | YES | | NULL | IP time-to-live |
| ip_proto | tinyint(3) unsigned | | | 0 | IP protocol |
| ip_csum | smallint(5) unsigned | YES | | NULL | IP checksum |
+----------+----------------------+------+-----+---------+----------------------------------------------+
tcphdr
+-----------+----------------------+------+-----+---------+----------------------+
| Field | Type | Null | Key | Default | Description |
+-----------+----------------------+------+-----+---------+----------------------+
| sid | int(10) unsigned | | PRI | 0 | Sensor ID |
| cid | int(10) unsigned | | PRI | 0 | Event ID |
| tcp_sport | smallint(5) unsigned | | MUL | 0 | TCP source port |
| tcp_dport | smallint(5) unsigned | | MUL | 0 | TCP destination port |
| tcp_seq | int(10) unsigned | YES | | NULL | TCP sequence number |
| tcp_ack | int(10) unsigned | YES | | NULL | TCP ACK number |
| tcp_off | tinyint(3) unsigned | YES | | NULL | TCP offset |
| tcp_res | tinyint(3) unsigned | YES | | NULL | TCP reserved |
| tcp_flags | tinyint(3) unsigned | | MUL | 0 | TCP flags |
| tcp_win | smallint(5) unsigned | YES | | NULL | TCP window |
| tcp_csum | smallint(5) unsigned | YES | | NULL | TCP checksum |
| tcp_urp | smallint(5) unsigned | YES | | NULL | TCP urgent pointer |
+-----------+----------------------+------+-----+---------+----------------------+
udphdr
+-----------+----------------------+------+-----+---------+----------------------+
| Field | Type | Null | Key | Default | Description |
+-----------+----------------------+------+-----+---------+----------------------+
| sid | int(10) unsigned | | PRI | 0 | Sensor ID |
| cid | int(10) unsigned | | PRI | 0 | Event ID |
| udp_sport | smallint(5) unsigned | | MUL | 0 | UDP soure port |
| udp_dport | smallint(5) unsigned | | MUL | 0 | UDP destination port |
| udp_len | smallint(5) unsigned | YES | | NULL | UDP length |
| udp_csum | smallint(5) unsigned | YES | | NULL | UDP checksum |
+-----------+----------------------+------+-----+---------+----------------------+
icmphdr
+-----------+----------------------+------+-----+---------+----------------------+
| Field | Type | Null | Key | Default | Description |
+-----------+----------------------+------+-----+---------+----------------------+
| sid | int(10) unsigned | | PRI | 0 | Sensor ID |
| cid | int(10) unsigned | | PRI | 0 | Event ID |
| icmp_type | tinyint(3) unsigned | | MUL | 0 | ICMP type |
| icmp_code | tinyint(3) unsigned | | | 0 | ICMP code |
| icmp_csum | smallint(5) unsigned | YES | | NULL | ICMP checksum |
| icmp_id | smallint(5) unsigned | YES | | NULL | ICMP ID |
| icmp_seq | smallint(5) unsigned | YES | | NULL | ICMP sequence number |
+-----------+----------------------+------+-----+---------+----------------------+
opt
+-----------+---------------------+------+-----+---------+----------------------------------------+
| Field | Type | Null | Key | Default | Description |
+-----------+---------------------+------+-----+---------+----------------------------------------+
| sid | int(10) unsigned | | PRI | 0 | Sensor ID |
| cid | int(10) unsigned | | PRI | 0 | Event ID |
| optid | int(10) unsigned | | PRI | 0 | Option ID (multiple options per alert) |
| opt_proto | tinyint(3) unsigned | | | 0 | Option protocol (IP, TCP) |
| opt_code | tinyint(3) unsigned | | | 0 | Option code |
| opt_len | smallint(6) | YES | | NULL | Option length |
| opt_data | text | YES | | NULL | Option data |
+-----------+---------------------+------+-----+---------+----------------------------------------+
acid_ag
+----------+------------------+------+-----+---------+-----------------------------------+
| Field | Type | Null | Key | Default | Description |
+----------+------------------+------+-----+---------+-----------------------------------+
| ag_id | int(10) unsigned | | PRI | NULL | Alert Group (AG) ID |
| ag_name | varchar(40) | YES | | NULL | AG name |
| ag_desc | text | YES | | NULL | AG description |
| ag_ctime | datetime | YES | | NULL | Timestamp of AG creation time |
| ag_ltime | datetime | YES | | NULL | Timestamp of last AG modification |
+----------+------------------+------+-----+---------+-----------------------------------+
acid_ag_alert
+--------+------------------+------+-----+---------+---------------------+
| Field | Type | Null | Key | Default | Description |
+--------+------------------+------+-----+---------+---------------------+
| ag_id | int(10) unsigned | | PRI | 0 | Alert Group (AG) ID |
| ag_sid | int(10) unsigned | | PRI | 0 | Sensor ID |
| ag_cid | int(10) unsigned | | PRI | 0 | Event ID |
+--------+------------------+------+-----+---------+---------------------+
acid_ip_cache
+---------------------+------------------+------+-----+---------+----------------------------------+
| Field | Type | Null | Key | Default | Description |
+---------------------+------------------+------+-----+---------+----------------------------------+
| ipc_ip | int(10) unsigned | | PRI | 0 | IP address (32-bit unsigned int) |
| ipc_fqdn | varchar(50) | YES | MUL | NULL | FQDN |
| ipc_dns_timestamp | datetime | YES | | NULL | DNS lookup timestamp |
| ipc_whois | text | YES | | NULL | whois information |
| ipc_whois_timestamp | datetime | YES | | NULL | whois lookup time |
Snort数据库
Shcema:有关数据库模式的一些信息,比如版本或者创建信息
vseq:数据库模式ID
ctime:数据库创建时间
Sensor:snort传感器信息。
sid:传感器代号
hostname:传感器所属的用户名称
Interface:传感器对应的网络接口
filter:对应传感器的过滤原则
detail:表示传感器监测模式,记录模式详细程度的级别
encoding:包含数据存在形式
last_cid: 对应每个sid即传感器捕获告警的最后一个值
Event:关于告警的元数据的信息
Sid,cid;共同作为主码,其中cid是在sid的基础上进行排序的。每个sid对应自己的
cid排序。
Signature:对应signature表格中的sig_id选项,表明这条告警事件所属的规则形式的告警对应哪一类rules。
Timestamp:对应告警事件发生的系统时间。
Signature:有规则形式的告警信息,按种类分类。
Sig_id: 总数代表发生告警种类的总数。是告警种类的主码。
Sig_name:告警名称。对应每条alert语句的Msg。
Sig_class_id:对应sig_class表格中的sig_class_id.代表告警种类的大类信息。
Sig_priority:告警的优先级
Sit_rev:版本号(具体是谁的版本号还不清楚)
Sig_sid:内部signatureID
Sig_gid:全局signatureID
sig_reference:提供报警种类信息signature的参考信息。将signature与reference联系起来的表格
Sig_id:对应的告警种类。
Ref_id:对应reference表格中的主码
Ref_seq:参考序列号(具体什么意思还不懂)
Reference:提供一些支持信息
Ref_id:主码
Ref_system_id:对应reference_system表格
Ref_tag:关于reference的一些信息
Sig_class: signature告警种类的大体分类信息。
Sig_class_id:分类编号
Sig_class_name:分类名称
Data: 告警数据包的有效载荷
sid与cid 共同作为主码
data_payload:数据包有效载荷
Detail:传感器sensor的检测级别
0-fast快速检测
1-full全面检测
encoding:数据包中数据的存在形式
0- Hex
1- base64
2- ascii
Iphdr: ip数据包首部信息
sid,cid 共同作为主码
ip_src: ip数据包源地址
ip_dst: ip数据包目的地址
ip_ver: ip数据包版本,一般为ipv4即为4
ip_hlen: ip数据包首部长度,以DWORD为单位,通常为5,共20个字节。(IP数据包最长可为4*15=60字节)。
ip_tos: ip数据包服务类型。共8位,其每位的含义见“项目相关/各类数据包格式”。
ip_len: ip数据包的总长度,包括ip数据包头
ip_id: ip数据包的标识符
ip_flags: ip数据包的标志
ip_off: 如果ip数据包分段,则此段用于指明分段在原ip数据包中位置
ip_ttl: ip数据包的生存周期
ip_proto: ip数据包的上层协议ICMP(1)、TCP(6)、UDP(17)
ip_csum: ip数据包首部检查和
tcphdr: tcp协议数据包报文首部信息
sid,cid为主码
tcp_sport,tcp-dport:源与目的端口号
tcp_seq,tcp_ack: tcp序列号与确认号
tcp_off:报文首部长度(4bit),以DWORD为单位
tcp_res: tcp首部保留字段
tcp_flags: 6bit的标志字段(URG,ACK,PSH,RST,SYN,FIN)
tcp_win: tcp接受窗口大小
tcp_csum: tcp校验和字段
tcp_urp: tcp紧急数据指针
udphdr: udp协议数据包首部信息
sid,cid为主码
udp_sport,udp_dport:udp源端口与目的端口号
udp_len:包括udp首部在内的udp报文的长度,以字节为单位
upd_csum:udp首部检查和字段
icmphdr:
sid,cid为主码
icmp_type:icmp报文类型字段,占一个字节
icmp_code:icmp报文编码字段,占一个字节
icmp_csum:icmp校验和字段,占两个字节。校验包括数据载荷在内的整个ICMP报文的正确性。
icmp_id:icmp报文标示符
icmp_seq:icmp序列号字段
opt: 关于ip 和tcp的一些选择信息
sid,cid,optid:主码
opt_proto: 貌似对应ip数据包中的tos字段。一般为6,代表是tcp协议。
上面的英文内容来自下面的网站
http://www.andrew.cmu.edu/user/rdanyliw/snort/acid_db_er_v102.html#acid_ag#acid_ag
- snort数据库详解
- Snort 命令参数详解
- Snort
- snort
- snort
- snort
- snort
- snort三种工作模式详解
- snort+acid
- Snort分析
- snort常用命令
- Snort Cookbook
- snort优化
- snort docs
- snort简介
- snort配置
- snort problem1
- snort problem2
- 关于SEH局部展开的一点思考
- DEV中的lookupEdit控件的初始化
- MFC笔记3
- handle
- snort数据库详解
- 有点意思:不患寡而患不均,不患贫而患不安
- 【转载】黑莓开发学习(入门教程)03-经典的HelloWorld程序
- DNS BIND的配置
- 为什么研究?
- 最近用到的一点技术点
- 【转载】黑莓开发学习(入门教程)04-标准界面的HelloWorld程序
- php中的字符串连接
- 由MessageBox透视Win32 API的调用