刚刚开始接触snort,想对他的数据库进行操作。所以小小的研究了一下。但是还是有很多表格的内容不是很了解。暂且把我自认为理解的部分写出来。欢迎大家热烈讨论,错误的地方疯狂指正,我没写的地方大家不吝赐教~~
Database ER Diagram
Snort (and other devices) log to database with the following schema:
Database ER diagram
| Table | Component | Description |
| schema(模式) | Snort | Self-documented information about the database |
| sensor(传感器,监测元件) | Snort | Sensor name |
| Snort | Meta-data(元数据) about the detected alert | |
| Snort | Normalized listing of alert/signature names, priorities, and revision IDs | |
| Snort | Reference information for a signature | |
| Snort | Reference IDs for a signature | |
| Snort | (lookup table) Reference system list | |
| Snort | Normalized listing of alert/signature classifications | |
| Snort | Contents of packet payload | |
| Snort | IP protocol fields | |
| Snort | TCP protocol fields | |
| Snort | UDP protocol fields | |
| Snort | ICMP protocol fields | |
| Snort | IP and TCP options | |
| detail | Snort | (lookup table) Level of detail with which a sensor is logging |
| encoding | Snort | (lookup table) Type of encoding used for the packet payload |
| protocols | SnortDB extra | (lookup table) Layer-4 (IP encoded) protocol list |
| services | SnortDB extra | (lookup table) TCP and UDP service list |
| flags | SnortDB extra | (lookup table) TCP flag list |
| BASE | Meta-data for alert groups | |
| BASE | Alerts in each alert group | |
| BASE | Cached DNS and whois information |
schema
+-------+------------------+------+-----+---------------------+----------------------------------------+
| Field | Type | Null | Key | Default | Description |
+-------+------------------+------+-----+---------------------+----------------------------------------+
| vseq | int(10) unsigned | | PRI | 0 | Database schema ID number (e.g. '102') |
| ctime | datetime | | | 0000-00-00 00:00:00 | Timestamp of database creation time |
+-------+------------------+------+-----+---------------------+----------------------------------------+
sensor
+-----------+------------------+------+-----+---------+----------------------------------------------+
| Field | Type | Null | Key | Default | Description |
+-----------+------------------+------+-----+---------+----------------------------------------------+
| sid | int(10) unsigned | | PRI | NULL | Sensor ID |
| hostname | text | YES | | NULL | Hostname of the sensor (IP if can't qualify) |
| interface | text | YES | | NULL | Network interface (e.g. eth0) |
| filter | text | YES | | NULL | BPF filter |
| detail | tinyint(4) | YES | | NULL | Detail level of the logging |
| encoding | tinyint(4) | YES | | NULL | Encoding format of the payload |
+-----------+------------------+------+-----+---------+----------------------------------------------+
event
+-----------+------------------+------+-----+---------------------+----------------------------------------+
| Field | Type | Null | Key | Default | Description |
+-----------+------------------+------+-----+---------------------+----------------------------------------+
| sid | int(10) unsigned | | PRI | 0 | Sensor ID |
| cid | int(10) unsigned | | PRI | 0 | Event ID |
| signature | int(10) unsigned | | MUL | 0 | Signature ID |
| timestamp | datetime | | MUL | 0000-00-00 00:00:00 | Timestamp of when the event was logged |
+-----------+------------------+------+-----+---------------------+----------------------------------------+
signature
+--------------+------------------+------+-----+---------+-----------------------+
| Field | Type | Null | Key | Default | Description |
+--------------+------------------+------+-----+---------+-----------------------+
| sig_id | int(10) unsigned | | PRI | NULL | Signature ID |
| sig_name | varchar(255) | | MUL | | Signature Name |
| sig_class_id | int(10) unsigned | YES | MUL | NULL | Classification ID |
| sig_priority | int(10) unsigned | YES | | NULL | Priority |
| sig_rev | int(10) unsigned | YES | | NULL | Revision number |
| sig_sid | int(10) unsigned | YES | | NULL | Internal signature ID |
+--------------+------------------+------+-----+---------+-----------------------+
sig_reference
+---------+------------------+------+-----+---------+-------------------------------------------------+
| Field | Type | Null | Key | Default | Description |
+---------+------------------+------+-----+---------+-------------------------------------------------+
| sig_id | int(10) unsigned | | PRI | 0 | Signature ID |
| ref_seq | int(10) unsigned | | PRI | 0 | Reference sequence number (multiple references) |
| ref_id | int(10) unsigned | | | 0 | Reference ID |
+---------+------------------+------+-----+---------+-------------------------------------------------+
reference
+---------------+------------------+------+-----+---------+--------------------------------------+
| Field | Type | Null | Key | Default | Description |
+---------------+------------------+------+-----+---------+--------------------------------------+
| ref_id | int(10) unsigned | | PRI | NULL | Reference ID |
| ref_system_id | int(10) unsigned | | | 0 | Reference system ID |
| ref_tag | varchar(20) | | | | Reference tag (e.g. CVE-CAN-2001-01) |
+---------------+------------------+------+-----+---------+--------------------------------------+
reference_system
+-----------------+------------------+------+-----+---------+----------------------------------+
| Field | Type | Null | Key | Default | Description |
+-----------------+------------------+------+-----+---------+----------------------------------+
| ref_system_id | int(10) unsigned | | PRI | NULL | Reference system ID |
| ref_system_name | varchar(20) | YES | | NULL | Reference system name (e.g. CVE) |
+-----------------+------------------+------+-----+---------+----------------------------------+
sig_class
+----------------+------------------+------+-----+---------+----------------------------------+
| Field | Type | Null | Key | Default | Description |
+----------------+------------------+------+-----+---------+----------------------------------+
| sig_class_id | int(10) unsigned | | PRI | NULL | Signature classification ID |
| sig_class_name | varchar(60) | | MUL | | Classification name (e.g. recon) |
+----------------+------------------+------+-----+---------+----------------------------------+
data
+--------------+------------------+------+-----+---------+-----------------------------------------------------+
| Field | Type | Null | Key | Default | Description |
+--------------+------------------+------+-----+---------+-----------------------------------------------------+
| sid | int(10) unsigned | | PRI | 0 | Sensor ID |
| cid | int(10) unsigned | | PRI | 0 | Event ID |
| data_payload | text | YES | | NULL | Packet payload encoded according to sensor.encoding |
+--------------+------------------+------+-----+---------+-----------------------------------------------------+
iphdr
+----------+----------------------+------+-----+---------+----------------------------------------------+
| Field | Type | Null | Key | Default | Description |
+----------+----------------------+------+-----+---------+----------------------------------------------+
| sid | int(10) unsigned | | PRI | 0 | Sensor ID |
| cid | int(10) unsigned | | PRI | 0 | Event ID |
| ip_src | int(10) unsigned | | MUL | 0 | Source IP address (32-bit unsigned int) |
| ip_dst | int(10) unsigned | | MUL | 0 | Destination IP address (32-bit unsigned int) |
| ip_ver | tinyint(3) unsigned | YES | | NULL | IP version |
| ip_hlen | tinyint(3) unsigned | YES | | NULL | IP Header length |
| ip_tos | tinyint(3) unsigned | YES | | NULL | IP type-of-service |
| ip_len | smallint(5) unsigned | YES | | NULL | IP datagram length |
| ip_id | smallint(5) unsigned | YES | | NULL | IP ID |
| ip_flags | tinyint(3) unsigned | YES | | NULL | IP flags |
| ip_off | smallint(5) unsigned | YES | | NULL | IP fragment offset |
| ip_ttl | tinyint(3) unsigned | YES | | NULL | IP time-to-live |
| ip_proto | tinyint(3) unsigned | | | 0 | IP protocol |
| ip_csum | smallint(5) unsigned | YES | | NULL | IP checksum |
+----------+----------------------+------+-----+---------+----------------------------------------------+
tcphdr
+-----------+----------------------+------+-----+---------+----------------------+
| Field | Type | Null | Key | Default | Description |
+-----------+----------------------+------+-----+---------+----------------------+
| sid | int(10) unsigned | | PRI | 0 | Sensor ID |
| cid | int(10) unsigned | | PRI | 0 | Event ID |
| tcp_sport | smallint(5) unsigned | | MUL | 0 | TCP source port |
| tcp_dport | smallint(5) unsigned | | MUL | 0 | TCP destination port |
| tcp_seq | int(10) unsigned | YES | | NULL | TCP sequence number |
| tcp_ack | int(10) unsigned | YES | | NULL | TCP ACK number |
| tcp_off | tinyint(3) unsigned | YES | | NULL | TCP offset |
| tcp_res | tinyint(3) unsigned | YES | | NULL | TCP reserved |
| tcp_flags | tinyint(3) unsigned | | MUL | 0 | TCP flags |
| tcp_win | smallint(5) unsigned | YES | | NULL | TCP window |
| tcp_csum | smallint(5) unsigned | YES | | NULL | TCP checksum |
| tcp_urp | smallint(5) unsigned | YES | | NULL | TCP urgent pointer |
+-----------+----------------------+------+-----+---------+----------------------+
udphdr
+-----------+----------------------+------+-----+---------+----------------------+
| Field | Type | Null | Key | Default | Description |
+-----------+----------------------+------+-----+---------+----------------------+
| sid | int(10) unsigned | | PRI | 0 | Sensor ID |
| cid | int(10) unsigned | | PRI | 0 | Event ID |
| udp_sport | smallint(5) unsigned | | MUL | 0 | UDP soure port |
| udp_dport | smallint(5) unsigned | | MUL | 0 | UDP destination port |
| udp_len | smallint(5) unsigned | YES | | NULL | UDP length |
| udp_csum | smallint(5) unsigned | YES | | NULL | UDP checksum |
+-----------+----------------------+------+-----+---------+----------------------+
icmphdr
+-----------+----------------------+------+-----+---------+----------------------+
| Field | Type | Null | Key | Default | Description |
+-----------+----------------------+------+-----+---------+----------------------+
| sid | int(10) unsigned | | PRI | 0 | Sensor ID |
| cid | int(10) unsigned | | PRI | 0 | Event ID |
| icmp_type | tinyint(3) unsigned | | MUL | 0 | ICMP type |
| icmp_code | tinyint(3) unsigned | | | 0 | ICMP code |
| icmp_csum | smallint(5) unsigned | YES | | NULL | ICMP checksum |
| icmp_id | smallint(5) unsigned | YES | | NULL | ICMP ID |
| icmp_seq | smallint(5) unsigned | YES | | NULL | ICMP sequence number |
+-----------+----------------------+------+-----+---------+----------------------+
opt
+-----------+---------------------+------+-----+---------+----------------------------------------+
| Field | Type | Null | Key | Default | Description |
+-----------+---------------------+------+-----+---------+----------------------------------------+
| sid | int(10) unsigned | | PRI | 0 | Sensor ID |
| cid | int(10) unsigned | | PRI | 0 | Event ID |
| optid | int(10) unsigned | | PRI | 0 | Option ID (multiple options per alert) |
| opt_proto | tinyint(3) unsigned | | | 0 | Option protocol (IP, TCP) |
| opt_code | tinyint(3) unsigned | | | 0 | Option code |
| opt_len | smallint(6) | YES | | NULL | Option length |
| opt_data | text | YES | | NULL | Option data |
+-----------+---------------------+------+-----+---------+----------------------------------------+
acid_ag
+----------+------------------+------+-----+---------+-----------------------------------+
| Field | Type | Null | Key | Default | Description |
+----------+------------------+------+-----+---------+-----------------------------------+
| ag_id | int(10) unsigned | | PRI | NULL | Alert Group (AG) ID |
| ag_name | varchar(40) | YES | | NULL | AG name |
| ag_desc | text | YES | | NULL | AG description |
| ag_ctime | datetime | YES | | NULL | Timestamp of AG creation time |
| ag_ltime | datetime | YES | | NULL | Timestamp of last AG modification |
+----------+------------------+------+-----+---------+-----------------------------------+
acid_ag_alert
+--------+------------------+------+-----+---------+---------------------+
| Field | Type | Null | Key | Default | Description |
+--------+------------------+------+-----+---------+---------------------+
| ag_id | int(10) unsigned | | PRI | 0 | Alert Group (AG) ID |
| ag_sid | int(10) unsigned | | PRI | 0 | Sensor ID |
| ag_cid | int(10) unsigned | | PRI | 0 | Event ID |
+--------+------------------+------+-----+---------+---------------------+
acid_ip_cache
+---------------------+------------------+------+-----+---------+----------------------------------+
| Field | Type | Null | Key | Default | Description |
+---------------------+------------------+------+-----+---------+----------------------------------+
| ipc_ip | int(10) unsigned | | PRI | 0 | IP address (32-bit unsigned int) |
| ipc_fqdn | varchar(50) | YES | MUL | NULL | FQDN |
| ipc_dns_timestamp | datetime | YES | | NULL | DNS lookup timestamp |
| ipc_whois | text | YES | | NULL | whois information |
| ipc_whois_timestamp | datetime | YES | | NULL | whois lookup time |
|
|
|
|
|
|
|
Snort数据库
Shcema:有关数据库模式的一些信息,比如版本或者创建信息
vseq:数据库模式ID
ctime:数据库创建时间
Sensor:snort传感器信息。
sid:传感器代号
hostname:传感器所属的用户名称
Interface:传感器对应的网络接口
filter:对应传感器的过滤原则
detail:表示传感器监测模式,记录模式详细程度的级别
encoding:包含数据存在形式
last_cid: 对应每个sid即传感器捕获告警的最后一个值
Event:关于告警的元数据的信息
Sid,cid;共同作为主码,其中cid是在sid的基础上进行排序的。每个sid对应自己的
cid排序。
Signature:对应signature表格中的sig_id选项,表明这条告警事件所属的规则形式的告警对应哪一类rules。
Timestamp:对应告警事件发生的系统时间。
Signature:有规则形式的告警信息,按种类分类。
Sig_id: 总数代表发生告警种类的总数。是告警种类的主码。
Sig_name:告警名称。对应每条alert语句的Msg。
Sig_class_id:对应sig_class表格中的sig_class_id.代表告警种类的大类信息。
Sig_priority:告警的优先级
Sit_rev:版本号(具体是谁的版本号还不清楚)
Sig_sid:内部signatureID
Sig_gid:全局signatureID
sig_reference:提供报警种类信息signature的参考信息。将signature与reference联系起来的表格
Sig_id:对应的告警种类。
Ref_id:对应reference表格中的主码
Ref_seq:参考序列号(具体什么意思还不懂)
Reference:提供一些支持信息
Ref_id:主码
Ref_system_id:对应reference_system表格
Ref_tag:关于reference的一些信息
Sig_class: signature告警种类的大体分类信息。
Sig_class_id:分类编号
Sig_class_name:分类名称
Data: 告警数据包的有效载荷
sid与cid 共同作为主码
data_payload:数据包有效载荷
Detail:传感器sensor的检测级别
0-fast快速检测
1-full全面检测
encoding:数据包中数据的存在形式
0- Hex
1- base64
2- ascii
Iphdr: ip数据包首部信息
sid,cid 共同作为主码
ip_src: ip数据包源地址
ip_dst: ip数据包目的地址
ip_ver: ip数据包版本,一般为ipv4即为4
ip_hlen: ip数据包首部长度,以DWORD为单位,通常为5,共20个字节。(IP数据包最长可为4*15=60字节)。
ip_tos: ip数据包服务类型。共8位,其每位的含义见“项目相关/各类数据包格式”。
ip_len: ip数据包的总长度,包括ip数据包头
ip_id: ip数据包的标识符
ip_flags: ip数据包的标志
ip_off: 如果ip数据包分段,则此段用于指明分段在原ip数据包中位置
ip_ttl: ip数据包的生存周期
ip_proto: ip数据包的上层协议ICMP(1)、TCP(6)、UDP(17)
ip_csum: ip数据包首部检查和
tcphdr: tcp协议数据包报文首部信息
sid,cid为主码
tcp_sport,tcp-dport:源与目的端口号
tcp_seq,tcp_ack: tcp序列号与确认号
tcp_off:报文首部长度(4bit),以DWORD为单位
tcp_res: tcp首部保留字段
tcp_flags: 6bit的标志字段(URG,ACK,PSH,RST,SYN,FIN)
tcp_win: tcp接受窗口大小
tcp_csum: tcp校验和字段
tcp_urp: tcp紧急数据指针
udphdr: udp协议数据包首部信息
sid,cid为主码
udp_sport,udp_dport:udp源端口与目的端口号
udp_len:包括udp首部在内的udp报文的长度,以字节为单位
upd_csum:udp首部检查和字段
icmphdr:
sid,cid为主码
icmp_type:icmp报文类型字段,占一个字节
icmp_code:icmp报文编码字段,占一个字节
icmp_csum:icmp校验和字段,占两个字节。校验包括数据载荷在内的整个ICMP报文的正确性。
icmp_id:icmp报文标示符
icmp_seq:icmp序列号字段
opt: 关于ip 和tcp的一些选择信息
sid,cid,optid:主码
opt_proto: 貌似对应ip数据包中的tos字段。一般为6,代表是tcp协议。
上面的英文内容来自下面的网站
http://www.andrew.cmu.edu/user/rdanyliw/snort/acid_db_er_v102.html#acid_ag#acid_ag
扫一扫
555
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
