Chapter 7. The program getpacket

This program can build a network packet in pcap format which can be used by an analyzer like tcpdump or ethereal.

This requires some additional options to be used.

The advantage of this approach is that the protocol analysis offered by programs like ethereal goes far beyond what is possible with ACID/Base; think, for example, of DNS queries or responses.

7.1. The extension of the database scheme

To store the additional header and pcap information in the database, the normal scheme (as shipped with snort) must be extended. These extensions remain compatible with programs like ACID/Base.

These extensions must be applied within the database, using either mysql or psql. Once you have selected the right database, enter the following commands at the prompt:

ALTER TABLE data ADD COLUMN data_header TEXT;

This command adds a column for the missing packet headers. The payload stored by the normal process contains only the protocol payload of the alert. A TCP alert stores only the payload carried in the TCP segment; neither the TCP header, nor the IP header, nor the link level data are kept.

ALTER TABLE data ADD COLUMN pcap_header TEXT;

This column stores the pcap header containing the time when the packet was captured and the snaplen.

ALTER TABLE schema ADD COLUMN full_payload SMALLINT;

This column records that the database is capable of storing the extended data.

UPDATE schema SET full_payload=1;

This marks the database as capable of storing the full payload. If it is set to 1, servsock will accept the -f option or the FullPayload keyword.

Similarly, if the -r option or the Reference keyword is to be usable for storing the reference of tagged packets, the event table has to be extended:

ALTER TABLE event ADD COLUMN reference INT4;

And the schema table has to be extended and updated so that this setting can be queried:

ALTER TABLE schema ADD COLUMN reference SMALLINT;

UPDATE schema SET reference=1;

Once all these commands have been applied to the database, you still have to activate the storage of the additional data within servsock.

The contrib/ directory contains two scripts, create_mysql and create_postgresql, which build the database scheme 107 with all extensions. The created schemes are completely ACID/Base compatible.
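As an added illustration (not getpacket's own code), the following Python reassembles a pcap file from the three data table columns discussed above, data_header, data_payload and pcap_header, so that the result can be opened in tcpdump or ethereal. It assumes, as Snort does for data_payload, that each column holds its raw bytes hex-encoded and that pcap_header is the 16-byte little-endian pcap record header; the sample row is constructed.

```python
import binascii
import struct

PCAP_MAGIC = 0xA1B2C3D4   # pcap magic, written little-endian as libpcap does on x86
DLT_EN10MB = 1            # link type: Ethernet

def pcap_global_header(snaplen=65535, linktype=DLT_EN10MB):
    # magic, version 2.4, thiszone, sigfigs, snaplen, network
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)

def build_pcap_record(pcap_header_hex, data_header_hex, data_payload_hex):
    """Reassemble one pcap record from the three columns of the data table.
    Assumption (not stated in the manual): each column holds its raw bytes
    hex-encoded, the way Snort stores data_payload, and pcap_header is the
    16-byte little-endian pcaprec_hdr (ts_sec, ts_usec, incl_len, orig_len).
    Returns (record_bytes, ts_sec, ts_usec).
    """
    rec_hdr = binascii.unhexlify(pcap_header_hex)
    if len(rec_hdr) != 16:
        raise ValueError("pcap_header must decode to 16 bytes")
    ts_sec, ts_usec, incl_len, orig_len = struct.unpack("<IIII", rec_hdr)
    # link, IP and transport headers come first, the alert payload follows
    packet = binascii.unhexlify(data_header_hex) + binascii.unhexlify(data_payload_hex)
    # a wrong incl_len desynchronises every record that follows in the file
    if len(packet) != incl_len:
        raise ValueError(f"incl_len {incl_len} != {len(packet)} reassembled bytes")
    if orig_len < incl_len:
        raise ValueError("orig_len must not be smaller than incl_len")
    return rec_hdr + packet, ts_sec, ts_usec

def build_pcap_file(rows, snaplen=65535):
    """rows: iterable of (pcap_header, data_header, data_payload) hex strings."""
    out = bytearray(pcap_global_header(snaplen))
    for pcap_hdr, data_hdr, payload in rows:
        out += build_pcap_record(pcap_hdr, data_hdr, payload)[0]
    return bytes(out)

# Constructed sample row: Ethernet + IPv4 + UDP headers (42 bytes, IP and UDP
# checksums left zero) and a 29-byte DNS query for example.com as the payload.
SAMPLE_PCAP_HEADER = "00105e5f" "00000000" "47000000" "47000000"  # ts 1600000000, 71 bytes
SAMPLE_DATA_HEADER = ("001122334455" "66778899aabb" "0800"
                      "450000390001000040110000c0a8010ac0a80101"
                      "c000" "0035" "0025" "0000")
SAMPLE_PAYLOAD = ("123401000001000000000000"
                  "076578616d706c6503636f6d00" "0001" "0001")

if __name__ == "__main__":
    with open("alert.pcap", "wb") as f:
        f.write(build_pcap_file([(SAMPLE_PCAP_HEADER, SAMPLE_DATA_HEADER, SAMPLE_PAYLOAD)]))
```

The length check is the one that matters in practice: a record whose incl_len disagrees with the stored bytes makes the analyzer misparse every packet after it.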