On Wed, 2010-06-30 at 21:13 -0500, Martin Holste wrote:
> Cool, I'll have a look at the OSE 3.2 roadmap.
>
> I should note that while I've done extensive testing in MongoDB, I'm currently using MySQL and a standard SQL schema for production. The main reason is speed, though I expect MongoDB to catch up eventually. CouchDB is extremely slow, comparatively, for sustained inserts, and I doubt it will ever be a viable option for high-performance logging. At any rate, a SQL schema would be fine with me.
>
> Yes, I mean UUID when I say CLSID. I think that requiring a central place to administer the IDs is actually a strength, not a weakness, because it encourages collaboration and peer review. By getting an ID, it means that the signature has been vetted. The EmergingThreats.net Snort signatures are born from such a process and are much stronger because of the open discussion, debate, and peer review.
I understand, and I guess we could create a policy that makes it possible to create a private ID space (similar to private IP addresses), which is guaranteed not to collide with "official" IDs.

What about an application-name[@provider.tld]

 * official samples would only contain "application-name"
 * private samples would have their domain name appended

For instance, the official ID for OpenSSH log patterns would be:

  opensshd

Whereas if you wanted to create your samples for application foo, that would look like:

  foo@balabit.com

What do you think?

--
Bazsi
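The official/private ID scheme proposed above, as an added example that is not part of the thread and not syslog-ng code; the parser, the registry, and the character rules assumed for application names and provider domains are my own assumptions:

```python
# Added example (not from the thread): parser and registry for the
# "application-name[@provider.tld]" scheme. Official IDs carry no domain and
# must come from the central, vetted namespace; private IDs always carry a
# domain, so the two spaces cannot collide. Syntax rules below are assumed.
import re
from typing import NamedTuple, Optional

_APP_RE = re.compile(r"^[a-z0-9][a-z0-9_.-]*$")            # assumed application-name syntax
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")  # assumed provider.tld syntax


class PatternId(NamedTuple):
    application: str
    provider: Optional[str]   # None means the official (central) namespace

    @property
    def official(self) -> bool:
        return self.provider is None


def parse_pattern_id(raw: str) -> PatternId:
    """Split an ID into (application, provider); raise ValueError on bad syntax."""
    app, sep, provider = raw.strip().lower().partition("@")
    if not _APP_RE.match(app):
        raise ValueError(f"bad application name: {raw!r}")
    if sep and not _DOMAIN_RE.match(provider):
        raise ValueError(f"bad provider domain: {raw!r}")
    return PatternId(app, provider if sep else None)


class PatternRegistry:
    """Tracks assigned IDs; official and private names live in disjoint spaces."""

    def __init__(self) -> None:
        self._ids: set = set()

    def register(self, raw: str, *, vetted: bool = False) -> PatternId:
        pid = parse_pattern_id(raw)
        # Only the central process may hand out bare application names.
        if pid.official and not vetted:
            raise PermissionError(f"official ID {pid.application!r} requires central review")
        if pid in self._ids:
            raise ValueError(f"duplicate ID: {raw!r}")
        self._ids.add(pid)
        return pid
```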