Snort mailing list archives

Re: mysql iphdr ip addressing scheme?

From: roman () danyliw com
Date: Thu, 1 Nov 2001 13:50:58 US/Eastern

Not exactly valid CIDR notation, but lets investigate.

x.177.88.0/20 is the following in binary:

xxxxxxxx 10110001 1011xxxx xxxxxxxx

(where 'x' can be either 0 or 1)

The following would be the mask to match such a network:

00000000 10110001 10110000 00000000 = 11644928 = mask

ip AND mask = mask (then we have a match)

SELECT ip_src FROM iphdr WHERE ((ip_src & 11644928) = 11644928)

The representation of the ip address as an unsigned 32-bit integer was
done to facilitate exactly this type of operation.

Roman

On 1 Nov 2001, Greg Sarsons wrote:

Okay lets make this a bit more complicated.

Lets say I want to get all the addresses from x.117.88.0 thru to
x.177.95.255

which is x.177.88.0/20

Is there a straight forward way to just match ips just on all or just
one of those subnets.

Greg

On Thu, 2001-11-01 at 10:31, Jason Straight wrote:

Actually I got another answer also, mysql has just that function
select inet_ntoa(ipsrc) from iphdr;


On Thursday 01 November 2001 10:12, Phil Wood wrote:

You'll probably get a lot of these types of responses.  I had that question
recently from one of the network staff here and thought I'd code it to
death.

It's a perl script called int-to-ip which takes input in one of two ways:

  int-to-ip number [another_number]*
  int-to-ip < list_of_numbers_file

Later,

On Thu, Nov 01, 2001 at 12:36:29AM -0500, Jason Straight wrote:

I'm confused. Snort on mysql has an ip addy that's nothing more than an
integer. How do I get a dotted quad IP# from:

208436227 ?

Thanks in advance.



---------------------------------------------
This message was sent using Voicenet WebMail.
      http://www.voicenet.com/webmail/



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

mysql iphdr ip addressing scheme? Jason Straight (Oct 31)
- Re: mysql iphdr ip addressing scheme? Phil Wood (Nov 01)
  - Re: mysql iphdr ip addressing scheme? Jason Straight (Nov 01)
    - Re: mysql iphdr ip addressing scheme? Greg Sarsons (Nov 01)
- Message not available
  - Re: mysql iphdr ip addressing scheme? Jason Straight (Nov 01)
- <Possible follow-ups>
- RE: mysql iphdr ip addressing scheme? Mark Forsyth (Nov 01)
- Re: mysql iphdr ip addressing scheme? roman (Nov 01)