Snort mailing list archives
Re: Snort DB query question.
From: Michael Boman <michael () ayeka dyndns org>
Date: Fri, 25 Oct 2002 10:49:53 +0800
On Thu, Oct 24, 2002 at 10:22:57PM -0400, larosa, vjay wrote:
> Hello, I have a question that has been bugging me since I started using the database output plugin with snort. Why are the IP addresses stored in the DB in the 32 bit format? What is the advantage?
I would guess it's speed - it stores the IP addresses in the same format they are received from the wire. Doing additional processing would slow snort down, and when you analyze the data you won't notice the 1/100 sec delay, but snort would.
> I know there must be something I don't know. I know the SELECT inet_ntoa(ip_src) ...... trick to convert the IPs back to human readable format, but what if I want to search for a CIDR block like 10.10.0.0/16? How would this be done? Is it possible?
SELECT .... WHERE inet_ntoa(iphdr.ip_src) > "10.10.0.0" AND inet_ntoa(iphdr.ip_src) < "10.10.255.255"

or

SELECT .... WHERE iphdr.ip_src > inet_aton("10.10.0.0") AND iphdr.ip_src < inet_aton("10.10.255.255")

I think the last example is faster, haven't tried it (wrong OS, not at work and so on...). And I am sure there are short-cuts for it as well, check out the documentation for your SQL database (which you failed to specify).

Best regards
Michael Boman

--
Michael Boman
Student, Husband, Geek. Not necessary in that order though.
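The following is an added example, not code from the thread or from Snort itself. It shows why the integer-range form of the query is the one to use against the 32-bit `ip_src` column, and why comparing the `inet_ntoa()` output as text gives wrong answers: dotted quads sort lexicographically, so "10.10.9.1" sorts after "10.10.255.255". The script builds an in-memory SQLite table (a constructed stand-in for Snort's `iphdr` table, holding only `ip_src`) with a few constructed addresses, and runs the CIDR search three ways: integer range (`BETWEEN` the first and last address of the block, inclusive), the text-comparison variant for contrast, and the bitmask shortcut `(ip_src & netmask) = network`. The `inet_aton`/`inet_ntoa` helpers stand in for the MySQL functions of the same name, which SQLite does not have.

```python
import ipaddress
import sqlite3

# Constructed sample addresses: some inside 10.10.0.0/16, some outside.
# 10.10.9.1 is the interesting one: inside the block numerically, but
# "10.10.9.1" > "10.10.255.255" when compared as text.
SAMPLE_ADDRESSES = [
    "10.10.0.0",
    "10.10.9.1",
    "10.10.255.255",
    "10.11.0.1",
    "192.168.1.5",
]


def inet_aton(dotted):
    """Dotted quad -> 32-bit unsigned integer (same mapping as MySQL INET_ATON)."""
    return int(ipaddress.IPv4Address(dotted))


def inet_ntoa(value):
    """32-bit unsigned integer -> dotted quad (same mapping as MySQL INET_NTOA)."""
    return str(ipaddress.IPv4Address(value))


def cidr_bounds(cidr):
    """Inclusive (first, last) integer addresses of a CIDR block."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def build_db():
    """Stand-in for Snort's iphdr table: ip_src stored as a 32-bit integer."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE iphdr (cid INTEGER PRIMARY KEY, ip_src INTEGER NOT NULL)")
    conn.executemany(
        "INSERT INTO iphdr (ip_src) VALUES (?)",
        [(inet_aton(a),) for a in SAMPLE_ADDRESSES],
    )
    # Register inet_ntoa so the text-comparison query can call it, as it would in MySQL.
    conn.create_function("inet_ntoa", 1, inet_ntoa)
    return conn


def sources_in_block(conn, cidr):
    """Integer range search: the form the reply recommends, with inclusive bounds."""
    lo, hi = cidr_bounds(cidr)
    rows = conn.execute(
        "SELECT ip_src FROM iphdr WHERE ip_src BETWEEN ? AND ? ORDER BY ip_src",
        (lo, hi),
    ).fetchall()
    return [inet_ntoa(r[0]) for r in rows]


def sources_in_block_by_mask(conn, cidr):
    """Bitmask shortcut: an address is in the block iff (ip & mask) == network."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    rows = conn.execute(
        "SELECT ip_src FROM iphdr WHERE (ip_src & ?) = ? ORDER BY ip_src",
        (int(net.netmask), int(net.network_address)),
    ).fetchall()
    return [inet_ntoa(r[0]) for r in rows]


def sources_in_block_by_string(conn, cidr):
    """Text comparison of inet_ntoa() output, shown only to demonstrate the pitfall."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    rows = conn.execute(
        "SELECT ip_src FROM iphdr WHERE inet_ntoa(ip_src) >= ? AND inet_ntoa(ip_src) <= ? "
        "ORDER BY ip_src",
        (str(net.network_address), str(net.broadcast_address)),
    ).fetchall()
    return [inet_ntoa(r[0]) for r in rows]


if __name__ == "__main__":
    db = build_db()
    print("integer range:", sources_in_block(db, "10.10.0.0/16"))
    print("bitmask:      ", sources_in_block_by_mask(db, "10.10.0.0/16"))
    print("text compare: ", sources_in_block_by_string(db, "10.10.0.0/16"))
```

The integer-range and bitmask queries both return the three addresses inside the block; the text comparison silently drops 10.10.9.1. Two things to check before running the integer form against a real Snort database: the column and the bound must share the same signedness (an address above 127.255.255.255 stored in a signed 32-bit column compares as a negative number), and a `>`/`<` range as written in the reply excludes the block's first and last addresses, so use `BETWEEN` or `>=`/`<=` if those matter.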