Snort mailing list archives
Problem: Snort Logging to database, problem with ip and port number formats
From: Thomas Murtagh <t_murtagh22 () yahoo ie>
Date: Tue, 27 Jul 2004 12:18:44 +0100 (BST)
Hi,

I have set up snort and configured it to log to a MySQL database, this appears to be working fine. Data is being logged as expected.

I have noticed however that within tables "iphdr" and "tcphdr", ip addresses (ip_src & ip_dst) and port numbers (tcp_sport & tcp_dport) are not being logged as expected. I have used the create_mysql script to create this database, however the above mentioned fields are logging ip addresses as integer (int) numbers and port numbers as small integers (smallint).

When using the command "describe iphdr", the field type for both ip_src and ip_dest is an int(10) unsigned. When using the command "describe tcphdr", the field type for both tcp_sport and tcp_dport is also an int(10) unsigned.

The following is some sample data contained within the database:

Table: iphdr

+-----+------+------------+------------+--------+
| sid | cid  | ip_src     | ip_dst     | ip_ver |
+-----+------+------------+------------+--------+
| 1   | 1000 | 3232245761 | 3232245900 | 4      |

AS YOU CAN SEE THE ABOVE ip_src and ip_dest are values not valid IP addresses:

Table: tcphdr

+-----+------+-----------+-----------+---------+
| sid | cid  | tcp_sport | tcp_dport | tcp_seq |
+-----+------+-----------+-----------+---------+
| 1   | 1000 | 59832     | 116       | 0       |

AS YOU CAN SEE THE ABOVE tcp_sport and tcp_dport values are not valid port numbers

Can anyone please advise me on how to get this to become valid data. I'm hoping to program an application in C/C++ which will require to read this information, is this data in a valid ip address?

Any information would be much appreciated.

Thanks
Thomas
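Added example, not part of the original post: a C sketch of how an application can read the integer values shown in the sample rows. It assumes ip_src/ip_dst hold the IPv4 address as a 32-bit unsigned integer with the most significant octet first (the encoding MySQL's INET_NTOA()/INET_ATON() use); the function names are hypothetical.

```c
/* Added example: decode the integer columns from the Snort MySQL schema.
   Assumption: ip_src/ip_dst hold the IPv4 address as a 32-bit unsigned
   integer, most significant octet first, the same encoding that MySQL's
   INET_NTOA()/INET_ATON() use. Function names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Format a stored ip_src/ip_dst value as dotted-quad text.
   buf must hold at least 16 bytes. Returns buf. */
const char *snort_ip_to_str(uint32_t ip, char *buf, size_t len)
{
    snprintf(buf, len, "%u.%u.%u.%u",
             (unsigned)((ip >> 24) & 0xFF), (unsigned)((ip >> 16) & 0xFF),
             (unsigned)((ip >> 8) & 0xFF), (unsigned)(ip & 0xFF));
    return buf;
}

/* Parse dotted-quad text back to the stored integer form.
   Returns 0 on success, -1 on malformed input. */
int snort_str_to_ip(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char extra;
    if (sscanf(s, "%3u.%3u.%3u.%3u%c", &a, &b, &c, &d, &extra) != 4)
        return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return -1;
    *out = ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
    return 0;
}

/* A database value is a usable TCP port if it fits in 16 bits. */
int snort_port_valid(unsigned long port)
{
    return port <= 65535UL;
}

int main(void)
{
    char src[16], dst[16];
    /* Row values copied from the iphdr/tcphdr sample in the post. */
    printf("%s:%u -> %s:%u\n",
           snort_ip_to_str(3232245761u, src, sizeof src), 59832u,
           snort_ip_to_str(3232245900u, dst, sizeof dst), 116u);
    return 0;
}
```

The same conversion can be done in the query itself with MySQL's INET_NTOA(ip_src).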