Re: correlating sys_read data to "source" ip

["troy d. straszheim" <troy () resophonic com>]

On Thu, Aug 17, 2006 at 10:31:40AM -0400, Camilo Viecco wrote:
> So steps:
> 1. find the process you are interested in: select sensor_id,process_id
> from sys_read where ****YOUR_CRITERIA_HERE***
> 2. find the sockets related to such process... (maybe you are lucky):
> select sensor_id,argus_id from sys_socket where process_id= (your
> previous result) 
> 3. if there are sockets, you can use the argus_id to query the argus
> table for the information (you can actually mix all this in just one
> large query if you are using a more recent version on mysql)
> 4. if unsuccessful AND you know that the activity of interest is related
> to a  network connection
>     find the parent process id: select * from process_tree where
> child_process_id=your_current_process_id_of_interest
> 5  use this new information go to step 2... (iterate until you get
> tired/or find the answer/or find to many answers)

Exactly what I was looking for.  Thanks a million.  (And a late thanks
for the tip on DB purging).

-troy