Snort mailing list archives

RE: Snort DB query question.


From: "Kreimendahl, Chad J" <Chad.Kreimendahl () umb com>
Date: Thu, 24 Oct 2002 23:43:05 -0500


To easily select on it, you could also convert the upper and lower
limits of that block into INT and do it that way.  There are tools out
there for most languages that will take IPs and return INTs.  This
should also allow for cross-functionality to DBs that don't have
inet_ntoa/aton type functions (Oracle, Postgres...).

-----Original Message-----
From: Michael Boman [mailto:michael () ayeka dyndns org] 
Sent: Thursday, October 24, 2002 9:50 PM
To: larosa, vjay
Cc: 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] Snort DB query question.


On Thu, Oct 24, 2002 at 10:22:57PM -0400, larosa, vjay wrote:
> Hello,
>
> I have a question that has been bugging me since I started using the
> database output plugin with snort. Why are the IP addresses stored in
> the DB in the 32 bit format? What is the advantage?

I would guess it's speed - it stores the IP addresses in the same format
they are received from the wire. Doing additional processing would slow
snort down, and when you analyze the data you won't notice the 1/100
sec delay, but snort would.

> I know there must be something I don't know. I know the SELECT
> inet_ntoa(ip_src) ...... trick to convert the IP's back to human
> readable format, but what if I want to search for a CIDR block like
> 10.10.0.0/16? How would this be done? Is it possible?

SELECT .... 
WHERE inet_ntoa(iphdr.ip_src) > "10.10.0.0" AND 
        inet_ntoa(iphdr.ip_src) < "10.10.255.255"

or

SELECT ....
WHERE iphdr.ip_src > inet_aton("10.10.0.0") AND
        iphdr.ip_src < inet_aton("10.10.255.255")


I think the last example is faster, haven't tried it (wrong OS, not at
work and so on...). And I am sure there are short-cuts for it as well,
check out the documentation for your SQL database (which you failed
to specify).

Best regards
 Michael Boman

-- 
Michael Boman
Student, Husband, Geek. Not necessary in that order though.



-------------------------------------------------------
This sf.net email is sponsored by: Influence the future 
of Java(TM) technology. Join the Java Community 
Process(SM) (JCP(SM)) program now. 
http://ads.sourceforge.net/cgi-bin/redirect.pl?sunm0003en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
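The following is an added example, not code from this thread or from Snort, showing both approaches discussed above in Python against an in-memory SQLite table with constructed rows. The iphdr table, the ip_src column name and the registered inet_ntoa stand-in are assumptions made to mirror the queries quoted in the thread. The block computes the integer bounds of a CIDR block in the application, as Chad suggests, so the same BETWEEN query works on any database; it also shows why the first query in the thread, which compares inet_ntoa() output as strings, silently drops matches: dotted-quad text sorts lexically, so "10.10.3.7" sorts after "10.10.255.255" and falls outside the string range even though it is inside the /16. An analyst filtering alerts that way would miss events from part of the block.

```python
import ipaddress
import sqlite3

# Constructed sample rows (not from any real Snort database). Each entry is a
# packet source address; the table stores it as the unsigned 32-bit integer
# the thread says the database output plugin writes into iphdr.ip_src.
SAMPLE_SOURCES = [
    "10.10.0.1",      # inside 10.10.0.0/16
    "10.10.3.7",      # inside, but sorts above "10.10.255.255" as text
    "10.10.30.1",     # inside, same string-ordering problem
    "10.10.255.254",  # inside
    "10.11.0.5",      # outside, one /16 over
    "192.0.2.9",      # outside
]


def ip_to_int(dotted):
    """Dotted-quad text -> 32-bit integer, what MySQL's inet_aton() does."""
    return int(ipaddress.IPv4Address(dotted))


def int_to_ip(value):
    """32-bit integer -> dotted-quad text, what MySQL's inet_ntoa() does."""
    return str(ipaddress.IPv4Address(value))


def cidr_bounds(cidr):
    """Return (lowest, highest) address of a CIDR block as integers.

    Doing this conversion in the application is Chad's suggestion: the query
    then only needs integer comparison, which every SQL database supports.
    """
    net = ipaddress.IPv4Network(cidr, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def build_db():
    """Create an in-memory table shaped like the assumed Snort iphdr table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER)"
    )
    conn.executemany(
        "INSERT INTO iphdr VALUES (1, ?, ?, ?)",
        [(cid, ip_to_int(src), ip_to_int("10.0.0.1"))
         for cid, src in enumerate(SAMPLE_SOURCES, 1)],
    )
    # SQLite has no inet_ntoa(); register one so the string-comparison query
    # from the thread can be run here for comparison.
    conn.create_function("inet_ntoa", 1, int_to_ip)
    return conn


def query_by_int(conn, cidr):
    """Correct approach: compare the stored integer against integer bounds.

    BETWEEN is inclusive, so the network and broadcast addresses are matched
    too; portable to any database because no address functions are used.
    """
    lo, hi = cidr_bounds(cidr)
    rows = conn.execute(
        "SELECT ip_src FROM iphdr WHERE ip_src BETWEEN ? AND ? ORDER BY cid",
        (lo, hi),
    ).fetchall()
    return [int_to_ip(r[0]) for r in rows]


def query_by_string(conn, cidr):
    """The thread's first query: compare inet_ntoa() text against text bounds.

    Text comparison is lexical, not numeric, so "10.10.3.7" > "10.10.255.255"
    and rows inside the block are silently excluded.
    """
    lo, hi = cidr_bounds(cidr)
    rows = conn.execute(
        "SELECT ip_src FROM iphdr "
        "WHERE inet_ntoa(ip_src) >= ? AND inet_ntoa(ip_src) <= ? ORDER BY cid",
        (int_to_ip(lo), int_to_ip(hi)),
    ).fetchall()
    return [int_to_ip(r[0]) for r in rows]


if __name__ == "__main__":
    db = build_db()
    print("integer compare:", query_by_int(db, "10.10.0.0/16"))
    print("string compare: ", query_by_string(db, "10.10.0.0/16"))
```

The integer query returns all four addresses inside 10.10.0.0/16; the string query returns only two of them. For blocks that do not fall on an octet boundary (a /20, say) the string version can also return addresses outside the block, so the integer comparison is the only one of the two to rely on in a query used for alert triage.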

