Snort mailing list archives

unpacking IP in ACID DB - how


From: "Don Murdoch" <djmurd () cox net>
Date: Sun, 1 Aug 2004 21:23:57 -0400


        Hi there ...

        I am attempting to work out some PERL programs that can produce
        the Hee So / Less Gordon analysis format from the ACID database.
        In order to do that I need to extract the IP address from the 
        "acid_event" table.  Apparently the data is stored in an 8 byte
        field.  I haven't a good idea on how to extract it.

        I needed through the opt_database.c code and can't quite follow
        how to get it out using perl (the issue is conversion).

        I see in the ACID PHP code that it uses a PHP function called
        "long2ip" and has some range checks on it.

        I did see the discussion on the ACID page "how IP's are stored"
        but don't have quite enough perl skills to figure out how to
        "shift and bit mask" as they discuss.

        I have found a bunch of articles that discuss the concept, but
        haven't found enough perl code to move forward.

        I assume that others out there have had a need to read the data
        from the ACID db in a non-PHP language, and I would appreciate a
        perl code chunk / snippet to help out.

        Thank you all.

--------------------------------------
From the home outbox of ... 
Don Murdoch, CISSP
GCWN, GCUX, GCIA, GCIH,  MCSD, MCSE (NT/2K)
Today's Sun Tzu Quote: "To fight and conquer in all your battles is not
supreme excellence; supreme excellence consists in breaking the enemy's
resistance without fighting." -Sun Tzu 
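
The "shift and bit mask" conversion asked about above, as an added example that is not part of the original post and not ACID's or Snort's own code. It assumes the value read from the database is the IPv4 address as an unsigned 32-bit integer with the first octet in the most significant byte; the function names and sample values are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Integer -> dotted quad: shift the wanted octet down to the low 8 bits,
# then mask with 0xFF to throw away everything above it.
sub int_to_ip {
    my ($n) = @_;
    # Range check: only whole numbers 0 .. 2^32-1 are valid IPv4 values.
    # This also rejects NULLs, negatives and values from the wrong column.
    return unless defined $n && $n =~ /\A[0-9]+\z/ && $n <= 0xFFFFFFFF;
    return join '.', map { ($n >> $_) & 0xFF } (24, 16, 8, 0);
}

# Same result using pack/unpack: 'N' is a 32-bit big-endian integer,
# 'C4' reads it back as four unsigned bytes. Useful as a cross-check.
sub int_to_ip_packed {
    my ($n) = @_;
    return join '.', unpack 'C4', pack 'N', $n;
}

# Dotted quad -> integer, for building WHERE clauses on the integer column.
sub ip_to_int {
    my ($ip) = @_;
    my @octets = split /\./, $ip, -1;
    return unless @octets == 4;
    for my $o (@octets) {
        return unless $o =~ /\A[0-9]{1,3}\z/ && $o <= 255;
    }
    return ($octets[0] << 24) | ($octets[1] << 16) | ($octets[2] << 8) | $octets[3];
}

# Constructed sample values standing in for rows fetched with DBI.
for my $raw (3232235777, 167772161, 0, 4294967296, undef) {
    my $ip    = int_to_ip($raw);
    my $label = defined $raw ? $raw : 'NULL';
    if (defined $ip) {
        my $check = int_to_ip_packed($raw) eq $ip ? 'ok' : 'MISMATCH';
        printf "%-12s -> %-15s (pack/unpack cross-check: %s)\n", $label, $ip, $check;
    } else {
        printf "%-12s -> rejected by range check\n", $label;
    }
}

my $back = ip_to_int('192.168.1.1');
print "192.168.1.1  -> $back\n" if defined $back;
```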


