Snort mailing list archives
Re: Barnyard2 output to postgreSQL
From: Avery Rozar <Avery.Rozar () i-techsupport com>
Date: Sat, 24 May 2014 17:48:33 +0000
Thanks. I was able to use inet to bring them to dot-decimal notation, similar to what it looks like you were explaining for MySQL.

SELECT '0.0.0.0'::inet + ip_src as ipsrc, '0.0.0.0'::inet + ip_dst as ipdst from iphdr;

From: Y M <snort () outlook com>
Date: Saturday, May 24, 2014 at 10:41 AM
To: Avery Rozar <avery.rozar () i-techsupport com>, snort-users <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] Barnyard2 output to postgreSQL
Is this due to HEX encoding?
Databases do not have a dot-decimal notation data type to store IP addresses; instead they are usually stored as unsigned integers in the database, to achieve a small storage footprint and better performance (as opposed to strings). In MySQL the conversion between the two notations can be done through the built-in functions INET_NTOA() and INET_ATON(). I do not have specific experience with PostgreSQL, but it may have similar functions that you can use in your query. There are online conversion tools as well that you can test with.

Hope this helps

YM
From: Avery.Rozar () i-techsupport com
To: Avery.Rozar () i-techsupport com; snort-users () lists sourceforge net
Date: Sat, 24 May 2014 01:42:12 +0000
Subject: Re: [Snort-users] Barnyard2 output to postgreSQL

Is this due to HEX encoding?

On 5/23/14, 9:25 PM, "Avery Rozar" <Avery.Rozar () i-techsupport com> wrote:

Is something wrong with my ip info from barnyard2? The ip addresses are not showing up as standard IPv4 as I'd thought.

csdashboard=# select * from iphdr ;
 sid | cid |   ip_src   |   ip_dst   | ip_ver | ip_hlen | ip_tos | ip_len | ip_id | ip_flags | ip_off | ip_ttl | ip_proto | ip_csum
-----+-----+------------+------------+--------+---------+--------+--------+-------+----------+--------+--------+----------+---------
   1 |   1 | 2886730039 | 2887777037 |      4 |       5 |      0 |    663 |  4063 |        0 |      0 |     64 |        6 |   54285
   1 |   2 | 2886730039 | 2887777037 |      4 |       5 |      0 |    663 | 28735 |        0 |      0 |     64 |        6 |   29613
   1 |   3 | 1815870597 | 2887777037 |      4 |       5 |      0 |    419 | 51507 |        0 |      0 |     60 |        6 |   25651

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
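The following is an added worked example, not code from the thread or from Barnyard2 itself. It reproduces outside the database what the PostgreSQL expression '0.0.0.0'::inet + ip_src and MySQL's INET_NTOA()/INET_ATON() do, using the three iphdr rows quoted above as constructed sample input, so the integer values can be checked against the dotted form before trusting a dashboard query. It also handles the one failure mode worth knowing about: if the column is read back through a signed 32-bit type, any address with a first octet of 128 or higher (172.x, 192.168.x, most public space) comes out negative, and from_signed32() undoes that wrap-around. The function names and the IPHDR_ROWS constant are this example's own.

```python
"""Render Barnyard2 iphdr integer addresses as dotted-quad strings.

Added example (not from the mailing list thread). Barnyard2 stores
ip_src/ip_dst as unsigned 32-bit integers; these helpers mirror
PostgreSQL's  '0.0.0.0'::inet + ip_src  and MySQL's INET_NTOA() /
INET_ATON() so the values can be verified outside the database.
"""
import ipaddress
import struct

# Constructed sample: (sid, cid, ip_src, ip_dst) copied from the psql
# output quoted in the thread.
IPHDR_ROWS = [
    (1, 1, 2886730039, 2887777037),
    (1, 2, 2886730039, 2887777037),
    (1, 3, 1815870597, 2887777037),
]


def int_to_dotted(value: int) -> str:
    """Equivalent of MySQL INET_NTOA(): unsigned 32-bit integer -> 'a.b.c.d'."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"not an unsigned 32-bit value: {value}")
    return str(ipaddress.IPv4Address(value))


def dotted_to_int(text: str) -> int:
    """Equivalent of MySQL INET_ATON(): 'a.b.c.d' -> unsigned 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def from_signed32(value: int) -> int:
    """Undo the wrap-around of a value read through a signed 32-bit column.

    Addresses at or above 128.0.0.0 exceed 2**31 - 1, so a signed INTEGER
    column shows them as negative numbers; reinterpret the same 4 bytes
    as unsigned to recover the real value.  Non-negative input is returned
    unchanged.
    """
    if value < 0:
        return struct.unpack("<I", struct.pack("<i", value))[0]
    return value


def render_rows(rows):
    """Return [(sid, cid, 'src', 'dst'), ...] with both addresses dotted."""
    return [
        (sid, cid, int_to_dotted(from_signed32(src)), int_to_dotted(from_signed32(dst)))
        for sid, cid, src, dst in rows
    ]


if __name__ == "__main__":
    # Mirrors the SELECT in the thread, rendered as a small text table.
    for sid, cid, src, dst in render_rows(IPHDR_ROWS):
        print(f"{sid} | {cid} | {src:>15} | {dst:>15}")
```

Running it prints the same rows the psql query returns, with ip_src/ip_dst shown as 172.16.1.55, 172.31.251.13 and 108.59.252.133. The same conversion is what the '0.0.0.0'::inet + column trick performs server-side; the signed-column check matters mainly when the schema was created by hand with INTEGER rather than BIGINT.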
Current thread:
- Barnyard2 output to postgreSQL Avery Rozar (May 23)
- Re: Barnyard2 output to postgreSQL beenph (May 24)
- <Possible follow-ups>
- Re: Barnyard2 output to postgreSQL Avery Rozar (May 23)
- Re: Barnyard2 output to postgreSQL Y M (May 24)
- Re: Barnyard2 output to postgreSQL Avery Rozar (May 24)
- Re: Barnyard2 output to postgreSQL Y M (May 24)