[Snort-devel] SQL query to find anomalies?

Mike Andersen mike at ...31...
Tue Sep 5 10:42:02 EDT 2000

Let's say that we add this table to the snort database:

	CREATE TABLE stdtraffic (
	  id         int unsigned DEFAULT '0' NOT NULL,
	  srv_ip     int unsigned not null,
	  srv_mask   int unsigned not null,
	  srv_proto  tinyint unsigned not null,
	  srv_port   tinyint unsigned,
	  cli_ip     int unsigned,
	  cli_mask   int unsigned

It should contain information about what we regard as legal traffic.  My
problem is to create the SQL query to find the sid/cid for all packages
that is not defined as legal.

	srv_proto must be compared to ip_proto.
	srv_port must be compared to tcp_port or udp_port.
	cli_ip and cli_mask defines legal clients

Anyone with good SQL knowledge who sees the solution to my problem? :-)

There's too much beauty upon this earth for lonely men to bear.
		-- Richard Le Gallienne

More information about the Snort-devel mailing list