[Snort-devel] SQL query to find anomalies?
mike at ...31...
Tue Sep 5 10:42:02 EDT 2000
Let's say that we add this table to the snort database:
CREATE TABLE stdtraffic (
id int unsigned DEFAULT '0' NOT NULL,
srv_ip int unsigned not null,
srv_mask int unsigned not null,            -- netmask applied to srv_ip (and to the packet's destination)
srv_proto tinyint unsigned not null,       -- compared against ip_proto
srv_port smallint unsigned,                -- was tinyint: ports run to 65535, so tinyint (max 255) cannot hold them
cli_ip int unsigned,
cli_mask int unsigned                      -- cli_ip/cli_mask define the legal clients
);
It should contain information about what we regard as legal traffic. My
problem is to create the SQL query to find the sid/cid for all packets
that are not defined as legal.
srv_proto must be compared to ip_proto.
srv_port must be compared to tcp_port or udp_port.
cli_ip and cli_mask define legal clients.
Anyone with good SQL knowledge who sees the solution to my problem? :-)
There's too much beauty upon this earth for lonely men to bear.
-- Richard Le Gallienne
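One way to write the query the post asks for, as an added example that is not part of the original thread, prototyped in Python with sqlite3 so it runs offline: a packet is an anomaly when NOT EXISTS a stdtraffic row covering it, with the netmask match done by bitwise AND. The column names ip_proto, tcp_port and udp_port are taken from the post; the log table names iphdr/tcphdr/udphdr, the columns sid/cid/ip_src/ip_dst, and the sample rows are constructed assumptions.

```python
import sqlite3
# Constructed stand-ins for the Snort log tables: ip_proto, tcp_port and
# udp_port are the post's column names; table names and the rest are assumed.
SCHEMA = """
CREATE TABLE iphdr (sid INT, cid INT, ip_src INT, ip_dst INT, ip_proto INT);
CREATE TABLE tcphdr (sid INT, cid INT, tcp_port INT);
CREATE TABLE udphdr (sid INT, cid INT, udp_port INT);
CREATE TABLE stdtraffic (id INT, srv_ip INT, srv_mask INT, srv_proto INT,
                         srv_port INT, cli_ip INT, cli_mask INT);
"""
# Anti-join: a packet is flagged when no stdtraffic row covers it. Bitwise AND
# with the mask does the network match; NULL srv_port/cli_ip means "any".
ANOMALY_SQL = """
SELECT i.sid, i.cid FROM iphdr i
LEFT JOIN tcphdr t ON t.sid = i.sid AND t.cid = i.cid
LEFT JOIN udphdr u ON u.sid = i.sid AND u.cid = i.cid
WHERE NOT EXISTS (
  SELECT 1 FROM stdtraffic s
  WHERE (i.ip_dst & s.srv_mask) = (s.srv_ip & s.srv_mask)
    AND i.ip_proto = s.srv_proto
    AND (s.srv_port IS NULL OR s.srv_port = COALESCE(t.tcp_port, u.udp_port))
    AND (s.cli_ip IS NULL OR (i.ip_src & s.cli_mask) = (s.cli_ip & s.cli_mask)))
ORDER BY i.sid, i.cid
"""

def ip(dotted):
    # Dotted quad -> 32-bit integer, as an unsigned int column would store it.
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

# Constructed sample: one rule (web server, TCP/80, clients from 10.0.0.0/24)
# and four logged packets as (sid, cid, ip_src, ip_dst, ip_proto, dst port).
RULES = [(1, ip("192.168.1.10"), ip("255.255.255.255"), 6, 80,
          ip("10.0.0.0"), ip("255.255.255.0"))]
PACKETS = [(1, 1, "10.0.0.5", "192.168.1.10", 6, 80),    # legal
           (1, 2, "10.0.0.5", "192.168.1.10", 6, 22),    # wrong port
           (1, 3, "172.16.0.9", "192.168.1.10", 6, 80),  # foreign client
           (1, 4, "10.0.0.5", "192.168.1.10", 17, 53)]   # wrong protocol

def find_anomalies(packets=PACKETS, rules=RULES):
    """Load rows into an in-memory DB; return (sid, cid) of uncovered packets."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    for sid, cid, src, dst, proto, port in packets:
        con.execute("INSERT INTO iphdr VALUES (?,?,?,?,?)", (sid, cid, ip(src), ip(dst), proto))
        layer4 = {6: "tcphdr", 17: "udphdr"}.get(proto)
        if layer4:
            con.execute(f"INSERT INTO {layer4} VALUES (?,?,?)", (sid, cid, port))
    con.executemany("INSERT INTO stdtraffic VALUES (?,?,?,?,?,?,?)", rules)
    return con.execute(ANOMALY_SQL).fetchall()
```

The same SELECT works unchanged in MySQL with the unsigned int columns from the post; a packet with no TCP or UDP header (COALESCE gives NULL) can only be covered by a rule whose srv_port is NULL, which is the intended "any port" behaviour.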