[Snort-devel] source/dest tcp/ip address from log

Peter Moore peter at ...799...
Thu Oct 11 06:09:10 EDT 2001


hi,
    i did a search before i posted but here goes.
i'm writing my alerts to a PostgreSQL database as well as the standard alert 
file and it works fine.

what i need to know is how to get the tcp/ip address displaying from the 
database, and i guess which table(s). i assume that the iphdr table is where 
this is stored, but i don't know how to get the address into the standard 
xxx.xxx.xxx.xxx format. (excuse my ignorance)

i wrote a quick'n'dirty C program, the essence of which is here:
...
printf("The source value is %s ok\n",   inet_ntoa("3419110822"));
printf("The dest value is %s ok\n",  inet_ntoa("3406943572"));
...
running it i get:
The source value is 56.9.0.128 ok
The dest value is 94.9.0.128 ok

which is not correct. the values from the iphdr database table are:
select * from iphdr where cid = 200;
 sid | cid |   ip_src   |   ip_dst   | ip_ver | ip_hlen | ip_tos | ip_len | ip_id | ip_flags | ip_off | ip_ttl | ip_proto | ip_csum
-----+-----+------------+------------+--------+---------+--------+--------+-------+----------+--------+--------+----------+---------
   4 | 200 | 3419110822 | 3406943572 |      4 |       5 |      0 |    140 | 41250 |        0 |      0 |    106 |        6 |   34161

the address shows up fine in the alert log file so it is being formatted 
before it is written.

Could someone please help me with this ? Or point me to a URL ? I am writing 
this in C.
if you need any further info, please let me know.
thanks in advance
peter
*******************************************
Peter Moore
Director
Computer Database and Web Solutions Pty Ltd
ACN 070 000 065

peter at ...799...
http://beos.loved.com/
*******************************************
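Added example (not part of the original post, and not Snort project code): the snippet above passes a string to inet_ntoa(), but inet_ntoa() takes a struct in_addr by value, so it formats whatever bytes happen to be passed rather than the number in the string. The program below assumes the iphdr.ip_src / ip_dst columns hold the address as an unsigned 32-bit integer in host byte order (the sample values in the post are consistent with that), converts the value with htonl() into a struct in_addr, and renders it with inet_ntop(); a second function does the same by hand with shifts and masks, which is handy when the socket headers are not wanted. The two row values from the post are used as constructed input.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Convert a 32-bit IPv4 address stored as a host-order unsigned integer
 * (assumed format of the iphdr.ip_src / ip_dst columns) to dotted-quad
 * text. buf must hold at least INET_ADDRSTRLEN bytes. Returns buf, or
 * NULL if inet_ntop() fails. */
const char *ip_from_db(uint32_t value, char *buf, size_t len)
{
    struct in_addr addr;
    /* The column is host order; inet_ntop() expects network order. */
    addr.s_addr = htonl(value);
    return inet_ntop(AF_INET, &addr, buf, (socklen_t)len);
}

/* Same conversion without the socket library: pull each octet out with
 * shifts and masks, most significant byte first. Returns the number of
 * characters snprintf() would have written. */
int ip_from_db_manual(uint32_t value, char *buf, size_t len)
{
    return snprintf(buf, len, "%u.%u.%u.%u",
                    (unsigned)((value >> 24) & 0xffu),
                    (unsigned)((value >> 16) & 0xffu),
                    (unsigned)((value >> 8) & 0xffu),
                    (unsigned)(value & 0xffu));
}

/* Convenience check: 1 if both conversions of value render as expected. */
int ip_from_db_matches(uint32_t value, const char *expected)
{
    char a[INET_ADDRSTRLEN], b[INET_ADDRSTRLEN];
    if (ip_from_db(value, a, sizeof a) == NULL)
        return 0;
    ip_from_db_manual(value, b, sizeof b);
    return strcmp(a, expected) == 0 && strcmp(b, expected) == 0;
}

int main(void)
{
    char src[INET_ADDRSTRLEN], dst[INET_ADDRSTRLEN];
    /* Values copied from the iphdr row (cid = 200) quoted in the post. */
    ip_from_db(3419110822u, src, sizeof src);
    ip_from_db(3406943572u, dst, sizeof dst);
    printf("src %s -> dst %s\n", src, dst);
    return 0;
}
```

Once the value is read out of the database (for example into an unsigned long via the PostgreSQL client library), pass it through ip_from_db() rather than inet_ntoa(); if the column turns out to be stored in network order instead, drop the htonl() call and the manual version's shift order reverses.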