[Snort-devel] source/dest tcp/ip address from log

Peter Moore peter at ...799...
Thu Oct 11 06:09:10 EDT 2001

I did a search before I posted, but here goes.
I'm writing my alerts to a PostgreSQL database as well as the standard alert 
file, and it works fine.

What I need to know is how to get the TCP/IP address displaying from the 
database, and I guess which table(s). I assume that the iphdr table is where 
this is stored, but I don't know how to get the address into the standard 
xxx.xxx.xxx.xxx format. (Excuse my ignorance.)

I wrote a quick'n'dirty C program, the essence of which is here:
printf("The source value is %s ok\n",   inet_ntoa("3419110822"));
printf("The dest value is %s ok\n",  inet_ntoa("3406943572"));
Running it I get:
The source value is ok
The dest value is ok

which is not correct. The values from the iphdr database table are:
select * from iphdr where cid = 200;
 sid | cid |   ip_src   |   ip_dst   | ip_ver | ip_hlen | ip_tos | ip_len | ip_id | ip_flags | ip_off | ip_ttl | ip_proto | ip_csum
   4 | 200 | 3419110822 | 3406943572 |      4 |       5 |      0 |    140 | 41250 |        0 |      0 |    106 |        6 |   34161

The address shows up fine in the alert log file, so it is being formatted 
before it is written.

Could someone please help me with this? Or point me to a URL? I am writing 
this in C.
If you need any further info, please let me know.
Thanks in advance,
Peter Moore
Computer Database and Web Solutions Pty Ltd
ACN 070 000 065

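Added example, not code from the original post: the ip_src and ip_dst columns hold the address as a single unsigned 32-bit integer (host byte order is assumed here, which matches the values shown), and inet_ntoa() takes a struct in_addr rather than a string, which is why the calls above print nothing. The program below converts the two database values to dotted quads with inet_ntop(), which, unlike inet_ntoa(), writes into a caller-supplied buffer; the value names and helper functions are my own.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* iphdr.ip_src / ip_dst: one unsigned 32-bit integer in host byte order
 * (assumption, consistent with the row shown in the post).
 * Writes "a.b.c.d" into buf (needs INET_ADDRSTRLEN bytes); returns buf,
 * or NULL on failure. */
char *ip_int_to_dotted(uint32_t host_order_ip, char *buf, size_t len)
{
    struct in_addr addr;
    addr.s_addr = htonl(host_order_ip);   /* in_addr is network byte order */
    return inet_ntop(AF_INET, &addr, buf, len) ? buf : NULL;
}

/* Same conversion from the decimal string a DB client returns, e.g.
 * "3419110822". Rejects junk, signs and values that do not fit 32 bits. */
char *ip_str_to_dotted(const char *db_value, char *buf, size_t len)
{
    char *end;
    unsigned long v;
    if (db_value == NULL || !isdigit((unsigned char)*db_value))
        return NULL;
    errno = 0;
    v = strtoul(db_value, &end, 10);
    if (errno == ERANGE || *end != '\0' || v > 0xFFFFFFFFUL)
        return NULL;
    return ip_int_to_dotted((uint32_t)v, buf, len);
}

int main(void)
{
    /* Constructed input: the ip_src and ip_dst values from the post's row. */
    const char *cols[] = { "3419110822", "3406943572", "not-an-int" };
    char buf[INET_ADDRSTRLEN];
    for (size_t i = 0; i < sizeof cols / sizeof cols[0]; i++) {
        if (ip_str_to_dotted(cols[i], buf, sizeof buf))
            printf("%s -> %s\n", cols[i], buf);
        else
            printf("%s -> (not a valid IPv4 integer)\n", cols[i]);
    }
    return 0;
}
```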