[Snort-devel] source/dest tcp/ip address from log

tlewis at ...255... tlewis at ...255...
Thu Oct 11 06:35:18 EDT 2001


Oh, and I think that under Postgres you can cast the value into their
ipv4_addr (or whatever) data type, obviating the need for the C program.
I had asked Jed why he didn't use Postgres's native IPv4 address support,
and he said it was to retain a common schema across all databases; this
is an example of where that change would help.

--
Todd Lewis
tlewis at ...255...

On Thu, 11 Oct 2001, Peter Moore wrote:

> Hi,
>     I did a search before I posted, but here goes.
> I'm writing my alerts to a PostgreSQL database as well as the standard alert 
> file, and it works fine.
> 
> What I need to know is how to get the TCP/IP address displaying from the 
> database, and I guess which table(s). I assume that the iphdr table is where 
> this is stored, but I don't know how to get the address into the standard 
> xxx.xxx.xxx.xxx format. (Excuse my ignorance.)
> 
> I wrote a quick'n'dirty C program, the essence of which is here:
> ...
> printf("The source value is %s ok\n",   inet_ntoa("3419110822"));
> printf("The dest value is %s ok\n",  inet_ntoa("3406943572"));
> ...
> Running it I get:
> The source value is 56.9.0.128 ok
> The dest value is 94.9.0.128 ok
> 
> which is not correct. The values from the iphdr database table are:
> select * from iphdr where cid = 200;
>  sid | cid |   ip_src   |   ip_dst   | ip_ver | ip_hlen | ip_tos | ip_len | ip_id | ip_flags | ip_off | ip_ttl | ip_proto | ip_csum
> -----+-----+------------+------------+--------+---------+--------+--------+-------+----------+--------+--------+----------+---------
>    4 | 200 | 3419110822 | 3406943572 |      4 |       5 |      0 |    140 | 41250 |        0 |      0 |    106 |        6 |   34161
> 
> The address shows up fine in the alert log file, so it is being formatted 
> before it is written.
> 
> Could someone please help me with this? Or point me to a URL? I am writing 
> this in C.
> If you need any further info, please let me know.
> Thanks in advance,
> Peter
> *******************************************
> Peter Moore
> Director
> Computer Database and Web Solutions Pty Ltd
> ACN 070 000 065
> 
> peter at ...799...
> http://beos.loved.com/
> *******************************************
> 
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> 
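
A working C version of the conversion Peter's program attempts, added here as an example (it is neither his code nor Snort's). The defect in the quoted snippet is that inet_ntoa() takes a struct in_addr by value, not a string, so passing "3419110822" hands it a pointer rather than the address. The example assumes what the quoted row indicates: the database plugin stores ip_src/ip_dst as the 32-bit unsigned address value in host byte order. Under that assumption the two quoted values decode to 203.203.125.166 and 203.17.213.84. The text from the query is parsed as an integer with range and junk checks, converted to network order with htonl(), and formatted with inet_ntop() into a caller-supplied buffer; inet_ntoa() returns a pointer into one static buffer, so two calls in a single printf() would print the same address twice.

```c
/* Added example (not Peter's program, not Snort code): convert the decimal
 * ip_src/ip_dst values the Snort database plugin stores in the iphdr table
 * into dotted-quad text. Assumption: the column holds the IPv4 address as a
 * 32-bit unsigned integer in host byte order, as the thread's values suggest. */
#include <arpa/inet.h>
#include <ctype.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse decimal text such as "3419110822" into a 32-bit host-order value.
 * Returns 0 on success, -1 if the text is not a plain unsigned number that
 * fits in 32 bits (rejects signs, whitespace, trailing junk and overflow). */
int parse_ip_column(const char *text, uint32_t *out)
{
    char *end = NULL;
    unsigned long long v;

    if (text == NULL || !isdigit((unsigned char)*text))
        return -1;
    errno = 0;
    v = strtoull(text, &end, 10);
    if (errno != 0 || *end != '\0' || v > 0xFFFFFFFFULL)
        return -1;
    *out = (uint32_t)v;
    return 0;
}

/* Format a host-order IPv4 value as dotted quad into buf
 * (buflen must be at least INET_ADDRSTRLEN). Returns 0 on success. */
int format_ipv4(uint32_t host_order, char *buf, size_t buflen)
{
    struct in_addr a;
    a.s_addr = htonl(host_order);   /* struct in_addr holds network byte order */
    return inet_ntop(AF_INET, &a, buf, (socklen_t)buflen) != NULL ? 0 : -1;
}

/* Decimal column text -> dotted quad. Returns 0 on success, -1 on bad input. */
int ip_column_to_text(const char *text, char *buf, size_t buflen)
{
    uint32_t v;
    if (parse_ip_column(text, &v) != 0)
        return -1;
    return format_ipv4(v, buf, buflen);
}

int main(void)
{
    /* Constructed input: the two values from the iphdr row quoted above. */
    const char *cols[] = { "3419110822", "3406943572" };
    char src[INET_ADDRSTRLEN], dst[INET_ADDRSTRLEN];

    if (ip_column_to_text(cols[0], src, sizeof src) != 0 ||
        ip_column_to_text(cols[1], dst, sizeof dst) != 0) {
        fprintf(stderr, "bad ip column value\n");
        return 1;
    }
    printf("The source value is %s\n", src);
    printf("The dest value is %s\n", dst);
    return 0;
}
```

On current PostgreSQL releases the same conversion is available in the query itself, along the lines Todd suggests: `'0.0.0.0'::inet + ip_src` (the inet-plus-bigint offset operator) yields the dotted form directly, and bigint cannot be cast to inet without that trick. Whether that operator existed in the PostgreSQL version in use when this thread was written is not something the thread establishes, so treat it as an assumption to verify against your own server.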
