[Snort-devel] source/dest tcp/ip address from log

Peter Moore peter at ...799...
Thu Oct 11 06:42:06 EDT 2001


yes!! that was it.
thanks a lot for that. i couldn't find the documentation on how the database 
output module was storing the value and was patiently going through the code.

so you've saved me a lot of reading :) although it was a good read though.

in case you're wondering what i am doing, i am writing a GUI display for BeOS 
5 to display the logged alert data from out of a PostgreSQL database all on 
BeOS. I am aiming to produce something like DEMARC, but in an app rather than 
HTML, although a HTML version might be considered later.

<shameless_plug>
my BeOS "server" is monitoring several servers using my port of Snort for 
BeOS available here:
http://www.bebits.com/app/2490
</shameless_plug>

Thanks again for your help
regards
peter


>Are the octets reversed?  I.e., are you expecting 128.0.9.56
>and 128.0.9.94?  If so, then you need to ntohl() the value before
>inet_ntoa()'ing it.
>
>--
>Todd Lewis
>tlewis at ...255...
>
>On Thu, 11 Oct 2001, Peter Moore wrote:
>
>> hi,
>>     i did a search before i posted but here goes.
>> i'm writing my alerts to a PostgreSQL database as well as the standard alert
>> file and it works fine.
>> 
>> what i need to know is how to get the tcp/ip address displaying from the
>> database, and i guess which table(s). i assume that the iphdr table is where
>> this is stored, but i don't know how to get the address into the standard
>> xxx.xxx.xxx.xxx format. (excuse my ignorance)
>> 
>> i wrote a quick'n'dirty C program the essence of which is here:
>> ...
>> struct in_addr src, dst;
>> src.s_addr = 3419110822;   /* ip_src as read from the iphdr table, no byte-order conversion */
>> dst.s_addr = 3406943572;   /* ip_dst likewise */
>> printf("The source value is %s ok\n", inet_ntoa(src));
>> printf("The dest value is %s ok\n",   inet_ntoa(dst));
>> ...
>> running it i get:
>> The source value is 56.9.0.128 ok
>> The dest value is 94.9.0.128 ok
>> 
>> which is not correct. the values from the iphdr database table are:
>> select * from iphdr where cid = 200;
>>  sid | cid |   ip_src   |   ip_dst   | ip_ver | ip_hlen | ip_tos | ip_len | ip_id | ip_flags | ip_off | ip_ttl | ip_proto | ip_csum
>> -----+-----+------------+------------+--------+---------+--------+--------+-------+----------+--------+--------+----------+---------
>>    4 | 200 | 3419110822 | 3406943572 |      4 |       5 |      0 |    140 | 41250 |        0 |      0 |    106 |        6 |   34161
>> 
>> the address shows up fine in the alert log file so it is being formatted 
>> before it is written.
>> 
>> Could someone please help me with this? Or point me to a URL? I am writing
>> this in C.
>> if you need any further info, please let me know.
>> thanks in advance
>> peter
>> *******************************************
>> Peter Moore
>> Director
>> Computer Database and Web Solutions Pty Ltd
>> ACN 070 000 065
>> 
>> peter at ...799...
>> http://beos.loved.com/
>> *******************************************
>> 
>> 
>> _______________________________________________
>> Snort-devel mailing list
>> Snort-devel at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>> 
>
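The byte-order fix Todd describes (convert the stored integer before formatting it), as an added C example that is not from the thread or from Snort itself. It assumes the iphdr row holds ip_src / ip_dst as host-order unsigned 32-bit integers, exactly as the row above shows, and uses inet_ntop() in place of inet_ntoa() so the result lands in a caller-supplied buffer; the "raw" variant reproduces the reversed-octet output from the original post on a little-endian host.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <arpa/inet.h>

/* Format the host-order integer stored in iphdr.ip_src / iphdr.ip_dst as a
   dotted quad. htonl() puts it back into network byte order, which is what
   struct in_addr holds (ntohl(), as suggested in the thread, is the same
   byte swap). Returns 1 on success, 0 if the buffer is too small. */
int db_ip_to_string(uint32_t db_value, char *out, size_t out_len)
{
    struct in_addr a;
    a.s_addr = htonl(db_value);
    return inet_ntop(AF_INET, &a, out, out_len) != NULL;
}

/* The pitfall from the original post: copy the integer into in_addr with no
   byte-order conversion. Only correct on a big-endian host. */
int db_ip_to_string_raw(uint32_t db_value, char *out, size_t out_len)
{
    struct in_addr a;
    a.s_addr = db_value;
    return inet_ntop(AF_INET, &a, out, out_len) != NULL;
}

/* Inverse direction, so a front end can search the table by address:
   parse a dotted quad into the host-order integer the table holds.
   Returns 0 on a malformed address. */
int string_to_db_ip(const char *dotted, uint32_t *db_value)
{
    struct in_addr a;
    if (inet_pton(AF_INET, dotted, &a) != 1) return 0;
    *db_value = ntohl(a.s_addr);
    return 1;
}

/* Helpers returning 1 when the conversion yields the expected text/value. */
int check_db_ip(uint32_t db_value, const char *expected)
{
    char buf[INET_ADDRSTRLEN];
    return db_ip_to_string(db_value, buf, sizeof buf) && strcmp(buf, expected) == 0;
}
int check_db_ip_raw(uint32_t db_value, const char *expected)
{
    char buf[INET_ADDRSTRLEN];
    return db_ip_to_string_raw(db_value, buf, sizeof buf) && strcmp(buf, expected) == 0;
}
int check_roundtrip(const char *dotted, uint32_t expected)
{
    uint32_t v;
    return string_to_db_ip(dotted, &v) && v == expected;
}
```

Run against the two values from the iphdr row above (3419110822 and 3406943572), db_ip_to_string() yields 203.203.125.166 and 203.17.213.84, while the raw variant yields the octets reversed on x86.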
