[Snort-devel] Snort full log files need hierarchy

James Hoagland hoagland at ...60...
Sat Mar 23 13:16:13 EST 2002


Actually, David, I'm not seeing the advantage.

At 3:20 PM -0500 3/23/02, David Ford wrote:
>Here is some food for thought.
>
>Store the directories in two char zero prefixed hexadecimal format. 
>For example, 208.179.59.1 would become /d0/b3/3b/01/data
>
>The advantages of this are:
>
>a) each directory is always two chars long
>b) a directory listing can be naturally sorted at zero cost.  01-ff 
>is natural the entire way vs. trying to naturally sort 20 vs. 
>199.

Well, you can get uniform-length and natural sorting using 0-padding 
to 3 bytes.   I'm not sure where that would be particularly 
advantageous though in the current context.

>To create the directory string:
>sprintf(string, "%02x/%02x/%02x/%02x/", o1, o2, o3, o4);

Same thing except use %03d.

>c) IPs are already known in hex form, a simple type bitshift && 
>mask|add int<>char is all that's needed to convert either direction

>To get each octet:
>#define o1(value) (((value)>>24) & 0xff)
>#define o2(value) (((value)>>16) & 0xff)
>#define o3(value) (((value)>>8) & 0xff)
>#define o4(value) ((value) & 0xff)

This is also how you would get the octets in the decimal format.

>
>The disadvantages of this are:
>
>a) those who don't understand hex might be confused?

It would still be harder to use, even for those who know hex, since most 
other representations of IPv4 addresses are in decimal.

Regards,

   Jim
-- 
|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*            --- Silicon Defense: IDS Solutions ---             *|
|*  hoagland at ...60..., http://www.silicondefense.com/  *|
|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|
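
The two directory schemes discussed in this thread, as an added worked example (not code from the thread or from Snort): it builds the hex path from David's post and the zero-padded decimal path from the reply for the same address, and checks whether plain strcmp() order of the resulting paths agrees with numeric order of the addresses, which is where unpadded decimal ("20" vs "199") breaks. `parse_ipv4`, `hex_path`, `dec_path`, `plain_dec_path` and `order_agrees` are names chosen here; input is validated with inet_pton() so a malformed address is rejected before any path is built.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <arpa/inet.h>

/* Octet extraction as in the quoted post (value in host byte order). */
#define o1(value) (((value) >> 24) & 0xff)
#define o2(value) (((value) >> 16) & 0xff)
#define o3(value) (((value) >> 8) & 0xff)
#define o4(value) ((value) & 0xff)

/* Parse dotted-quad text into a host-order 32-bit value; 0 on bad input.
 * Because each octet is bounded to 0..255, no path component produced
 * below can ever be "..", "/" or anything else outside the hierarchy. */
static int parse_ipv4(const char *text, uint32_t *out) {
    struct in_addr a;
    if (inet_pton(AF_INET, text, &a) != 1) return 0;
    *out = ntohl(a.s_addr);
    return 1;
}

/* Hex scheme from the post: 208.179.59.1 -> "d0/b3/3b/01/" */
static int hex_path(uint32_t ip, char *buf, size_t len) {
    return snprintf(buf, len, "%02x/%02x/%02x/%02x/",
                    (unsigned)o1(ip), (unsigned)o2(ip), (unsigned)o3(ip), (unsigned)o4(ip));
}

/* Zero-padded decimal scheme from the reply: -> "208/179/059/001/" */
static int dec_path(uint32_t ip, char *buf, size_t len) {
    return snprintf(buf, len, "%03u/%03u/%03u/%03u/",
                    (unsigned)o1(ip), (unsigned)o2(ip), (unsigned)o3(ip), (unsigned)o4(ip));
}

/* Unpadded decimal, the form both posters are trying to avoid. */
static int plain_dec_path(uint32_t ip, char *buf, size_t len) {
    return snprintf(buf, len, "%u/%u/%u/%u/",
                    (unsigned)o1(ip), (unsigned)o2(ip), (unsigned)o3(ip), (unsigned)o4(ip));
}

/* 1 if strcmp() order of the two paths matches numeric order of the two
 * addresses, 0 if it does not, -1 if either address fails to parse. */
static int order_agrees(const char *a_txt, const char *b_txt,
                        int (*fn)(uint32_t, char *, size_t)) {
    uint32_t a, b; char pa[32], pb[32];
    if (!parse_ipv4(a_txt, &a) || !parse_ipv4(b_txt, &b)) return -1;
    fn(a, pa, sizeof pa); fn(b, pb, sizeof pb);
    int s = strcmp(pa, pb);
    return ((a < b) == (s < 0)) && ((a == b) == (s == 0));
}
```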
