[Snort-devel] Snort full log files need hierarchy
hoagland at ...60...
Sat Mar 23 13:16:13 EST 2002
Actually, David, I'm not seeing the advantage.
At 3:20 PM -0500 3/23/02, David Ford wrote:
>Here is some food for thought.
>Store the directories in two char zero prefixed hexadecimal format.
>For example, 18.104.22.168 would become /d0/b3/3b/01/data
>The advantages of this are:
>a) each directory is always two chars long
>b) a directory listing can be naturally sorted at zero cost. 01-ff
>is natural the entire way v.s. trying to naturally sort 20 v.s.
Well, you can get uniform-length and natural sorting using 0-padding
to 3 bytes. I'm not sure where that would be particularly
advantageous though in the current context.
>To create the directory string:
>sprintf(string, "%02x/%02x/%02x/%02x/", o1, o2, o3, o4);
Same thing except use %03d.
>c) IPs are already known in hex form, a simple type bitshift &&
>mask|add int<>char is all that's needed to convert either direction
>To get each octet:
>#define o1(value) (((value)>>24) & 0xff)
>#define o2(value) (((value)>>16) & 0xff)
>#define o3(value) (((value)>>8) & 0xff)
>#define o4(value) ((value) & 0xff)
This is also how you would get the octets in the decimal format.
>The disadvantages of this are:
>a) those who don't understand hex might be confused?
Still would be harder to use even to those that know hex since most
other representations of IPv4 addresses are in decimal.
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* --- Silicon Defense: IDS Solutions --- *|
|* hoagland at ...60..., http://www.silicondefense.com/ *|
|* Voice: (530) 756-7317 Fax: (530) 756-7297 *|
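Added example, not part of the original message or of Snort's code: the two fixed-width layouts discussed in the thread ("%02x" and "%03d"-style padding) next to unpadded decimal, built with a bounded snprintf, plus a check of whether a plain byte-wise sort of the directory names matches numeric address order. The names dir_fmt, OCTET, ip_to_dir and sort_matches_numeric are hypothetical, and addresses are assumed to be in host byte order.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum dir_fmt { FMT_HEX2, FMT_DEC3, FMT_DEC_PLAIN };
#define IP_DIR_MAX 17 /* "ddd/ddd/ddd/ddd/" is 16 chars, plus the NUL */

/* Octet n (0 = most significant) of a host-byte-order IPv4 address. */
#define OCTET(ip, n) ((unsigned)(((ip) >> (24 - 8 * (n))) & 0xffu))

/* Write the log directory for ip into out; returns its length, or -1 if
 * it did not fit (snprintf never writes past outlen). */
int ip_to_dir(uint32_t ip, enum dir_fmt f, char *out, size_t outlen)
{
    unsigned a = OCTET(ip, 0), b = OCTET(ip, 1);
    unsigned c = OCTET(ip, 2), d = OCTET(ip, 3);
    int n;

    if (f == FMT_HEX2)
        n = snprintf(out, outlen, "%02x/%02x/%02x/%02x/", a, b, c, d);
    else if (f == FMT_DEC3)
        n = snprintf(out, outlen, "%03u/%03u/%03u/%03u/", a, b, c, d);
    else
        n = snprintf(out, outlen, "%u/%u/%u/%u/", a, b, c, d);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* 1 if a byte-wise sort (strcmp) of the two directory names orders them
 * the same way as the numeric addresses, 0 if not, -1 on error. */
int sort_matches_numeric(uint32_t x, uint32_t y, enum dir_fmt f)
{
    char dx[IP_DIR_MAX], dy[IP_DIR_MAX];
    int s;

    if (ip_to_dir(x, f, dx, sizeof dx) < 0 ||
        ip_to_dir(y, f, dy, sizeof dy) < 0)
        return -1;
    s = strcmp(dx, dy);
    return ((s < 0) == (x < y)) && ((s > 0) == (x > y));
}

int main(void)
{
    /* Constructed sample addresses: 3.0.0.1 and 20.0.0.1. */
    uint32_t lo = 0x03000001u, hi = 0x14000001u;

    printf("hex2=%d dec3=%d plain=%d\n",
           sort_matches_numeric(lo, hi, FMT_HEX2),
           sort_matches_numeric(lo, hi, FMT_DEC3),
           sort_matches_numeric(lo, hi, FMT_DEC_PLAIN));
    return 0;
}
```

Both padded layouts keep byte-wise order equal to numeric order; only the unpadded decimal form breaks it.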