[Snort-devel] Snort full log files need hierarchy

James Hoagland hoagland at ...60...
Sat Mar 23 13:16:13 EST 2002

Actually, David, I'm not seeing the advantage.

At 3:20 PM -0500 3/23/02, David Ford wrote:
>Here is some food for thought.
>Store the directories in two char zero prefixed hexadecimal format. 
>For example, would become /d0/b3/3b/01/data
>The advantages of this are:
>a) each directory is always two chars long
>b) a directory listing can be naturally sorted at zero cost.  01-ff 
>is natural the entire way vs. trying to naturally sort 20 vs. 

Well, you can get uniform-length and natural sorting using 0-padding 
to 3 bytes.   I'm not sure where that would be particularly 
advantageous though in the current context.

>To create the directory string:
>sprintf(string, "%02x/%02x/%02x/%02x/", o1, o2, o3, o4);

Same thing except use %03d.

>c) IPs are already known in hex form, a simple type bitshift && 
>mask|add int<>char is all that's needed to convert either direction

>To get each octet:
>#define o1(value) ((value>>24) & 0xff)
>#define o2(value) ((value>>16) & 0xff)
>#define o3(value) ((value>>8) & 0xff)
>#define o4(value) (value & 0xff)

This is also how you would get the octets in the decimal format.

>The disadvantages of this are:
>a) those who don't understand hex might be confused?

It would still be harder to use, even for those who know hex, since most 
other representations of IPv4 addresses are in decimal.


|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*            --- Silicon Defense: IDS Solutions ---             *|
|*  hoagland at ...60..., http://www.silicondefense.com/  *|
|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|
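As an added illustration (not code from either poster), the two directory layouts under discussion side by side: Ford's two-char hex form, the three-digit `%03d`-style decimal form, and the unpadded decimal form whose listing does not sort in address order. It assumes host-byte-order addresses and reuses the octet macros quoted above; the parser rejects trailing characters and out-of-range octets.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Octet macros as quoted in the thread (address in host byte order). */
#define o1(value) (((value) >> 24) & 0xff)
#define o2(value) (((value) >> 16) & 0xff)
#define o3(value) (((value) >> 8) & 0xff)
#define o4(value) ((value) & 0xff)
/* Two-char hex (Ford's proposal), three-digit zero-padded decimal (the %03d
 * alternative), and plain decimal (the form whose listing sorts badly). */
enum dir_style { DIR_HEX, DIR_DEC_PADDED, DIR_DEC_PLAIN };

/* Format the per-octet directory prefix, e.g. "d0/b3/3b/01/" for DIR_HEX. */
int ip_dir(uint32_t ip, enum dir_style st, char *buf, size_t len) {
    static const char *const fmt[] = {
        "%02x/%02x/%02x/%02x/", "%03u/%03u/%03u/%03u/", "%u/%u/%u/%u/" };
    return snprintf(buf, len, fmt[st], (unsigned)o1(ip), (unsigned)o2(ip),
                    (unsigned)o3(ip), (unsigned)o4(ip));
}

/* Parse a prefix back into an address; -1 on trailing junk or octet > 255. */
int ip_dir_parse(const char *dir, enum dir_style st, uint32_t *out) {
    static const char *const fmt[] = {
        "%2x/%2x/%2x/%2x/%c", "%3u/%3u/%3u/%3u/%c", "%3u/%3u/%3u/%3u/%c" };
    unsigned a, b, c, d;
    char tail; /* only filled if something follows the last '/' */
    if (sscanf(dir, fmt[st], &a, &b, &c, &d, &tail) != 4) return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255) return -1;
    *out = ((uint32_t)a << 24) | (b << 16) | (c << 8) | d;
    return 0;
}

/* 1 if ip formats to exactly `expected` in style st and parses back to ip. */
int ip_dir_roundtrip(uint32_t ip, enum dir_style st, const char *expected) {
    char buf[32];
    uint32_t back;
    if (ip_dir(ip, st, buf, sizeof buf) < 0 || strcmp(buf, expected) != 0) return 0;
    return ip_dir_parse(buf, st, &back) == 0 && back == ip;
}

/* 1 if strcmp() orders the two prefixes the same way as the addresses, i.e. a
 * plain directory listing of style st is already in address order. */
int dir_order_matches(uint32_t a, uint32_t b, enum dir_style st) {
    char sa[32], sb[32];
    int s, n = (a > b) - (a < b);
    ip_dir(a, st, sa, sizeof sa);
    ip_dir(b, st, sb, sizeof sb);
    s = strcmp(sa, sb);
    return ((s > 0) - (s < 0)) == n;
}
```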
