[Snort-devel] Snort full log files need hierarchy

David Ford david+cert at ...1022...
Sat Mar 23 13:42:03 EST 2002


> Well, you can get uniform-length and natural sorting using 0-padding 
> to 3 bytes.   I'm not sure where that would be particularly 
> advantageous though in the current context. 


2 v.s. 3, small but with a large data stream it comes at 33% off.

>> c) IPs are already known in hex form, a simple type bitshift && 
>> mask|add int<>char is all that's needed to convert either direction
>
>> To get each octet:
>> #define o1(value) (((value)>>24) & 0xff)
>> #define o2(value) (((value)>>16) & 0xff)
>> #define o3(value) (((value)>>8) & 0xff)
>> #define o4(value) ((value) & 0xff)
>
>
> This is also how you would get the octets in the decimal format.

In the computer, a number is a number.  There are 8 bits per byte which 
has no base distinction. (yes some computers have a byte that isn't 8 bits.)

Basically I was just providing simple macros for clarity.  I wasn't 
making any distinction between hex v.s. decimal.  There is none for the 
macros.  Apparently providing the macros was a mistake, I've been 
interpreted as a newbie.

> Still would be harder to use even to those that know hex since most 
> other representation of IPv4 addresses are in decimal.


I find reading numbers as 002 090 210 093 harder to distinguish than 
hex.  And hex harder than non zero prefixed decimal.

However when IPv6 is widespread, we don't have much choice, it's 
blatantly hex formatted. Maintaining a static directory entry and path 
length is quite preferable to a moving mixture of 
fe80::240:5ff:fe23:33da for example.  Again consider the 33% savings.

David
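
Added example, not part of the original message and not Snort code: a C sketch of the two fixed-length naming schemes compared in this thread, 2-digit hex versus 3-digit zero-padded decimal per octet, plus a strict parser that maps a hex path back to the address. The one-directory-per-octet layout, the function names and the sample address are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Octet extraction as in the quoted macros, argument parenthesized. */
#define O1(v) (((v) >> 24) & 0xff)
#define O2(v) (((v) >> 16) & 0xff)
#define O3(v) (((v) >> 8) & 0xff)
#define O4(v) ((v) & 0xff)

/* Assumed layout: one directory level per octet, 2 hex digits each. */
int ip_to_hex_path(uint32_t ip, char *buf, size_t len) {
    return snprintf(buf, len, "%02x/%02x/%02x/%02x", (unsigned)O1(ip),
                    (unsigned)O2(ip), (unsigned)O3(ip), (unsigned)O4(ip));
}

/* Same layout with decimal octets zero-padded to 3 digits. */
int ip_to_dec_path(uint32_t ip, char *buf, size_t len) {
    return snprintf(buf, len, "%03u/%03u/%03u/%03u", (unsigned)O1(ip),
                    (unsigned)O2(ip), (unsigned)O3(ip), (unsigned)O4(ip));
}

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Parse "xx/xx/xx/xx" back to an address; -1 on anything else. */
int hex_path_to_ip(const char *path, uint32_t *ip) {
    uint32_t v = 0;
    if (strlen(path) != 11) return -1;   /* fixed length is part of the format */
    for (int i = 0; i < 4; i++) {
        int hi = hexval(path[3 * i]), lo = hexval(path[3 * i + 1]);
        if (hi < 0 || lo < 0) return -1;
        if (i < 3 && path[3 * i + 2] != '/') return -1;
        v = (v << 8) | (uint32_t)((hi << 4) | lo);
    }
    *ip = v;
    return 0;
}

int main(void) {
    char hex[16], dec[16];
    uint32_t ip = 0x025AD25Du, back = 0;   /* constructed sample: 2.90.210.93 */
    int hl = ip_to_hex_path(ip, hex, sizeof hex);
    int dl = ip_to_dec_path(ip, dec, sizeof dec);
    printf("%s (%d bytes)  %s (%d bytes)\n", hex, hl, dec, dl);
    printf("round trip ok: %d\n", hex_path_to_ip(hex, &back) == 0 && back == ip);
    return 0;
}
```

Because every valid hex path is exactly 11 bytes of lowercase hex digits and slashes, the parser can reject components such as `..` by length and character class alone.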





