[Snort-users] Questions/Suggestion: Which data to put in the DB?

Geoff the UNIX guy galitz at ...247...
Fri Aug 4 20:48:19 EDT 2000


Comments below...

NOTE: This started out as a simple reply on my part, but turned
into a "thinking out loud" kinda thing.  Feel free to skim
and comment on things which interest you...

> 
> Thanks to all who have responded to this thread so far. There have
> been some good comments supporting both sides. I have talked with a
> number of people this week on the phone and at the IETF meetings about
> this topic. I am getting the sense that there is no standard (or
> should I say best practice) way to represent an IP address in a
> database. If someone out there knows different let me know. :) As we
> have seen in our discussions there are good reasons to choose either
> four one byte fields or one four byte field.
>

As to the standards issue, while it is difficult to anticipate
the features and future issues that will pop up in this field,
we could always come up with something that fits our needs and
is general enough to promote as a standard, ourselves.

The biggest win around standardizing the database layout
is the ability to integrate snort with some other application
that handles the analysis or presentation.  With the standard,
JoeBloe v1.0 will work with snort, even if they have never
heard of snort.  This would probably end up being a whole
different project shooting off from the snort project.
 
Specifically, this standard layout would make it easier
to associate snort and arachNIDS IDS numbers with CVE
numbers.  Currently, the system I am working on in-house
is designed to revolve around the CVE number as one of my
key datapoints.

Anyway... if anyone would like to pursue this as a separate
issue (in addition to this conversation) I'm game.

> 
> Does anyone have some example code that can SELECT using an arbitrary
> subnet using the current snortdb? I could write some but I just don't
> have time at the moment.
>

I presume you mean code which extracts data from the snortdb
as it currently exists?  Here is a direct (edited) excerpt from 
my app:

---------------------------------------------------
use DBI;
# events whose signature mentions TELNET
my $GET_RECENT_HITS = "SELECT * FROM event WHERE signature LIKE '% TELNET %' ";

my $DBTYPE = "mysql";           # which DBI modules to load
my $DB1 = "snort";              # which database to use
my $DB1USER = "snortdude";      # which user to login as

# one row per event: four source octets, then four destination octets
my $GETIP = "SELECT ip_src0, ip_src1, ip_src2, ip_src3, ip_dst0, 
ip_dst1, ip_dst2, ip_dst3 FROM iphdr WHERE cid = ?";

my $dbh = DBI->connect("DBI:$DBTYPE:$DB1",$DB1USER) or 
	die "Couldn't connect to database: " . DBI->errstr;

my $sth = $dbh->prepare($GET_RECENT_HITS) or 
	die "Couldn't prepare statement: " . $dbh->errstr;

my @data;
$sth->execute or die "Couldn't execute statement: " . $sth->errstr;
while (@data = $sth->fetchrow_array()) {
        my $sid = $data[0];
        my $cid = $data[1];
        my $sig = $data[2];
        my $tstamp = $data[3];
        my $sth2 = $dbh->prepare($GETIP) or die "duh";
# retrieve the details of the event via the cid
        $sth2->execute($cid);
        my @data2;
        #while (@data2  = $sth2->fetchrow_array()) {
        @data2 = $sth2->fetchrow_array();
# build the IP address from its constituent parts
        my $SRCIP = "$data2[0].$data2[1].$data2[2].$data2[3]";
        my $DSTIP = "$data2[4].$data2[5].$data2[6].$data2[7]";

....

And the code goes on to extract contact information from
another database (see my previous posting).

Alternatively, this code can be modified to give a breakdown
per targeted subnet by simply referencing:

my $DSTIP = "$data2[4].$data2[5].$data2[6]";   # ip_dst0..ip_dst2 are columns 4..6 of $GETIP

or even

my $CLASS_C_SUBNET = "$data2[6]";              # ip_dst2, the third destination octet

Which may be useful in determining if there is a problemed
group of machines (in my case a research group, but more
generally a department in a corporation).  

The type of output one would get from this (hypothetical) use would
be:

------------------------------------------
  SnortAnalyzer v0.0  
  Breakdown by Subnet

  Network                 Hosts with Suspect Traffic

  10.0.1		  4
  10.0.2		  5
  10.0.3		  2
  10.0.4		  17
  10.0.5		  4
  10.0.6		  3


  IDS#			  Network + Number of Incidents

  IDS001		  10.0.1 4
  IDS002		  10.0.2 2
  IDS002		  10.0.3 1

------------------------------------------

This would be an easy and quick way to help pinpoint 
troublespots in a large network (presuming a sane
network topology).  Comments on this welcome...


My main issue is that given this kind of data analysis
breaking the subnets out of the IPHDR section of the snortdb
would require processing in the application as opposed to a longer 
select statement sent to the database (but would require no
additional processing).  In other words, it would be a 
longer SELECT (at least 4 arguments) versus a short SELECT
and then running the data through awk or C or perl code.


Well... I think I've taken enough of your time.  

Have fun.
-geoff
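
The subnet SELECT asked about in the quoted question, and the per-/24 breakdown done by the database instead of the application, as an added example (not code from the original post or from snort). It assumes only the iphdr columns shown in the post, uses an in-memory SQLite table with constructed rows in place of the MySQL snortdb, and all function names are hypothetical.

```python
import ipaddress
import sqlite3

OCTET_PREFIXES = {"ip_src", "ip_dst"}  # column families named in the post's iphdr query

def subnet_where(cidr, prefix="ip_dst"):
    """Turn a CIDR block into a parameterized predicate over <prefix>0..<prefix>3."""
    if prefix not in OCTET_PREFIXES:  # identifiers cannot be bound, so allow-list them
        raise ValueError("unknown column prefix")
    net = ipaddress.IPv4Network(cidr, strict=False)
    lo, hi = net.network_address.packed, net.broadcast_address.packed
    clauses, params = [], []
    for i in range(4):
        if lo[i] == hi[i]:
            clauses.append(f"{prefix}{i} = ?")
            params.append(lo[i])
        else:
            # first octet the mask cuts through; later octets are unconstrained
            clauses.append(f"{prefix}{i} BETWEEN ? AND ?")
            params += [lo[i], hi[i]]
            break
    return " AND ".join(clauses), params

def events_in_subnet(db, cidr):
    where, params = subnet_where(cidr)
    rows = db.execute(f"SELECT cid FROM iphdr WHERE {where} ORDER BY cid", params)
    return [r[0] for r in rows]

def hosts_per_slash24(db):
    """Distinct destination hosts per /24, grouped by the database itself."""
    rows = db.execute(
        "SELECT ip_dst0, ip_dst1, ip_dst2, COUNT(DISTINCT ip_dst3) FROM iphdr "
        "GROUP BY ip_dst0, ip_dst1, ip_dst2 ORDER BY ip_dst0, ip_dst1, ip_dst2")
    return [(f"{a}.{b}.{c}", n) for a, b, c, n in rows]

def sample_db():
    """Constructed sample rows; only the iphdr columns the post selects are modeled."""
    db = sqlite3.connect(":memory:")
    cols = ", ".join(f"ip_{side}{i} INTEGER" for side in ("src", "dst") for i in range(4))
    db.execute(f"CREATE TABLE iphdr (cid INTEGER, {cols})")
    dsts = ["10.0.1.5", "10.0.1.5", "10.0.1.9", "10.0.4.20", "10.0.6.1", "10.0.7.200"]
    for cid, dst in enumerate(dsts, 1):
        db.execute("INSERT INTO iphdr VALUES (?,?,?,?,?,?,?,?,?)",
                   [cid, 192, 0, 2, 77] + [int(o) for o in dst.split(".")])
    return db

if __name__ == "__main__":
    print(events_in_subnet(sample_db(), "10.0.4.0/22"))
    print(hosts_per_slash24(sample_db()))
```

The predicate covers any prefix length because a CIDR block's first and last addresses agree on every octet before the mask boundary and span 0 to 255 on every octet after it.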









