[Snort-users] Questions/Suggestion: Which data to put in the DB?
jed at ...153...
Fri Aug 11 17:26:44 EDT 2000
This message is regarding the representation of IP addresses in the
snort database structure.
> [Jed Pickel]
> | Does anyone have some example code that can SELECT using an
> | arbitrary subnet using the current snortdb? I could write some but
> | I just don't have time at the moment.
> Just an example to illustrate how I see it done with 32 bits addresses:
> $Netaddr = IP address AND network mask
> $Bcast = IP address AND NOT network mask
> And then:
> Select * from iphdr where ip_src > $Netaddr and ip_src < $Bcast;
> This would be a very flexible, and might reduce the load on both the
> database and the application.
Mike... You make an excellent point here. Arguments made with code and
examples are always more convincing. I plan to do some testing on my
own before I introduce 1 4byte IP address into code and database
structure. If am am happy with my tests we will have both the old way
and new way for a while in the development version. Then we will try
and get consensus from db application developers and the best one
wins. I want to try and work through this whole cycle before the next
More information about the Snort-users