[Snort-users] mysql iphdr ip addressing scheme?

roman at ...438... roman at ...438...
Thu Nov 1 10:51:28 EST 2001


Not exactly valid CIDR notation, but let's investigate.

x.177.88.0/20 is the following in binary:

xxxxxxxx 10110001 1011xxxx xxxxxxxx

(where 'x' can be either 0 or 1)

The following would be the mask to match such a network:

00000000 10110001 10110000 00000000 = 11644928 = mask

ip AND mask = mask (then we have a match)

SELECT ip_src FROM iphdr WHERE ((ip_src & 11644928) = 11644928)

The representation of the ip address as an unsigned 32-bit integer was
done to facilitate exactly this type of operation.

Roman

On 1 Nov 2001, Greg Sarsons wrote:

> Okay, let's make this a bit more complicated.
>
> Let's say I want to get all the addresses from x.117.88.0 thru to
> x.177.95.255
>
> which is x.177.88.0/20
>
> Is there a straightforward way to just match IPs just on all or just
> one of those subnets?
>
> Greg
>
> On Thu, 2001-11-01 at 10:31, Jason Straight wrote:
> > Actually I got another answer also, mysql has just that function
> > select inet_ntoa(ipsrc) from iphdr;
> >
> >
> > On Thursday 01 November 2001 10:12, Phil Wood wrote:
> > > You'll probably get a lot of these types of responses.  I had that question
> > > recently from one of the network staff here and thought I'd code it to
> > > death.
> > >
> > > It's a perl script called int-to-ip which takes input in one of two ways:
> > >
> > >   int-to-ip number [another_number]*
> > >   int-to-ip < list_of_numbers_file
> > >
> > > Later,
> > >
> > > On Thu, Nov 01, 2001 at 12:36:29AM -0500, Jason Straight wrote:
> > > > I'm confused. Snort on mysql has an ip addy that's nothing more than an
> > > > integer. How do I get a dotted quad IP# from:
> > > >
> > > > 208436227 ?
> > > >
> > > > Thanks in advance.
> > >
>
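
Added example (not part of the original thread, and not Snort's or the posters' code): the masked comparison discussed above in its general form, `(ip & mask) = value`, where `mask` selects the bits that are fixed across the range and `value` is what those bits must equal. It goes beyond the single case in the thread by deriving both numbers from any first/last address pair; the function names are hypothetical, a first octet of `0` stands in for the wildcard `x`, and `ip_src` is the column named in the thread.

```python
import ipaddress

def dotted(n):
    """Unsigned 32-bit integer -> dotted quad (same result as MySQL inet_ntoa())."""
    return str(ipaddress.IPv4Address(n))

def masked_predicate(first, last, wildcard_octets=1):
    """Return (mask, value) so that (ip & mask) == value selects first..last.

    The leading `wildcard_octets` octets are ignored (the 'x' in x.177.88.0).
    """
    keep = (1 << (32 - 8 * wildcard_octets)) - 1   # bits that are not wildcarded
    lo = int(ipaddress.IPv4Address(first)) & keep
    hi = int(ipaddress.IPv4Address(last)) & keep
    host = lo ^ hi                                 # bits that vary inside the range
    # A single mask only works for one aligned block: the varying bits must be
    # the low-order bits, all 0 in the first address and all 1 in the last.
    if host & (host + 1) or lo & host or (hi & host) != host:
        raise ValueError("range is not a single aligned block")
    mask = keep & ~host
    return mask, lo & mask

def where_clause(column, mask, value):
    """Render the comparison as a SQL predicate on an integer IP column."""
    return f"({column} & {mask}) = {value}"

def matches(ip, mask, value):
    """Apply the same comparison locally, to check the numbers before querying."""
    return (int(ipaddress.IPv4Address(ip)) & mask) == value

if __name__ == "__main__":
    # Range from the thread, first octet wildcarded.
    mask, value = masked_predicate("0.177.88.0", "0.177.95.255")
    print("SELECT ip_src FROM iphdr WHERE", where_clause("ip_src", mask, value))
    # Constructed sample addresses, not taken from any real sensor data.
    for ip in ("10.177.88.1", "200.177.95.255", "10.177.96.0", "10.255.255.1"):
        print(ip, matches(ip, mask, value))
    print(dotted(208436227))   # the integer asked about at the start of the thread
```

Comparing against `value` rather than against the mask itself is what makes bits that must be 0 count; a test that only checks for set bits also accepts addresses such as 10.255.255.1.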

