[Snort-users] Snort DB query question.

larosa, vjay larosa_vjay at ...3331...
Thu Oct 24 20:57:02 EDT 2002


Alright,

Here is a quick little hack I figured out by looking at somebody else's
code.

#!/usr/local/bin/perl --

use strict ;
use warnings ;
use Socket ;

# Usage: convert-ip.pl <dotted-quad> <prefix-length>, e.g. 128.221.0.0 16
my ($ip, $mask) = @ARGV ;
die "usage: $0 <ip> <prefix-length>\n" unless defined $mask ;

# Pack the dotted quad into its 4 raw bytes, then read them back as one
# big-endian 32 bit integer: the same value the Snort DB plugin stores.
my $bit = unpack('N', inet_aton($ip)) ;

# All host bits set: the number of addresses in the block, minus one.
my $hostmask = (2 ** (32 - $mask)) - 1 ;

# Clear the host bits so a non-aligned base (e.g. 128.221.5.0/16) still
# starts at the network address, then set them all for the last address.
$bit = $bit & ~$hostmask ;
my $ip2  = $bit | $hostmask ;
my $diff = $ip2 - $bit ;

print "Thirty Two Bit Address: $bit\n" ;
print "Thirty Two Bit Address: $ip2\n" ;
print "Difference: $diff\n" ;

Here is an example of the output,

% ./convert-ip.pl 128.221.0.0 16
Thirty Two Bit Address: 2161967104
Thirty Two Bit Address: 2162032639
Difference: 65535
% 

So now you can select the IPs in between these ranges. I knew
that there must be a way. Once again Google is your best friend!
It just took some time to find what I was looking for.

vjl


-----Original Message-----
From: Michael Boman [mailto:michael at ...3137...]
Sent: Thursday, October 24, 2002 10:50 PM
To: larosa, vjay
Cc: 'snort-users at lists.sourceforge.net'
Subject: Re: [Snort-users] Snort DB query question.


On Thu, Oct 24, 2002 at 10:22:57PM -0400, larosa, vjay wrote:
> Hello,
> 
> I have a question that has been bugging me since I started using the
> database output plugin with snort. Why are the IP addresses stored in
> the DB in the 32 bit format?
> What is the advantage?

I would guess it's speed - it stores the IP addresses in the same format
they are received from the wire. Doing additional processing would slow
snort down, and when you analyze the data you won't notice the 1/100
sec delay, but snort would.

> I know there must be something I don't know. I know the SELECT
> inet_ntoa(ip_src) ...... trick to convert
> the IPs back to human readable format, but what if I want to search for a
> CIDR block like 10.10.0.0/16?
> How would this be done? Is it possible?

SELECT .... 
WHERE inet_ntoa(iphdr.ip_src) > "10.10.0.0" AND 
	inet_ntoa(iphdr.ip_src) < "10.10.255.255"

or

SELECT ....
WHERE iphdr.ip_src > inet_aton("10.10.0.0") AND
	iphdr.ip_src < inet_aton("10.10.255.255")


I think the last example is faster, haven't tried it (wrong OS, not at
work and so on...). And I am sure there are short-cuts for it as well,
check out the documentation for your SQL database (which you failed
to specify).

Best regards
 Michael Boman

-- 
Michael Boman
Student, Husband, Geek. Not necessary in that order though.
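The two pieces of the thread put together, as an added example that is not code from either poster: vjl's CIDR-to-integer computation (with the base address masked, so it also works for a non-aligned base) and the two query forms from the reply, run against an in-memory SQLite table that stands in for the Snort 'iphdr' table (constructed rows; 'inet_ntoa' is a Python stand-in for MySQL's). It shows why the integer comparison is the one to use: comparing dotted quads as strings is lexicographic and silently drops addresses such as 10.10.3.1.

```python
import socket
import sqlite3
import struct

def ip_to_int(ip):
    """Dotted quad -> unsigned 32-bit int, the form the Snort DB plugin stores."""
    return struct.unpack("!I", socket.inet_aton(ip))[0]

def int_to_ip(n):
    """Inverse of ip_to_int (what MySQL's inet_ntoa() does)."""
    return socket.inet_ntoa(struct.pack("!I", n))

def cidr_bounds(cidr):
    """(first, last) address of a CIDR block as integers. The base address is
    masked first, so 10.10.5.0/16 still yields the 10.10.0.0 - 10.10.255.255 range."""
    base, prefix = cidr.split("/")
    hostmask = (1 << (32 - int(prefix))) - 1
    first = ip_to_int(base) & ~hostmask & 0xFFFFFFFF
    return first, first | hostmask

# Constructed sample source addresses standing in for rows of the Snort 'iphdr' table.
SAMPLE_SRC_IPS = ["10.10.3.1", "10.10.200.7", "10.11.0.1", "10.9.255.255", "128.221.4.4"]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER)")
    conn.executemany("INSERT INTO iphdr VALUES (1, ?, ?)",
                     [(i, ip_to_int(ip)) for i, ip in enumerate(SAMPLE_SRC_IPS, 1)])
    conn.create_function("inet_ntoa", 1, int_to_ip)  # stand-in for MySQL's inet_ntoa()
    return conn

def select_in_block(conn, cidr):
    """Integer form: BETWEEN on the stored value, bounds passed as parameters."""
    first, last = cidr_bounds(cidr)
    rows = conn.execute("SELECT ip_src FROM iphdr WHERE ip_src BETWEEN ? AND ? "
                        "ORDER BY ip_src", (first, last))
    return [int_to_ip(r[0]) for r in rows]

def select_by_string_compare(conn, cidr):
    """Dotted-quad form from the thread: TEXT compares lexicographically, so
    '10.10.3.1' sorts after '10.10.255.255' and is dropped from the result."""
    first, last = cidr_bounds(cidr)
    rows = conn.execute("SELECT ip_src FROM iphdr WHERE inet_ntoa(ip_src) > ? "
                        "AND inet_ntoa(ip_src) < ? ORDER BY ip_src",
                        (int_to_ip(first), int_to_ip(last)))
    return [int_to_ip(r[0]) for r in rows]

if __name__ == "__main__":
    db = make_db()
    print(select_in_block(db, "10.10.0.0/16"))           # ['10.10.3.1', '10.10.200.7']
    print(select_by_string_compare(db, "10.10.0.0/16"))  # ['10.10.200.7']
```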