[Snort-users] unpacking IP in ACID DB - how
djmurd at ...5190...
Sun Aug 1 18:21:25 EDT 2004
Hi there ...
I am attempting to work out some Perl programs that can produce
the Hee So / Less Gordon analysis format from the ACID database.
In order to do that I need to extract the IP address from the
"acid_event" table. Apparently the data is stored in an 8-byte
field. I don't have a good idea of how to extract it.
I read through the opt_database.c code and can't quite follow
how to get it out using Perl (the issue is conversion).
I see in the ACID PHP code that it uses a PHP function called
"long2ip" and has some range checks on it.
I did see the discussion on the ACID page "how IPs are stored"
but don't have quite enough Perl skills to figure out how to
"shift and bit mask" as they discuss.
I have found a bunch of articles that discuss the concept, but
haven't found enough Perl code to move forward.
I assume that others out there have had a need to read the data
from the ACID db in a non-PHP language, and would appreciate a Perl
code chunk / snippet to help out.
Thank you all.
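
An added example, not part of the original post and not code from ACID or Snort: a Perl equivalent of PHP's "long2ip" using the "shift and bit mask" approach the post mentions, with a range check. It assumes the stored value is the IPv4 address as a non-negative integer; the function names and sample values are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: the address arrives as a non-negative decimal integer
# (what PHP's long2ip() takes), e.g. a value fetched through DBI.

# Shift-and-mask: take each octet, most significant first.
sub long2ip {
    my ($n) = @_;
    # Range check: digits only, and no larger than 32 bits.
    return undef unless defined $n && $n =~ /^[0-9]+\z/;
    return undef if $n > 0xFFFFFFFF;
    return join '.',
        ($n >> 24) & 0xFF,
        ($n >> 16) & 0xFF,
        ($n >> 8)  & 0xFF,
         $n        & 0xFF;
}

# Same result with pack/unpack: 'N' is a 32-bit big-endian integer,
# 'C4' reads it back as four unsigned bytes.
sub long2ip_packed {
    my ($n) = @_;
    return undef unless defined $n && $n =~ /^[0-9]+\z/ && $n <= 0xFFFFFFFF;
    return join '.', unpack 'C4', pack 'N', $n;
}

# Reverse direction, for turning a dotted quad into a value to query on.
sub ip2long {
    my ($ip) = @_;
    my @octets = split /\./, $ip, -1;
    return undef unless @octets == 4;
    for my $o (@octets) {
        return undef unless $o =~ /^[0-9]{1,3}\z/ && $o <= 255;
    }
    return unpack 'N', pack 'C4', @octets;
}

# Constructed sample values, not taken from a real database.
for my $stored (167772161, 3232235777, 4294967295, 4294967296, -1) {
    my $ip = long2ip($stored);
    printf "%-11s => %s\n", $stored, defined $ip ? $ip : 'out of range';
}
print ip2long('192.168.1.1'), "\n";
```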