[Snort-users] unpacking IP in ACID DB - how

Don Murdoch djmurd at ...5190...
Sun Aug 1 18:21:25 EDT 2004


	Hi there ...

	I am attempting to work out some PERL programs that can produce
	the Hee So / Less Gordon analysis format from the ACID database.
	In order to do that I need to extract the IP address from the 
	"acid_event" table.  Apparently the data is stored in an 8 byte
	field.  I haven't a good idea on how to extract it.

	I needed through the opt_database.c code and can't quite follow
	how to get it out using perl (the issue is conversion).

	I see in the ACID PHP code that it uses a PHP function called
	"long2ip" and has some range checks on it.

	I did see the discussion on the ACID page "how IP's are stored"
	but don't have quite enough perl skills to figure out how to
	"shift and bit mask" as they discuss.

	I have found a bunch of articles that discuss the concept, but
	haven't found enough perl code to move forward.

	I assume that others out there have had a need to read the data
	from the ACID db in a non-php language, would appreciate a perl
	code chunk / snippet to help out.

	Thank you all.

--------------------------------------
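The "shift and bit mask" conversion the post asks about, as an added Perl example that is not part of the original message or of the ACID/Snort code. It assumes the database driver returns the address as an unsigned integer, the form PHP's long2ip takes. The sub names and sample values are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Integer -> dotted quad. Shift each octet down to the low byte, then
# mask with 0xFF to discard everything above it. The range checks come
# first so a NULL, negative or oversized value from the DB fails loudly.
sub long2ip {
    my ($n) = @_;
    die "not an unsigned integer: " . (defined $n ? $n : 'undef') . "\n"
        unless defined $n && $n =~ /^\d+$/;
    die "out of IPv4 range: $n\n" if $n > 0xFFFFFFFF;
    return join '.', map { ($n >> $_) & 0xFF } (24, 16, 8, 0);
    # Same result without explicit shifts:
    #   join '.', unpack 'C4', pack 'N', $n;
}

# Dotted quad -> integer, for building WHERE clauses against the same
# column (hypothetical helper, the inverse of long2ip above).
sub ip2long {
    my ($ip) = @_;
    my @o = $ip =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/
        or die "not a dotted quad: $ip\n";
    for my $octet (@o) {
        die "octet out of range in $ip\n" if $octet > 255;
    }
    return ($o[0] << 24) | ($o[1] << 16) | ($o[2] << 8) | $o[3];
}

# Constructed sample values standing in for rows fetched from the table.
my @stored = (167772161, 2886729729, 3232235777);

for my $n (@stored) {
    my $ip = long2ip($n);
    # Round-trip check: converting back must give the stored integer.
    die "round trip failed for $n\n" unless ip2long($ip) == $n;
    printf "%-12s %s\n", $n, $ip;
}
```

With DBI, pass the fetched column value straight to long2ip; a NULL column arrives as undef and is rejected by the first check.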

