[Snort-users] Problem: Snort Logging to database, problem with ip and port number formats

Thomas Murtagh t_murtagh22 at ...12185...
Tue Jul 27 04:19:18 EDT 2004


I have set up snort and configured it to log to a
MySQL database; this appears to be working fine. Data
is being logged as expected. I have noticed however
that within tables "iphdr" and "tcphdr", ip addresses
(ip_src & ip_dst) and port numbers (tcp_sport &
tcp_dport) are not being logged as expected. I have
used the create_mysql script to create this database;
however, the above-mentioned fields are logging ip
addresses as integer (int) numbers and port numbers as
small integers (smallint).

When using the command "describe iphdr", the field
type for both ip_src and ip_dest is an int(10).

When using the command "describe tcphdr", the field
type for both tcp_sport and tcp_dport is also an
int(10) unsigned.

The following is some sample data contained within the

Table: iphdr

| sid | cid  | ip_src     | ip_dst     | ip_ver |
|   1 | 1000 | 3232245761 | 3232245900 |      4 |

As you can see, the above ip_src and ip_dest values
are not valid IP addresses:

Table: tcphdr

| sid | cid  | tcp_sport | tcp_dport | tcp_seq |
|   1 | 1000 |     59832 |       116 |       0 |

As you can see, the above tcp_sport and tcp_dport
values are not valid port numbers.

Can anyone please advise me on how to get this to
become valid data? I'm hoping to program an
application in C/C++ which will need to read this
information; is this data in a valid IP address format?

Any information would be much appreciated.


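The integers in the post are the standard packed 32-bit form of an IPv4 address (3232245761 is 192.168.40.1, 3232245900 is 192.168.40.140), and the tcp_sport/tcp_dport columns already hold plain port numbers. The following is an added example, not code from the original thread, showing how a C reader of the Snort tables can convert and validate these columns; the function names are mine and the sample values are constructed from the rows quoted above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Render a Snort iphdr.ip_src / ip_dst column value as dotted quad.
 * The column is a 32-bit unsigned integer in network byte order; read it
 * into uint32_t, since values above 2^31 overflow a signed 32-bit int.
 * buf must hold at least 16 bytes ("255.255.255.255" plus NUL). */
static void snort_ip_to_str(uint32_t ip, char *buf, size_t len)
{
    snprintf(buf, len, "%u.%u.%u.%u",
             (unsigned)((ip >> 24) & 0xFF), (unsigned)((ip >> 16) & 0xFF),
             (unsigned)((ip >> 8) & 0xFF),  (unsigned)(ip & 0xFF));
}

/* Inverse: parse a dotted quad into the integer form used in the table,
 * e.g. for building a WHERE ip_src = ... query. Rejects malformed input,
 * out-of-range octets and trailing garbage. Returns 0 on success, -1 on error. */
static int snort_str_to_ip(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char extra;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &extra) != 4)
        return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return -1;
    *out = ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
    return 0;
}

/* A tcphdr port column is valid if it fits the 16-bit TCP port range. */
static int snort_port_valid(long port)
{
    return port >= 0 && port <= 65535;
}

int main(void)
{
    /* Constructed sample row mirroring the iphdr / tcphdr values in the post. */
    uint32_t ip_src = 3232245761u, ip_dst = 3232245900u;
    long tcp_sport = 59832, tcp_dport = 116;
    char src[16], dst[16];

    snort_ip_to_str(ip_src, src, sizeof src);
    snort_ip_to_str(ip_dst, dst, sizeof dst);
    printf("%s:%ld -> %s:%ld (ports %s)\n", src, tcp_sport, dst, tcp_dport,
           snort_port_valid(tcp_sport) && snort_port_valid(tcp_dport) ? "valid" : "invalid");
    return 0;
}
```

The same conversion can be done inside MySQL with INET_NTOA(ip_src) when querying the table directly.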