[Snort-users] Problem: Snort Logging to database, problem with ip and port number formats

sekure sekure at ...11827...
Tue Jul 27 05:30:10 EDT 2004


Thomas,

Since an IP address in the form we are used to seeing it is not an
integer, something has to be done to allow it to be stored as an
integer in the DB.  What snort does is convert it to dotless notation,
using an old trick: first convert each octet to hex, concatenate them
into an 8-digit hex number, and convert that to decimal.  So if we do that
in reverse for the source IP above:

3232245761 is C0A82801 in hex.  Take two digits at a time and convert
them to decimal: 0xC0 -> 192, 0xA8 ->168, 0x28 -> 40, 0x01 -> 1.  Put
them together -> 192.168.40.1.  Does that look like a valid source
address?

However, as far as sport and dport go, they are stored in their
original form, so they should accurately represent what snort is
capturing.

HTH,

On Tue, 27 Jul 2004 12:18:44 +0100 (BST), Thomas Murtagh
<t_murtagh22 at ...12185...> wrote:
> Hi,
> 
> I have set up snort and configured it to log to a
> MySQL database, this appears to be working fine. Data
> is being logged as expected. I have noticed however
> that within tables "iphdr" and "tcphdr", ip addresses
> (ip_src & ip_dst) and port numbers (tcp_sport &
> tcp_dport) are not being logged as expected. I have
> used the create_mysql script to create this database,
> however the above mentioned fields are logging ip
> addresses as integer (int) numbers and port numbers as
> small integers (smallint).
> 
> When using the command "describe iphdr", the field
> type for both ip_src and ip_dest is an int(10)
> unsigned.
> 
> When using the command "describe tcphdr", the field
> type for both tcp_sport and tcp_dport is also an
> int(10) unsigned.
> 
> The following is some sample data contained within the
> database:
> 
> Table: iphdr
> 
> +-----+------+------------+------------+--------+
> | sid | cid  | ip_src     | ip_dst     | ip_ver |
> +-----+------+------------+------------+--------+
> |   1 | 1000 | 3232245761 | 3232245900 |      4 |
> +-----+------+------------+------------+--------+
> 
> AS YOU CAN SEE THE ABOVE ip_src and ip_dest are values,
> not valid IP addresses:
> 
> Table: tcphdr
> 
> +-----+------+-----------+-----------+---------+
> | sid | cid  | tcp_sport | tcp_dport | tcp_seq |
> +-----+------+-----------+-----------+---------+
> |   1 | 1000 |     59832 |       116 |       0 |
> +-----+------+-----------+-----------+---------+
> 
> AS YOU CAN SEE THE ABOVE tcp_sport and tcp_dport
> values are not valid port numbers
> 
> Can anyone please advise me on how to get this to
> become valid data? I'm hoping to program an
> application in C/C++ which will need to read this
> information. Is this data a valid IP address?
> 
> Any information would be much appreciated.
> 
> Thanks
> Thomas
> 
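Since Thomas wants to read these columns from C/C++, here is an added example (not code from the thread or from Snort) of the conversion sekure describes in both directions, plus the range check a reader should apply to the port columns, which are int(10) unsigned in the schema but only hold 16-bit values. It assumes the layout sekure lays out above: the first octet is the most significant byte of the stored integer, so 3232245761 (0xC0A82801) is 192.168.40.1. The sample values are the ones from Thomas's tables.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Turn the unsigned 32-bit value stored in iphdr.ip_src / ip_dst back
 * into dotted-quad text.  The most significant byte is the first octet,
 * which is the same walk as 0xC0A82801 -> C0.A8.28.01 -> 192.168.40.1.
 * out must have room for at least 16 bytes ("255.255.255.255" + NUL). */
void ip_u32_to_dotted(uint32_t ip, char *out, size_t outlen)
{
    snprintf(out, outlen, "%u.%u.%u.%u",
             (unsigned)((ip >> 24) & 0xFF), (unsigned)((ip >> 16) & 0xFF),
             (unsigned)((ip >> 8) & 0xFF),  (unsigned)(ip & 0xFF));
}

/* The reverse: parse dotted-quad text into the integer form Snort logs.
 * Returns 1 on success and 0 if the text is not exactly four octets
 * in the range 0..255 (trailing junk is rejected via the %c probe). */
int ip_dotted_to_u32(const char *s, uint32_t *out)
{
    unsigned int o[4];
    char tail;

    if (sscanf(s, "%u.%u.%u.%u%c", &o[0], &o[1], &o[2], &o[3], &tail) != 4)
        return 0;
    for (int i = 0; i < 4; i++)
        if (o[i] > 255)
            return 0;

    *out = ((uint32_t)o[0] << 24) | ((uint32_t)o[1] << 16) |
           ((uint32_t)o[2] << 8)  |  (uint32_t)o[3];
    return 1;
}

/* tcphdr.tcp_sport / tcp_dport are stored unchanged, but the column is
 * wider than a TCP port, so validate before trusting a row. */
int port_is_valid(uint32_t port)
{
    return port <= 65535u;
}

/* Stand-alone demo using the values from the iphdr / tcphdr rows above. */
int main(void)
{
    char buf[16];
    uint32_t back;

    ip_u32_to_dotted(3232245761u, buf, sizeof buf);
    printf("ip_src 3232245761 -> %s\n", buf);
    ip_u32_to_dotted(3232245900u, buf, sizeof buf);
    printf("ip_dst 3232245900 -> %s\n", buf);

    if (ip_dotted_to_u32("192.168.40.1", &back))
        printf("192.168.40.1 -> %u\n", (unsigned)back);

    printf("tcp_sport 59832 valid: %d, tcp_dport 116 valid: %d\n",
           port_is_valid(59832), port_is_valid(116));
    return 0;
}
```

If the conversion is only needed inside a query rather than in application code, MySQL's built-in `INET_NTOA()` and `INET_ATON()` functions perform the same mapping, so `SELECT INET_NTOA(ip_src) FROM iphdr` returns the dotted form directly.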