[Snort-users] Barnyard2 output to postgreSQL

beenph beenph at ...11827...
Sat May 24 13:26:10 EDT 2014


You will need to cast the value and use a built-in function if you want
them to be displayed in dotted notation.

http://www.postgresql.org/docs/9.3/static/datatype-net-types.html
http://www.postgresql.org/docs/9.3/static/typeconv-func.html
cast to cidr
And use the function
http://www.postgresql.org/docs/9.3/static/functions-net.html

ex: select ('0x' || lpad(to_hex(ip_src),8,'0'))::cidr from iphdr limit 1;

But you could also build your own function/proc that would do it, but
in the end you'd better handle that at the front-end
and build your queries according to host-ordered integers for network addresses.



 -elz


On Fri, May 23, 2014 at 9:25 PM, Avery Rozar
<Avery.Rozar at ...16118...> wrote:
> Is something wrong with my IP info from barnyard2? The IP addresses are not showing up as standard IPv4 as I’d thought.
>
> csdashboard=# select * from iphdr ;
>  sid | cid |   ip_src   |   ip_dst   | ip_ver | ip_hlen | ip_tos | ip_len | ip_id | ip_flags | ip_off | ip_ttl | ip_proto | ip_csum
> -----+-----+------------+------------+--------+---------+--------+--------+-------+----------+--------+--------+----------+---------
>    1 |   1 | 2886730039 | 2887777037 |      4 |       5 |      0 |    663 |  4063 |        0 |      0 |     64 |        6 |   54285
>    1 |   2 | 2886730039 | 2887777037 |      4 |       5 |      0 |    663 | 28735 |        0 |      0 |     64 |        6 |   29613
>    1 |   3 | 1815870597 | 2887777037 |      4 |       5 |      0 |    419 | 51507 |        0 |      0 |     60 |        6 |   25651

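The front-end approach suggested in the reply, as an added example that is not part of the original thread: it renders the host-ordered integers from `iphdr` as dotted quads and turns a CIDR filter into an integer range query on `ip_src`. The function names, the `%s` placeholder style (psycopg2 convention) and the column list in the query are assumptions; the sample rows are constructed from the quoted psql output.

```python
import ipaddress

# Constructed sample: (cid, ip_src, ip_dst) taken from the quoted iphdr rows.
SAMPLE_ROWS = [
    (1, 2886730039, 2887777037),
    (2, 2886730039, 2887777037),
    (3, 1815870597, 2887777037),
]


def int_to_ip(value):
    """Render a host-ordered 32-bit integer as a dotted-quad IPv4 string."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit IPv4 value: {value}")
    return str(ipaddress.IPv4Address(value))


def cidr_to_bounds(cidr):
    """Return (low, high) integers covering every address in an IPv4 network."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def build_src_query(cidr):
    """Build a parameterized range query against the integer ip_src column.

    Comparing integers lets the database use an index on ip_src, and the
    bounds are passed as bind parameters rather than pasted into the SQL.
    """
    low, high = cidr_to_bounds(cidr)
    sql = ("SELECT sid, cid, ip_src, ip_dst FROM iphdr "
           "WHERE ip_src BETWEEN %s AND %s")
    return sql, (low, high)


def filter_rows(rows, cidr):
    """Apply the same range test client-side and format addresses for display."""
    low, high = cidr_to_bounds(cidr)
    return [(cid, int_to_ip(src), int_to_ip(dst))
            for cid, src, dst in rows if low <= src <= high]


if __name__ == "__main__":
    print(build_src_query("172.16.0.0/12"))
    for row in filter_rows(SAMPLE_ROWS, "172.16.0.0/12"):
        print(row)
```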