[Snort-users] Barnyard2 output to postgreSQL

Avery Rozar Avery.Rozar at ...16118...
Sat May 24 13:48:33 EDT 2014


Thanks. I was able to use inet to bring them to dot-decimal notation, similar to what it looks like you were explaining for MySQL.

SELECT '0.0.0.0'::inet + ip_src as ipsrc,'0.0.0.0'::inet + ip_dst as ipdst from iphdr;

From: Y M <snort at ...15979...<mailto:snort at ...15979...>>
Date: Saturday, May 24, 2014 at 10:41 AM
To: Avery Rozar <avery.rozar at ...16118...<mailto:avery.rozar at ...16118...>>, snort-users <snort-users at lists.sourceforge.net<mailto:snort-users at lists.sourceforge.net>>
Subject: RE: [Snort-users] Barnyard2 output to postgreSQL

> Is this due to HEX encoding?

Databases do not have a dot-decimal notation data type to store IP addresses; instead they are usually stored as unsigned integers in the database to achieve a small storage footprint and better performance (as opposed to strings). In MySQL the conversion between the two notations can be done through the built-in functions INET_NTOA() and INET_ATON(). I do not have specific experience with PostgreSQL, but it may have similar functions that you can use in your query. There are online conversion tools as well that you can test with.

Hope this helps
YM
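The conversion both replies describe (unsigned 32-bit integer in the iphdr table on one side, dotted-decimal on the other, as MySQL's INET_NTOA()/INET_ATON() or the PostgreSQL '0.0.0.0'::inet + column trick do) can be checked outside the database. The example below is added here and is not code from the thread or from Barnyard2; it uses Python's standard ipaddress module, and the IPHDR_ROWS sample is constructed from the values in the quoted psql output. The reverse direction matters in practice: to search the table for a given host you convert the human-readable address once and compare against the integer column, rather than converting every row.

```python
import ipaddress

# Constructed sample input: (sid, cid, ip_src, ip_dst) copied from the
# iphdr rows shown in the thread; the other columns are omitted.
IPHDR_ROWS = [
    (1, 1, 2886730039, 2887777037),
    (1, 2, 2886730039, 2887777037),
    (1, 3, 1815870597, 2887777037),
]


def inet_ntoa(value: int) -> str:
    """Unsigned 32-bit integer -> dotted-decimal string (what INET_NTOA() does).

    Values outside 0..2**32-1 cannot be an IPv4 address; rejecting them
    surfaces schema problems (e.g. a column that is not wide enough) early.
    """
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"{value} is not an unsigned 32-bit value")
    return str(ipaddress.IPv4Address(value))


def inet_aton(text: str) -> int:
    """Dotted-decimal string -> unsigned 32-bit integer (what INET_ATON() does).

    ipaddress.IPv4Address validates the input, so malformed or out-of-range
    octets raise instead of silently producing a wrong integer.
    """
    return int(ipaddress.IPv4Address(text))


def decode_rows(rows):
    """Render the integer address columns of each row in dotted-decimal form."""
    return [(sid, cid, inet_ntoa(src), inet_ntoa(dst)) for sid, cid, src, dst in rows]


def events_from_host(rows, host: str):
    """Return (sid, cid) of every event whose ip_src equals `host`.

    Mirrors a WHERE ip_src = INET_ATON('...') clause: the search term is
    converted once, the stored integers are compared as-is.
    """
    needle = inet_aton(host)
    return [(sid, cid) for sid, cid, src, _dst in rows if src == needle]


if __name__ == "__main__":
    for sid, cid, src, dst in decode_rows(IPHDR_ROWS):
        print(f"sid={sid} cid={cid} {src} -> {dst}")
    print("events from 172.16.1.55:", events_from_host(IPHDR_ROWS, "172.16.1.55"))
```

Run it as a script to see the three rows from the thread rendered as addresses; the round trip inet_aton(inet_ntoa(x)) == x holds for any unsigned 32-bit x, which is a quick way to confirm that a database's own conversion functions agree with this mapping.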

> From: Avery.Rozar at ...16118...<mailto:Avery.Rozar at ...16118...>
> To: Avery.Rozar at ...16118...<mailto:Avery.Rozar at ...16118...>; snort-users at lists.sourceforge.net<mailto:snort-users at lists.sourceforge.net>
> Date: Sat, 24 May 2014 01:42:12 +0000
> Subject: Re: [Snort-users] Barnyard2 output to postgreSQL
>
> Is this due to HEX encoding?
>
> On 5/23/14, 9:25 PM, "Avery Rozar" <Avery.Rozar at ...16118...<mailto:Avery.Rozar at ...16118...>> wrote:
>
> >Is something wrong with my ip info from barnyard2? The ip addresses are not
> >showing up as standard IPv4 as I'd thought.
> >
> >csdashboard=# select * from iphdr ;
> > sid | cid |   ip_src   |   ip_dst   | ip_ver | ip_hlen | ip_tos | ip_len | ip_id | ip_flags | ip_off | ip_ttl | ip_proto | ip_csum
> >-----+-----+------------+------------+--------+---------+--------+--------+-------+----------+--------+--------+----------+---------
> >   1 |   1 | 2886730039 | 2887777037 |      4 |       5 |      0 |    663 |  4063 |        0 |      0 |     64 |        6 |   54285
> >   1 |   2 | 2886730039 | 2887777037 |      4 |       5 |      0 |    663 | 28735 |        0 |      0 |     64 |        6 |   29613
> >   1 |   3 | 1815870597 | 2887777037 |      4 |       5 |      0 |    419 | 51507 |        0 |      0 |     60 |        6 |   25651
> >
> >--------------------------------------------------------------------------
> >----
> >"Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
> >Instantly run your Selenium tests across 300+ browser/OS combos.
> >Get unparalleled scalability from the best Selenium testing platform
> >available
> >Simple to use. Nothing to install. Get started now for free."
> >http://p.sf.net/sfu/SauceLabs
> >_______________________________________________
> >Snort-users mailing list
> >Snort-users at lists.sourceforge.net<mailto:Snort-users at lists.sourceforge.net>
> >Go to this URL to change user options or unsubscribe:
> >https://lists.sourceforge.net/lists/listinfo/snort-users
> >Snort-users list archive:
> >http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> >Please visit http://blog.snort.org to stay current on all the latest
> >Snort news!