mysql db(sport and dport data type)
CS Lee
geek00l at gmail.com
Sun Jun 24 01:17:33 EDT 2012
hi Carter,
The argus database table contains the following -
| saddr | varchar(64) | NO | PRI | NULL | |
| sport | varchar(10) | NO | PRI | NULL | |
| dir | varchar(3) | YES | | NULL | |
| daddr | varchar(64) | NO | PRI | NULL | |
| dport | varchar(10) | NO | PRI | NULL | |
Do you think we should use varchar for sport and dport, I know you maybe
doing this because icmp sport and dport maybe 0x0000(type and code).
So in order to find port scanner, we need to do this(convert the value to
integer)
select saddr,daddr, MIN(CONVERT(dport,SIGNED INTEGER)) AS
dport_range1,MAX(CONVERT(dport,SIGNED INTEGER)) AS dport_range2,
COUNT(DISTINCT CONVERT(dport,SIGNED INTEGER)) AS unique_ports ,
COUNT(dport) AS total_detection from tbl_argus WHERE state='CON' AND stime
> x AND stime < y group by saddr,daddr ORDER by total_detection DESC limit
0,50;
Is that possible to change data type for sport and dport(and instead of
doing 0x[type][code], can we just use type and code without 0x. I'm not
sure if we are using sport and dport for other stuffs.
Currently the workaround is doing conversion, I'm not saying this is a
problem but rather some thoughts to share.
Thank you!
--
Best Regards,
CS Lee<geek00L[at]gmail.com>
http://geek00l.blogspot.com
http://defcraft.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20120624/21612fde/attachment.html>
More information about the argus
mailing list