mysql db(sport and dport data type)

Carter Bullard carter at qosient.com
Sun Jun 24 10:53:17 EDT 2012 

Hey CS Lee,
This request is in line with the need to insert IP addrs as integers, so that  masking and
range selection can be done easily for addresses.  Now you can specify the type on the
RA_FIELD_SPECIFIER line in your rarc file.
    RA_FIELD_SPECIFIER="stime flgs proto saddr::%u"

to print the src IP address as an unsigned int. You can do this with any field, many will
convert based on this directive, some will not (how to convert the label to an int ?)

Ports are defined as 'var char' because someone can insert the string from /etc/services
into the database.  Its just the use of -n that defines whether it will be a string or a number.

Now, with all of that, the basic support to do what you want to do is there, (specifying fields
as different data types), but what is missing is the automatic table generation piece.  

To modify that, all you need to do is modify  ./common/argus_util.h to  something like this:
osiris:clients carter$ diff -c ./include/argus_util.h ./include/argus_util.h.new
*** ./include/argus_util.h	Tue Jun 19 17:47:38 2012
--- ./include/argus_util.h.new	Sun Jun 24 10:43:34 2012
***************
*** 692,700 ****
  #define ARGUSPRINTPROTO			9
     { "proto", "", 6 , 1, 0, ARGUSPRINTPROTO, ArgusPrintProto, ArgusPrintProtoLabel, "varchar(16) not null", 0},
  #define ARGUSPRINTSRCPORT		10
!    { "sport", "", 6 , 1, 0, ARGUSPRINTSRCPORT, ArgusPrintSrcPort, ArgusPrintSrcPortLabel, "varchar(10) not null", 0},
  #define ARGUSPRINTDSTPORT		11
!    { "dport", "", 6 , 1, 0, ARGUSPRINTDSTPORT, ArgusPrintDstPort, ArgusPrintDstPortLabel, "varchar(10) not null", 0},
  #define ARGUSPRINTSRCTOS		12
     { "stos", "", 5 , 1, 0, ARGUSPRINTSRCTOS, ArgusPrintSrcTos, ArgusPrintSrcTosLabel, "tinyint unsigned", 0},
  #define ARGUSPRINTDSTTOS		13
--- 692,700 ----
  #define ARGUSPRINTPROTO			9
     { "proto", "", 6 , 1, 0, ARGUSPRINTPROTO, ArgusPrintProto, ArgusPrintProtoLabel, "varchar(16) not null", 0},
  #define ARGUSPRINTSRCPORT		10
!    { "sport", "", 6 , 1, 0, ARGUSPRINTSRCPORT, ArgusPrintSrcPort, ArgusPrintSrcPortLabel, "smallint unsigned", 0},
  #define ARGUSPRINTDSTPORT		11
!    { "dport", "", 6 , 1, 0, ARGUSPRINTDSTPORT, ArgusPrintDstPort, ArgusPrintDstPortLabel, "smallint unsigned", 0},
  #define ARGUSPRINTSRCTOS		12
     { "stos", "", 5 , 1, 0, ARGUSPRINTSRCTOS, ArgusPrintSrcTos, ArgusPrintSrcTosLabel, "tinyint unsigned", 0},
  #define ARGUSPRINTDSTTOS		13


Just make sure that you don't print out the port strings when you insert the data.
Even though we print the icmp port numbers as hex values, mysql should read them no problem.

I'll be putting the automatic table schema data type changes in argus-clients-3.0.7
Hope this is helpful !!!!


Carter

On Jun 24, 2012, at 1:17 AM, CS Lee wrote:

> hi Carter,
> 
> The argus database table contains the following -
> 
> | saddr     | varchar(64)           | NO   | PRI | NULL    |       |
> | sport     | varchar(10)           | NO   | PRI | NULL    |       |
> | dir       | varchar(3)            | YES  |     | NULL    |       |
> | daddr     | varchar(64)           | NO   | PRI | NULL    |       |
> | dport     | varchar(10)           | NO   | PRI | NULL    |       |
> 
> Do you think we should use varchar for sport and dport, I know you maybe doing this because icmp sport and dport maybe 0x0000(type and code). 
> 
> So in order to find port scanner, we need to do this(convert the value to integer)
> 
> select saddr,daddr, MIN(CONVERT(dport,SIGNED INTEGER)) AS dport_range1,MAX(CONVERT(dport,SIGNED INTEGER)) AS dport_range2, COUNT(DISTINCT CONVERT(dport,SIGNED INTEGER)) AS unique_ports , COUNT(dport) AS total_detection from tbl_argus WHERE state='CON' AND stime > x AND stime < y group by saddr,daddr ORDER by total_detection DESC limit 0,50;
> 
> Is that possible to change data type for sport and dport(and instead of doing 0x[type][code], can we just use type and code without 0x. I'm not sure if we are using sport and dport for other stuffs. 
> 
> Currently the workaround is doing conversion, I'm not saying this is a problem but rather some thoughts to share.
> 
> Thank you!
> 
> -- 
> Best Regards,
> 
> CS Lee<geek00L[at]gmail.com>
> 
> http://geek00l.blogspot.com
> http://defcraft.net

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20120624/eafcdf54/attachment.html>

More information about the argus mailing list