mysql db(sport and dport data type)

CS Lee geek00l at gmail.com
Sun Jun 24 11:46:46 EDT 2012 

hi Carter,

I will put a quick test and see how it goes, the saddr and daddr trick does
work so I try to make changes to argus_util.h and see how it goes. With all
those data type changes, mysql partition can work more efficiently.

Thank you!

On Sun, Jun 24, 2012 at 10:53 PM, Carter Bullard <carter at qosient.com> wrote:

> Hey CS Lee,
> This request is in line with the need to insert IP addrs as integers, so
> that  masking and
> range selection can be done easily for addresses.  Now you can specify the
> type on the
> RA_FIELD_SPECIFIER line in your rarc file.
>     RA_FIELD_SPECIFIER="stime flgs proto saddr::%u"
>
> to print the src IP address as an unsigned int. You can do this with any
> field, many will
> convert based on this directive, some will not (how to convert the label
> to an int ?)
>
> Ports are defined as 'var char' because someone can insert the string from
> /etc/services
> into the database.  Its just the use of -n that defines whether it will be
> a string or a number.
>
> Now, with all of that, the basic support to do what you want to do is
> there, (specifying fields
> as different data types), but what is missing is the automatic table
> generation piece.
>
> To modify that, all you need to do is modify  ./common/argus_util.h to
>  something like this:
> osiris:clients carter$ diff -c ./include/argus_util.h
> ./include/argus_util.h.new
> *** ./include/argus_util.h Tue Jun 19 17:47:38 2012
> --- ./include/argus_util.h.new Sun Jun 24 10:43:34 2012
> ***************
> *** 692,700 ****
>   #define ARGUSPRINTPROTO 9
>      { "proto", "", 6 , 1, 0, ARGUSPRINTPROTO, ArgusPrintProto,
> ArgusPrintProtoLabel, "varchar(16) not null", 0},
>   #define ARGUSPRINTSRCPORT 10
> !    { "sport", "", 6 , 1, 0, ARGUSPRINTSRCPORT, ArgusPrintSrcPort,
> ArgusPrintSrcPortLabel, "varchar(10) not null", 0},
>   #define ARGUSPRINTDSTPORT 11
> !    { "dport", "", 6 , 1, 0, ARGUSPRINTDSTPORT, ArgusPrintDstPort,
> ArgusPrintDstPortLabel, "varchar(10) not null", 0},
>   #define ARGUSPRINTSRCTOS 12
>      { "stos", "", 5 , 1, 0, ARGUSPRINTSRCTOS, ArgusPrintSrcTos,
> ArgusPrintSrcTosLabel, "tinyint unsigned", 0},
>   #define ARGUSPRINTDSTTOS 13
> --- 692,700 ----
>   #define ARGUSPRINTPROTO 9
>      { "proto", "", 6 , 1, 0, ARGUSPRINTPROTO, ArgusPrintProto,
> ArgusPrintProtoLabel, "varchar(16) not null", 0},
>   #define ARGUSPRINTSRCPORT 10
> !    { "sport", "", 6 , 1, 0, ARGUSPRINTSRCPORT, ArgusPrintSrcPort,
> ArgusPrintSrcPortLabel, "smallint unsigned", 0},
>   #define ARGUSPRINTDSTPORT 11
> !    { "dport", "", 6 , 1, 0, ARGUSPRINTDSTPORT, ArgusPrintDstPort,
> ArgusPrintDstPortLabel, "smallint unsigned", 0},
>   #define ARGUSPRINTSRCTOS 12
>      { "stos", "", 5 , 1, 0, ARGUSPRINTSRCTOS, ArgusPrintSrcTos,
> ArgusPrintSrcTosLabel, "tinyint unsigned", 0},
>   #define ARGUSPRINTDSTTOS 13
>
>
> Just make sure that you don't print out the port strings when you insert
> the data.
> Even though we print the icmp port numbers as hex values, mysql should
> read them no problem.
>
> I'll be putting the automatic table schema data type changes in
> argus-clients-3.0.7
> Hope this is helpful !!!!
>
>
> Carter
>
> On Jun 24, 2012, at 1:17 AM, CS Lee wrote:
>
> hi Carter,
>
> The argus database table contains the following -
>
> | saddr     | varchar(64)           | NO   | PRI | NULL    |       |
> | sport     | varchar(10)           | NO   | PRI | NULL    |       |
> | dir       | varchar(3)            | YES  |     | NULL    |       |
> | daddr     | varchar(64)           | NO   | PRI | NULL    |       |
> | dport     | varchar(10)           | NO   | PRI | NULL    |       |
>
> Do you think we should use varchar for sport and dport, I know you maybe
> doing this because icmp sport and dport maybe 0x0000(type and code).
>
> So in order to find port scanner, we need to do this(convert the value to
> integer)
>
> select saddr,daddr, MIN(CONVERT(dport,SIGNED INTEGER)) AS
> dport_range1,MAX(CONVERT(dport,SIGNED INTEGER)) AS dport_range2,
> COUNT(DISTINCT CONVERT(dport,SIGNED INTEGER)) AS unique_ports ,
> COUNT(dport) AS total_detection from tbl_argus WHERE state='CON' AND stime
> > x AND stime < y group by saddr,daddr ORDER by total_detection DESC limit
> 0,50;
>
> Is that possible to change data type for sport and dport(and instead of
> doing 0x[type][code], can we just use type and code without 0x. I'm not
> sure if we are using sport and dport for other stuffs.
>
> Currently the workaround is doing conversion, I'm not saying this is a
> problem but rather some thoughts to share.
>
> Thank you!
>
> --
> Best Regards,
>
> CS Lee<geek00L[at]gmail.com>
>
> http://geek00l.blogspot.com
> http://defcraft.net
>
>
>


-- 
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com
http://defcraft.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20120624/5c317bec/attachment.html>

More information about the argus mailing list