mysql db(sport and dport data type)

Carter Bullard carter at qosient.com
Sun Jun 24 12:38:32 EDT 2012 

Be sure and drop any existing tables that you may write into, to avoid writing into an old schema.

Carter


On Jun 24, 2012, at 11:46 AM, CS Lee <geek00l at gmail.com> wrote:

> hi Carter,
> 
> I will put a quick test and see how it goes, the saddr and daddr trick does work so I try to make changes to argus_util.h and see how it goes. With all those data type changes, mysql partition can work more efficiently.
> 
> Thank you!
> 
> On Sun, Jun 24, 2012 at 10:53 PM, Carter Bullard <carter at qosient.com> wrote:
> Hey CS Lee,
> This request is in line with the need to insert IP addrs as integers, so that  masking and
> range selection can be done easily for addresses.  Now you can specify the type on the
> RA_FIELD_SPECIFIER line in your rarc file.
>     RA_FIELD_SPECIFIER="stime flgs proto saddr::%u"
> 
> to print the src IP address as an unsigned int. You can do this with any field, many will
> convert based on this directive, some will not (how to convert the label to an int ?)
> 
> Ports are defined as 'var char' because someone can insert the string from /etc/services
> into the database.  Its just the use of -n that defines whether it will be a string or a number.
> 
> Now, with all of that, the basic support to do what you want to do is there, (specifying fields
> as different data types), but what is missing is the automatic table generation piece.  
> 
> To modify that, all you need to do is modify  ./common/argus_util.h to  something like this:
> osiris:clients carter$ diff -c ./include/argus_util.h ./include/argus_util.h.new
> *** ./include/argus_util.h	Tue Jun 19 17:47:38 2012
> --- ./include/argus_util.h.new	Sun Jun 24 10:43:34 2012
> ***************
> *** 692,700 ****
>   #define ARGUSPRINTPROTO			9
>      { "proto", "", 6 , 1, 0, ARGUSPRINTPROTO, ArgusPrintProto, ArgusPrintProtoLabel, "varchar(16) not null", 0},
>   #define ARGUSPRINTSRCPORT		10
> !    { "sport", "", 6 , 1, 0, ARGUSPRINTSRCPORT, ArgusPrintSrcPort, ArgusPrintSrcPortLabel, "varchar(10) not null", 0},
>   #define ARGUSPRINTDSTPORT		11
> !    { "dport", "", 6 , 1, 0, ARGUSPRINTDSTPORT, ArgusPrintDstPort, ArgusPrintDstPortLabel, "varchar(10) not null", 0},
>   #define ARGUSPRINTSRCTOS		12
>      { "stos", "", 5 , 1, 0, ARGUSPRINTSRCTOS, ArgusPrintSrcTos, ArgusPrintSrcTosLabel, "tinyint unsigned", 0},
>   #define ARGUSPRINTDSTTOS		13
> --- 692,700 ----
>   #define ARGUSPRINTPROTO			9
>      { "proto", "", 6 , 1, 0, ARGUSPRINTPROTO, ArgusPrintProto, ArgusPrintProtoLabel, "varchar(16) not null", 0},
>   #define ARGUSPRINTSRCPORT		10
> !    { "sport", "", 6 , 1, 0, ARGUSPRINTSRCPORT, ArgusPrintSrcPort, ArgusPrintSrcPortLabel, "smallint unsigned", 0},
>   #define ARGUSPRINTDSTPORT		11
> !    { "dport", "", 6 , 1, 0, ARGUSPRINTDSTPORT, ArgusPrintDstPort, ArgusPrintDstPortLabel, "smallint unsigned", 0},
>   #define ARGUSPRINTSRCTOS		12
>      { "stos", "", 5 , 1, 0, ARGUSPRINTSRCTOS, ArgusPrintSrcTos, ArgusPrintSrcTosLabel, "tinyint unsigned", 0},
>   #define ARGUSPRINTDSTTOS		13
> 
> 
> Just make sure that you don't print out the port strings when you insert the data.
> Even though we print the icmp port numbers as hex values, mysql should read them no problem.
> 
> I'll be putting the automatic table schema data type changes in argus-clients-3.0.7
> Hope this is helpful !!!!
> 
> 
> Carter
> 
> On Jun 24, 2012, at 1:17 AM, CS Lee wrote:
> 
>> hi Carter,
>> 
>> The argus database table contains the following -
>> 
>> | saddr     | varchar(64)           | NO   | PRI | NULL    |       |
>> | sport     | varchar(10)           | NO   | PRI | NULL    |       |
>> | dir       | varchar(3)            | YES  |     | NULL    |       |
>> | daddr     | varchar(64)           | NO   | PRI | NULL    |       |
>> | dport     | varchar(10)           | NO   | PRI | NULL    |       |
>> 
>> Do you think we should use varchar for sport and dport, I know you maybe doing this because icmp sport and dport maybe 0x0000(type and code). 
>> 
>> So in order to find port scanner, we need to do this(convert the value to integer)
>> 
>> select saddr,daddr, MIN(CONVERT(dport,SIGNED INTEGER)) AS dport_range1,MAX(CONVERT(dport,SIGNED INTEGER)) AS dport_range2, COUNT(DISTINCT CONVERT(dport,SIGNED INTEGER)) AS unique_ports , COUNT(dport) AS total_detection from tbl_argus WHERE state='CON' AND stime > x AND stime < y group by saddr,daddr ORDER by total_detection DESC limit 0,50;
>> 
>> Is that possible to change data type for sport and dport(and instead of doing 0x[type][code], can we just use type and code without 0x. I'm not sure if we are using sport and dport for other stuffs. 
>> 
>> Currently the workaround is doing conversion, I'm not saying this is a problem but rather some thoughts to share.
>> 
>> Thank you!
>> 
>> -- 
>> Best Regards,
>> 
>> CS Lee<geek00L[at]gmail.com>
>> 
>> http://geek00l.blogspot.com
>> http://defcraft.net
> 
> 
> 
> 
> -- 
> Best Regards,
> 
> CS Lee<geek00L[at]gmail.com>
> 
> http://geek00l.blogspot.com
> http://defcraft.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20120624/7b3fa1ec/attachment.html>

More information about the argus mailing list