mysql database changes
Carter Bullard
carter at qosient.com
Mon Jun 25 09:16:13 EDT 2012
Hey CS Lee,
Hmmmmm, well that is not how I thought it would go. This patch will enable the print format
extension for all port values. So, " sport::%d dport::%d" should work for icmp as well.
I'm adding this to the main thread of code, if it works for you, so it will be in any new
clients tarfiles that we release. And it will be in argus-clients-3.0.7.1.
Carter
==== //depot/argus-3.0.6/clients/common/argus_util.c#3 - /Volumes/Users/carter/argus/release/argus-3.0.6/clients/common/argus_util.c ====
7202,7205c7202,7203
< switch (proto) {
< case IPPROTO_ICMP:
< sprintf(upstr, "0x%4.4x", port);
< break;
---
> if (parser->RaPrintAlgorithmList[parser->RaPrintIndex] != NULL) {
> char *format = parser->RaPrintAlgorithmList[parser->RaPrintIndex]->format;
7207,7209c7205,7211
< default:
< sprintf(upstr, "%d", port);
< break;
---
> if ((format == NULL) || (strlen(format) == 0)) {
> switch (proto) {
> case IPPROTO_ICMP: format = "0x%4.4x"; break;
> default: format = "%d"; break;
> }
> }
> snprintf (upstr, 128, format, port);
Carter
On Jun 25, 2012, at 12:27 AM, CS Lee wrote:
> hi Carter,
>
> While the changes work correctly for tcp and udp, it seems the hex value doesn't get to convert to decimal for icmp in sport and dport.
>
> Default
> mysql> SELECT stime, saddr, sport, daddr, dport, spkts, dpkts, proto, state FROM tbl_argus;
> +-------------------+-------------+--------+----------------+--------+-------+-------+-------+-------+
> | stime | saddr | sport | daddr | dport | spkts | dpkts | proto | state |
> +-------------------+-------------+--------+----------------+--------+-------+-------+-------+-------+
> | 1340623505.000000 | 192.168.1.3 | 0x0008 | 209.85.175.139 | 0x1723 | 8 | 1 | icmp | ECO |
> +-------------------+-------------+--------+----------------+--------+-------+-------+-------+-------+
>
> After drop the table, and apply the patch
>
> mysql> SELECT stime, saddr, sport, daddr, dport, spkts, dpkts, proto, state FROM tbl_argus;
> +-------------------+------------+-------+------------+-------+-------+-------+-------+-------+
> | stime | saddr | sport | daddr | dport | spkts | dpkts | proto | state |
> +-------------------+------------+-------+------------+-------+-------+-------+-------+-------+
> | 1340623505.000000 | 3232235779 | 0 | 3512053643 | 0 | 8 | 1 | icmp | ECO |
> +-------------------+------------+-------+------------+-------+-------+-------+-------+-------+
> 1 row in set (0.00 sec)
>
> If hex conversion is right, then 0x0008 will be 8 and 0x1723 will be 5923 in decimal. Here's my testing table -
>
> mysql> desc tbl_argus;
> +-----------+-----------------------+------+-----+---------+----------------+
> | Field | Type | Null | Key | Default | Extra |
> +-----------+-----------------------+------+-----+---------+----------------+
> | autoid | int(11) | NO | PRI | NULL | auto_increment |
> | stime | double(18,6) unsigned | NO | | NULL | |
> | ltime | double(18,6) unsigned | NO | | NULL | |
> | dur | double(18,6) | NO | | NULL | |
> | srcid | varchar(64) | YES | | NULL | |
> | flgs | varchar(32) | YES | | NULL | |
> | proto | varchar(16) | NO | | NULL | |
> | saddr | varchar(64) | NO | | NULL | |
> | sport | smallint(5) unsigned | YES | | NULL | |
> | dir | varchar(3) | YES | | NULL | |
> | daddr | varchar(64) | NO | | NULL | |
> | dport | smallint(5) unsigned | YES | | NULL | |
> | pkts | bigint(20) | YES | | NULL | |
> | bytes | bigint(20) | YES | | NULL | |
> | appbytes | bigint(20) | YES | | NULL | |
> | state | varchar(32) | YES | | NULL | |
> | spkts | bigint(20) | YES | | NULL | |
> | dpkts | bigint(20) | YES | | NULL | |
> | sbytes | bigint(20) | YES | | NULL | |
> | dbytes | bigint(20) | YES | | NULL | |
> | sappbytes | bigint(20) | YES | | NULL | |
> | dappbytes | bigint(20) | YES | | NULL | |
> | smaxsz | smallint(5) unsigned | YES | | NULL | |
> | dmaxsz | smallint(5) unsigned | YES | | NULL | |
> | sminsz | smallint(5) unsigned | YES | | NULL | |
> | dminsz | smallint(5) unsigned | YES | | NULL | |
> | smac | varchar(24) | YES | | NULL | |
> | dmac | varchar(24) | YES | | NULL | |
> | sco | varchar(2) | YES | | NULL | |
> | dco | varchar(2) | YES | | NULL | |
> | sas | int(10) unsigned | YES | | NULL | |
> | das | int(10) unsigned | YES | | NULL | |
> | record | blob | YES | | NULL | |
> +-----------+-----------------------+------+-----+---------+----------------+
> 33 rows in set (0.01 sec)
>
> --
> Best Regards,
>
> CS Lee<geek00L[at]gmail.com>
>
> http://geek00l.blogspot.com
> http://defcraft.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20120625/58c2c397/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4367 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20120625/58c2c397/attachment.bin>
More information about the argus
mailing list