mysql database changes - new patch

CS Lee geek00l at gmail.com
Mon Jun 25 09:48:58 EDT 2012 

hi Carter,

I tested the previous patch and it works, so I'm testing this one now.

On Mon, Jun 25, 2012 at 9:27 PM, Carter Bullard <carter at qosient.com> wrote:

> Hey CS Lee,
> My bad, I needed to change a few lines, as the conditional shouldn't
> define the scope !!!!!
> Here is a new patch that should work a bit better:
>
> ==== //depot/argus-3.0.6/clients/common/argus_util.c#3 -
> /Volumes/Users/carter/argus/release/argus-3.0.6/clients/common/argus_util.c
> ====
> 7200c7200
> <       char upbuf[32], *upstr = upbuf;
> ---
> >       char upbuf[32], *upstr = upbuf, *format = NULL;
> 7202,7205c7202,7203
> <       switch (proto) {
> <          case IPPROTO_ICMP:
> <             sprintf(upstr, "0x%4.4x", port);
> <             break;
> ---
> >       if (parser->RaPrintAlgorithmList[parser->RaPrintIndex] != NULL)
> >          format =
> parser->RaPrintAlgorithmList[parser->RaPrintIndex]->format;
> 7207,7209c7205,7209
> <          default:
> <             sprintf(upstr, "%d", port);
> <             break;
> ---
> >       if ((format == NULL) || (strlen(format) == 0)) {
> >          switch (proto) {
> >             case IPPROTO_ICMP: format = "0x%4.4x"; break;
> >             default: format = "%d"; break;
> >          }
> 7211a7212,7213
> >       snprintf (upstr, 128, format, port);
> >
>
> Carter
>
> On Jun 25, 2012, at 9:16 AM, Carter Bullard wrote:
>
> Hey CS Lee,
> Hmmmmm, well that is not how I thought it would go.  This patch will
> enable the print format
> extension for all port values.   So, " sport::%d dport::%d" should work
> for icmp as well.
>
> I'm adding this to the main thread of code, if it works for you, so it
> will be in any new
> clients tarfiles that we release.  And it will be in argus-clients-3.0.7.1.
>
> Carter
>
> ==== //depot/argus-3.0.6/clients/common/argus_util.c#3 -
> /Volumes/Users/carter/argus/release/argus-3.0.6/clients/common/argus_util.c
> ====
> 7202,7205c7202,7203
> <       switch (proto) {
> <          case IPPROTO_ICMP:
> <             sprintf(upstr, "0x%4.4x", port);
> <             break;
> ---
> >       if (parser->RaPrintAlgorithmList[parser->RaPrintIndex] != NULL) {
> >          char *format =
> parser->RaPrintAlgorithmList[parser->RaPrintIndex]->format;
> 7207,7209c7205,7211
> <          default:
> <             sprintf(upstr, "%d", port);
> <             break;
> ---
> >          if ((format == NULL) || (strlen(format) == 0)) {
> >             switch (proto) {
> >                case IPPROTO_ICMP: format = "0x%4.4x"; break;
> >                default: format = "%d"; break;
> >             }
> >          }
> >          snprintf (upstr, 128, format, port);
>
> Carter
>
> On Jun 25, 2012, at 12:27 AM, CS Lee wrote:
>
> hi Carter,
>
> While the changes work correctly for tcp and udp, it seems the hex value
> doesn't get to convert to decimal for icmp in sport and dport.
>
> Default
> mysql> SELECT stime, saddr, sport, daddr, dport, spkts, dpkts, proto,
> state FROM tbl_argus;
>
> +-------------------+-------------+--------+----------------+--------+-------+-------+-------+-------+
> | stime             | saddr       | sport  | daddr          | dport  |
> spkts | dpkts | proto | state |
>
> +-------------------+-------------+--------+----------------+--------+-------+-------+-------+-------+
> | 1340623505.000000 | 192.168.1.3 | 0x0008 | 209.85.175.139 | 0x1723 |
> 8 |     1 | icmp  | ECO   |
>
> +-------------------+-------------+--------+----------------+--------+-------+-------+-------+-------+
>
> After drop the table, and apply the patch
>
> mysql> SELECT stime, saddr, sport, daddr, dport, spkts, dpkts, proto,
> state FROM tbl_argus;
>
> +-------------------+------------+-------+------------+-------+-------+-------+-------+-------+
> | stime             | saddr      | sport | daddr      | dport | spkts |
> dpkts | proto | state |
>
> +-------------------+------------+-------+------------+-------+-------+-------+-------+-------+
> | 1340623505.000000 | 3232235779 |     0 | 3512053643 |     0 |     8 |
>   1 | icmp  | ECO   |
>
> +-------------------+------------+-------+------------+-------+-------+-------+-------+-------+
> 1 row in set (0.00 sec)
>
> If hex conversion is right, then 0x0008 will be 8 and 0x1723 will be 5923
> in decimal. Here's my testing table -
>
> mysql> desc tbl_argus;
>
> +-----------+-----------------------+------+-----+---------+----------------+
> | Field     | Type                  | Null | Key | Default | Extra
>  |
>
> +-----------+-----------------------+------+-----+---------+----------------+
> | autoid    | int(11)               | NO   | PRI | NULL    |
> auto_increment |
> | stime     | double(18,6) unsigned | NO   |     | NULL    |
>  |
> | ltime     | double(18,6) unsigned | NO   |     | NULL    |
>  |
> | dur       | double(18,6)          | NO   |     | NULL    |
>  |
> | srcid     | varchar(64)           | YES  |     | NULL    |
>  |
> | flgs      | varchar(32)           | YES  |     | NULL    |
>  |
> | proto     | varchar(16)           | NO   |     | NULL    |
>  |
> | saddr     | varchar(64)           | NO   |     | NULL    |
>  |
> | sport     | smallint(5) unsigned  | YES  |     | NULL    |
>  |
> | dir       | varchar(3)            | YES  |     | NULL    |
>  |
> | daddr     | varchar(64)           | NO   |     | NULL    |
>  |
> | dport     | smallint(5) unsigned  | YES  |     | NULL    |
>  |
> | pkts      | bigint(20)            | YES  |     | NULL    |
>  |
> | bytes     | bigint(20)            | YES  |     | NULL    |
>  |
> | appbytes  | bigint(20)            | YES  |     | NULL    |
>  |
> | state     | varchar(32)           | YES  |     | NULL    |
>  |
> | spkts     | bigint(20)            | YES  |     | NULL    |
>  |
> | dpkts     | bigint(20)            | YES  |     | NULL    |
>  |
> | sbytes    | bigint(20)            | YES  |     | NULL    |
>  |
> | dbytes    | bigint(20)            | YES  |     | NULL    |
>  |
> | sappbytes | bigint(20)            | YES  |     | NULL    |
>  |
> | dappbytes | bigint(20)            | YES  |     | NULL    |
>  |
> | smaxsz    | smallint(5) unsigned  | YES  |     | NULL    |
>  |
> | dmaxsz    | smallint(5) unsigned  | YES  |     | NULL    |
>  |
> | sminsz    | smallint(5) unsigned  | YES  |     | NULL    |
>  |
> | dminsz    | smallint(5) unsigned  | YES  |     | NULL    |
>  |
> | smac      | varchar(24)           | YES  |     | NULL    |
>  |
> | dmac      | varchar(24)           | YES  |     | NULL    |
>  |
> | sco       | varchar(2)            | YES  |     | NULL    |
>  |
> | dco       | varchar(2)            | YES  |     | NULL    |
>  |
> | sas       | int(10) unsigned      | YES  |     | NULL    |
>  |
> | das       | int(10) unsigned      | YES  |     | NULL    |
>  |
> | record    | blob                  | YES  |     | NULL    |
>  |
>
> +-----------+-----------------------+------+-----+---------+----------------+
> 33 rows in set (0.01 sec)
>
> --
> Best Regards,
>
> CS Lee<geek00L[at]gmail.com>
>
> http://geek00l.blogspot.com
> http://defcraft.net
>
>
>
>


-- 
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com
http://defcraft.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20120625/336000b8/attachment.html>

More information about the argus mailing list