I'm trying to view IPS alerts from snort, the alerts are being inserted into the database via barnyard2. https://github.com/firnsy/barnyard2
When I use SELECT ip_src FROM iphdr; I get this back from PostgreSQL:
ip_src
------------
2886730039
2886730039
1815870597
1815870597
3325194354
3325194354
Is it safe to assume that these are some sort of index numbers? It's obviously not in standard IPv4 form.
When the table was created, an index was also created.
CREATE TABLE iphdr ( sid INT4 NOT NULL,
cid INT8 NOT NULL,
ip_src INT8 NOT NULL,
ip_dst INT8 NOT NULL,
ip_ver INT2,
ip_hlen INT2,
ip_tos INT2,
ip_len INT4,
ip_id INT4,
ip_flags INT2,
ip_off INT4,
ip_ttl INT2,
ip_proto INT2 NOT NULL,
ip_csum INT4,
PRIMARY KEY (sid,cid));
CREATE INDEX ip_src_idx ON iphdr (ip_src);
CREATE INDEX ip_dst_idx ON iphdr (ip_dst);
How do I query this table and get the actual IP address from this index?
An obvious solution would be to use the proper datatype, i.e. the Postgres inet datatype:
CREATE TABLE iphdr ( sid INT4 NOT NULL,
cid INT8 NOT NULL,
ip_src inet NOT NULL,
ip_dst inet NOT NULL,
-- ... remaining columns unchanged from the original definition ...
PRIMARY KEY (sid,cid));
which will allow you to insert network addresses literally:
insert into iphdr (ip_src, ip_dst) values ('192.168.0.1','192.168.0.2')
If you use this datatype, there are several specialized functions and operators that will help you use them, e.g. in WHERE clauses.
If you have no control over incoming data, these data types can still help you to display the values in a recognizable format:
-- inet + bigint yields inet, so the stored 32-bit integer is shown as a dotted-quad address
SELECT '0.0.0.0'::inet + ip_src AS ipsrc, '0.0.0.0'::inet + ip_dst AS ipdst
FROM iphdr;
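As an added example (not part of the question or the answer above), the same conversion done client-side with Python's ipaddress module, plus a range query that filters on the stored integer so the existing ip_src_idx index can still be used. The sample values are the ones returned by the question's SELECT; the function names and query shape are my own.

```python
import ipaddress
from typing import List, Tuple

# Values copied from the question's SELECT ip_src FROM iphdr output.
SAMPLE_IP_SRC = [2886730039, 1815870597, 3325194354]


def int_to_ipv4(value: int) -> str:
    """Decode the unsigned 32-bit integer barnyard2 stores in iphdr.ip_src/ip_dst.

    Equivalent to '0.0.0.0'::inet + ip_src in PostgreSQL.
    """
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"not an unsigned 32-bit value: {value}")
    return str(ipaddress.IPv4Address(value))


def ipv4_to_int(text: str) -> int:
    """Inverse of int_to_ipv4: dotted quad -> integer as stored in the table."""
    return int(ipaddress.IPv4Address(text))


def decode_rows(rows: List[int]) -> List[str]:
    """Decode a column of stored integers into readable addresses."""
    return [int_to_ipv4(v) for v in rows]


def cidr_int_range(cidr: str) -> Tuple[int, int]:
    """Integer bounds (network, broadcast) of an IPv4 CIDR block."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def alerts_from_network_query(cidr: str) -> Tuple[str, Tuple[int, int]]:
    """Build a parameterised query for alerts whose source lies in `cidr`.

    Comparing the stored integer against the block's bounds keeps the
    predicate sargable on ip_src_idx; converting ip_src per row in the
    WHERE clause would force a full scan. Use with a DB-API driver such
    as psycopg2 (%s placeholders).
    """
    lo, hi = cidr_int_range(cidr)
    sql = (
        "SELECT sid, cid, '0.0.0.0'::inet + ip_src AS ip_src, "
        "'0.0.0.0'::inet + ip_dst AS ip_dst "
        "FROM iphdr WHERE ip_src BETWEEN %s AND %s"
    )
    return sql, (lo, hi)


if __name__ == "__main__":
    print(decode_rows(SAMPLE_IP_SRC))
```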