Argus Development mailing list - Real Time Flow Monitor (RTFM) for comprehensive IP network traffic auditing

headers

CS Lee | 24 Jun 2012 07:17

mysql db(sport and dport data type)

hi Carter,

The argus database table contains the following -

| dir | varchar(3) | YES | | NULL | |

Do you think we should use varchar for sport and dport, I know you maybe doing this because icmp sport and dport maybe 0x0000(type and code).

So in order to find port scanner, we need to do this(convert the value to integer)

select saddr,daddr, MIN(CONVERT(dport,SIGNED INTEGER)) AS dport_range1,MAX(CONVERT(dport,SIGNED INTEGER)) AS dport_range2, COUNT(DISTINCT CONVERT(dport,SIGNED INTEGER)) AS unique_ports , COUNT(dport) AS total_detection from tbl_argus WHERE state='CON' AND stime > x AND stime < y group by saddr,daddr ORDER by total_detection DESC limit 0,50;

Is that possible to change data type for sport and dport(and instead of doing 0x[type][code], can we just use type and code without 0x. I'm not sure if we are using sport and dport for other stuffs.

Currently the workaround is doing conversion, I'm not saying this is a problem but rather some thoughts to share.

Thank you!

--
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com
http://defcraft.net

headers

Carter Bullard | 24 Jun 2012 16:53

Re: mysql db(sport and dport data type)

Hey CS Lee,

This request is in line with the need to insert IP addrs as integers, so that masking and

range selection can be done easily for addresses. Now you can specify the type on the

RA_FIELD_SPECIFIER line in your rarc file.

RA_FIELD_SPECIFIER="stime flgs proto saddr::%u"

to print the src IP address as an unsigned int. You can do this with any field, many will

convert based on this directive, some will not (how to convert the label to an int ?)

Ports are defined as 'var char' because someone can insert the string from /etc/services

into the database. Its just the use of -n that defines whether it will be a string or a number.

Now, with all of that, the basic support to do what you want to do is there, (specifying fields

as different data types), but what is missing is the automatic table generation piece.

To modify that, all you need to do is modify ./common/argus_util.h to something like this:

osiris:clients carter$ diff -c ./include/argus_util.h ./include/argus_util.h.new

*** ./include/argus_util.h Tue Jun 19 17:47:38 2012

--- ./include/argus_util.h.new Sun Jun 24 10:43:34 2012

***************

*** 692,700 ****

#define ARGUSPRINTPROTO 9

{ "proto", "", 6 , 1, 0, ARGUSPRINTPROTO, ArgusPrintProto, ArgusPrintProtoLabel, "varchar(16) not null", 0},

#define ARGUSPRINTSRCPORT 10

! { "sport", "", 6 , 1, 0, ARGUSPRINTSRCPORT, ArgusPrintSrcPort, ArgusPrintSrcPortLabel, "varchar(10) not null", 0},

#define ARGUSPRINTDSTPORT 11

! { "dport", "", 6 , 1, 0, ARGUSPRINTDSTPORT, ArgusPrintDstPort, ArgusPrintDstPortLabel, "varchar(10) not null", 0},

#define ARGUSPRINTSRCTOS 12

{ "stos", "", 5 , 1, 0, ARGUSPRINTSRCTOS, ArgusPrintSrcTos, ArgusPrintSrcTosLabel, "tinyint unsigned", 0},

#define ARGUSPRINTDSTTOS 13

--- 692,700 ----

#define ARGUSPRINTPROTO 9

{ "proto", "", 6 , 1, 0, ARGUSPRINTPROTO, ArgusPrintProto, ArgusPrintProtoLabel, "varchar(16) not null", 0},

#define ARGUSPRINTSRCPORT 10

! { "sport", "", 6 , 1, 0, ARGUSPRINTSRCPORT, ArgusPrintSrcPort, ArgusPrintSrcPortLabel, "smallint unsigned", 0},

#define ARGUSPRINTDSTPORT 11

! { "dport", "", 6 , 1, 0, ARGUSPRINTDSTPORT, ArgusPrintDstPort, ArgusPrintDstPortLabel, "smallint unsigned", 0},

#define ARGUSPRINTSRCTOS 12

{ "stos", "", 5 , 1, 0, ARGUSPRINTSRCTOS, ArgusPrintSrcTos, ArgusPrintSrcTosLabel, "tinyint unsigned", 0},

#define ARGUSPRINTDSTTOS 13

Just make sure that you don't print out the port strings when you insert the data.

Even though we print the icmp port numbers as hex values, mysql should read them no problem.

I'll be putting the automatic table schema data type changes in argus-clients-3.0.7

Hope this is helpful !!!!

Carter

On Jun 24, 2012, at 1:17 AM, CS Lee wrote:

hi Carter,

The argus database table contains the following -

| saddr | varchar(64) | NO | PRI | NULL | |

| sport | varchar(10) | NO | PRI | NULL | |

| dir | varchar(3) | YES | | NULL | |

| daddr | varchar(64) | NO | PRI | NULL | |

| dport | varchar(10) | NO | PRI | NULL | |

Do you think we should use varchar for sport and dport, I know you maybe doing this because icmp sport and dport maybe 0x0000(type and code).

So in order to find port scanner, we need to do this(convert the value to integer)

select saddr,daddr, MIN(CONVERT(dport,SIGNED INTEGER)) AS dport_range1,MAX(CONVERT(dport,SIGNED INTEGER)) AS dport_range2, COUNT(DISTINCT CONVERT(dport,SIGNED INTEGER)) AS unique_ports , COUNT(dport) AS total_detection from tbl_argus WHERE state='CON' AND stime > x AND stime < y group by saddr,daddr ORDER by total_detection DESC limit 0,50;

Is that possible to change data type for sport and dport(and instead of doing 0x[type][code], can we just use type and code without 0x. I'm not sure if we are using sport and dport for other stuffs.

Currently the workaround is doing conversion, I'm not saying this is a problem but rather some thoughts to share.

Thank you!

--
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com
http://defcraft.net

headers

CS Lee | 24 Jun 2012 17:46

Re: mysql db(sport and dport data type)

hi Carter,

I will put a quick test and see how it goes, the saddr and daddr trick does work so I try to make changes to argus_util.h and see how it goes. With all those data type changes, mysql partition can work more efficiently.

Thank you!

On Sun, Jun 24, 2012 at 10:53 PM, Carter Bullard <carter <at> qosient.com> wrote:

Hey CS Lee,
This request is in line with the need to insert IP addrs as integers, so that masking and

range selection can be done easily for addresses. Now you can specify the type on the

RA_FIELD_SPECIFIER line in your rarc file.

RA_FIELD_SPECIFIER="stime flgs proto saddr::%u"

to print the src IP address as an unsigned int. You can do this with any field, many will

convert based on this directive, some will not (how to convert the label to an int ?)

Ports are defined as 'var char' because someone can insert the string from /etc/services

into the database. Its just the use of -n that defines whether it will be a string or a number.

Now, with all of that, the basic support to do what you want to do is there, (specifying fields

as different data types), but what is missing is the automatic table generation piece.

To modify that, all you need to do is modify ./common/argus_util.h to something like this:

osiris:clients carter$ diff -c ./include/argus_util.h ./include/argus_util.h.new

*** ./include/argus_util.h Tue Jun 19 17:47:38 2012

--- ./include/argus_util.h.new Sun Jun 24 10:43:34 2012

***************

*** 692,700 ****

#define ARGUSPRINTPROTO 9

{ "proto", "", 6 , 1, 0, ARGUSPRINTPROTO, ArgusPrintProto, ArgusPrintProtoLabel, "varchar(16) not null", 0},

#define ARGUSPRINTSRCPORT 10

! { "sport", "", 6 , 1, 0, ARGUSPRINTSRCPORT, ArgusPrintSrcPort, ArgusPrintSrcPortLabel, "varchar(10) not null", 0},

#define ARGUSPRINTDSTPORT 11

! { "dport", "", 6 , 1, 0, ARGUSPRINTDSTPORT, ArgusPrintDstPort, ArgusPrintDstPortLabel, "varchar(10) not null", 0},

#define ARGUSPRINTSRCTOS 12

{ "stos", "", 5 , 1, 0, ARGUSPRINTSRCTOS, ArgusPrintSrcTos, ArgusPrintSrcTosLabel, "tinyint unsigned", 0},

#define ARGUSPRINTDSTTOS 13

--- 692,700 ----

#define ARGUSPRINTPROTO 9

{ "proto", "", 6 , 1, 0, ARGUSPRINTPROTO, ArgusPrintProto, ArgusPrintProtoLabel, "varchar(16) not null", 0},

#define ARGUSPRINTSRCPORT 10

! { "sport", "", 6 , 1, 0, ARGUSPRINTSRCPORT, ArgusPrintSrcPort, ArgusPrintSrcPortLabel, "smallint unsigned", 0},

#define ARGUSPRINTDSTPORT 11

! { "dport", "", 6 , 1, 0, ARGUSPRINTDSTPORT, ArgusPrintDstPort, ArgusPrintDstPortLabel, "smallint unsigned", 0},

#define ARGUSPRINTSRCTOS 12

{ "stos", "", 5 , 1, 0, ARGUSPRINTSRCTOS, ArgusPrintSrcTos, ArgusPrintSrcTosLabel, "tinyint unsigned", 0},

#define ARGUSPRINTDSTTOS 13

Just make sure that you don't print out the port strings when you insert the data.

Even though we print the icmp port numbers as hex values, mysql should read them no problem.

I'll be putting the automatic table schema data type changes in argus-clients-3.0.7

Hope this is helpful !!!!

Carter

On Jun 24, 2012, at 1:17 AM, CS Lee wrote:

hi Carter,

The argus database table contains the following -

| saddr | varchar(64) | NO | PRI | NULL | |

| sport | varchar(10) | NO | PRI | NULL | |

| dir | varchar(3) | YES | | NULL | |

| daddr | varchar(64) | NO | PRI | NULL | |

| dport | varchar(10) | NO | PRI | NULL | |

Do you think we should use varchar for sport and dport, I know you maybe doing this because icmp sport and dport maybe 0x0000(type and code).

So in order to find port scanner, we need to do this(convert the value to integer)

select saddr,daddr, MIN(CONVERT(dport,SIGNED INTEGER)) AS dport_range1,MAX(CONVERT(dport,SIGNED INTEGER)) AS dport_range2, COUNT(DISTINCT CONVERT(dport,SIGNED INTEGER)) AS unique_ports , COUNT(dport) AS total_detection from tbl_argus WHERE state='CON' AND stime > x AND stime < y group by saddr,daddr ORDER by total_detection DESC limit 0,50;

Is that possible to change data type for sport and dport(and instead of doing 0x[type][code], can we just use type and code without 0x. I'm not sure if we are using sport and dport for other stuffs.

Currently the workaround is doing conversion, I'm not saying this is a problem but rather some thoughts to share.

Thank you!

--
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com
http://defcraft.net

--
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com
http://defcraft.net

headers

Carter Bullard | 24 Jun 2012 18:38

Re: mysql db(sport and dport data type)

Be sure and drop any existing tables that you may write into, to avoid writing into an old schema.

Carter

On Jun 24, 2012, at 11:46 AM, CS Lee <geek00l <at> gmail.com> wrote:

hi Carter,

I will put a quick test and see how it goes, the saddr and daddr trick does work so I try to make changes to argus_util.h and see how it goes. With all those data type changes, mysql partition can work more efficiently.

Thank you!

On Sun, Jun 24, 2012 at 10:53 PM, Carter Bullard <carter <at> qosient.com> wrote:
Hey CS Lee,
This request is in line with the need to insert IP addrs as integers, so that masking and

range selection can be done easily for addresses. Now you can specify the type on the

RA_FIELD_SPECIFIER line in your rarc file.

RA_FIELD_SPECIFIER="stime flgs proto saddr::%u"

to print the src IP address as an unsigned int. You can do this with any field, many will

convert based on this directive, some will not (how to convert the label to an int ?)

Ports are defined as 'var char' because someone can insert the string from /etc/services

into the database. Its just the use of -n that defines whether it will be a string or a number.

Now, with all of that, the basic support to do what you want to do is there, (specifying fields

as different data types), but what is missing is the automatic table generation piece.

To modify that, all you need to do is modify ./common/argus_util.h to something like this:

osiris:clients carter$ diff -c ./include/argus_util.h ./include/argus_util.h.new

*** ./include/argus_util.h Tue Jun 19 17:47:38 2012

--- ./include/argus_util.h.new Sun Jun 24 10:43:34 2012

***************

*** 692,700 ****

#define ARGUSPRINTPROTO 9

{ "proto", "", 6 , 1, 0, ARGUSPRINTPROTO, ArgusPrintProto, ArgusPrintProtoLabel, "varchar(16) not null", 0},

#define ARGUSPRINTSRCPORT 10

! { "sport", "", 6 , 1, 0, ARGUSPRINTSRCPORT, ArgusPrintSrcPort, ArgusPrintSrcPortLabel, "varchar(10) not null", 0},

#define ARGUSPRINTDSTPORT 11

! { "dport", "", 6 , 1, 0, ARGUSPRINTDSTPORT, ArgusPrintDstPort, ArgusPrintDstPortLabel, "varchar(10) not null", 0},

#define ARGUSPRINTSRCTOS 12

{ "stos", "", 5 , 1, 0, ARGUSPRINTSRCTOS, ArgusPrintSrcTos, ArgusPrintSrcTosLabel, "tinyint unsigned", 0},

#define ARGUSPRINTDSTTOS 13

--- 692,700 ----

#define ARGUSPRINTPROTO 9

{ "proto", "", 6 , 1, 0, ARGUSPRINTPROTO, ArgusPrintProto, ArgusPrintProtoLabel, "varchar(16) not null", 0},

#define ARGUSPRINTSRCPORT 10

! { "sport", "", 6 , 1, 0, ARGUSPRINTSRCPORT, ArgusPrintSrcPort, ArgusPrintSrcPortLabel, "smallint unsigned", 0},

#define ARGUSPRINTDSTPORT 11

! { "dport", "", 6 , 1, 0, ARGUSPRINTDSTPORT, ArgusPrintDstPort, ArgusPrintDstPortLabel, "smallint unsigned", 0},

#define ARGUSPRINTSRCTOS 12

{ "stos", "", 5 , 1, 0, ARGUSPRINTSRCTOS, ArgusPrintSrcTos, ArgusPrintSrcTosLabel, "tinyint unsigned", 0},

#define ARGUSPRINTDSTTOS 13

Just make sure that you don't print out the port strings when you insert the data.

Even though we print the icmp port numbers as hex values, mysql should read them no problem.

I'll be putting the automatic table schema data type changes in argus-clients-3.0.7

Hope this is helpful !!!!

Carter

On Jun 24, 2012, at 1:17 AM, CS Lee wrote:

hi Carter,

The argus database table contains the following -

| saddr | varchar(64) | NO | PRI | NULL | |

| sport | varchar(10) | NO | PRI | NULL | |

| dir | varchar(3) | YES | | NULL | |

| daddr | varchar(64) | NO | PRI | NULL | |

| dport | varchar(10) | NO | PRI | NULL | |

Do you think we should use varchar for sport and dport, I know you maybe doing this because icmp sport and dport maybe 0x0000(type and code).

So in order to find port scanner, we need to do this(convert the value to integer)

select saddr,daddr, MIN(CONVERT(dport,SIGNED INTEGER)) AS dport_range1,MAX(CONVERT(dport,SIGNED INTEGER)) AS dport_range2, COUNT(DISTINCT CONVERT(dport,SIGNED INTEGER)) AS unique_ports , COUNT(dport) AS total_detection from tbl_argus WHERE state='CON' AND stime > x AND stime < y group by saddr,daddr ORDER by total_detection DESC limit 0,50;

Is that possible to change data type for sport and dport(and instead of doing 0x[type][code], can we just use type and code without 0x. I'm not sure if we are using sport and dport for other stuffs.

Currently the workaround is doing conversion, I'm not saying this is a problem but rather some thoughts to share.

Thank you!

--
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com
http://defcraft.net

--
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com
http://defcraft.net