Snort mailing list archives
RE: Partial IP searching with ACID?
From: roman () danyliw com
Date: Tue, 14 Aug 2001 18:15:03 US/Eastern
Hi Kevin and Phil,

Funny you should make this request Kevin. I committed some code yesterday which adds support for CIDR masks (e.g. 10.6.0.0/16). Have you been working with that?

In reference to searching with 2 Class-Bs, that is also possible:

Source = 10.1.0.0/16
AND
Source = 10.2.0.0/16

Update and let me know if you are still having problems. The lack of _real_ 32-bit unsigned int bitwise ops in PHP made the code messier than it should have been.

Roman
OK, well then I guess this is a feature request for ACID. My problem is that I'm monitoring a total of 2 Class B subnets and it would be useful if I could do partial IP searching to see what IPs on this campus are doing bad things (like Code Red infected systems).

-----Original Message-----
From: Phil Wood [mailto:cpw () lanl gov]
Sent: Tuesday, August 14, 2001 09:18
To: Kevin Brown
Cc: roman () danyliw com
Subject: Re: [Snort-users] Partial IP searching with ACID?

Oops, me too. My version of ACID is v0.9.6b11, and I get the same thing. (BACKDOOR Q access, BTW)

On Tue, Aug 14, 2001 at 07:53:18AM -0700, Kevin Brown wrote:
I just tried that looking for 129.219.0.0/16 as the source and got back 15 results. The problem is, the results were for 255.255.255.255 as the source.

-----Original Message-----
From: Phil Wood [mailto:cpw () lanl gov]
Sent: Monday, August 13, 2001 15:35
To: Kevin Brown
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Partial IP searching with ACID?

I've used cidr representation with success: 192.168.114.0/24 As long as I remembered to set the /source/dest/both/ flag and '=' option.

On Mon, Aug 13, 2001 at 02:41:50PM -0700, Kevin Brown wrote:
I'm currently running Snort 1.8b7, schema 103 in a Mysql db, Acid .9.6b14 with php 4.0.6. Is it possible to do searching with just partial IPs? (e.g. search for 224.226.x.x). I'm trying to find a list of infected hosts on my network, but when I just enter a partial IP on the search page I get an error:

Database ERROR: You have an error in your SQL syntax near '))' at line 1

END OF LINE...
-- Phil Wood, cpw () lanl gov

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
---------------------------------------------
This message was sent using Voicenet WebMail. http://www.voicenet.com/webmail/
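An added example (not code from ACID or from anyone in this thread), in Python rather than ACID's PHP, of the partial-IP and CIDR handling the thread discusses: it turns a partial address like 224.226.x.x into a CIDR block, computes the block's bounds with unsigned 32-bit arithmetic, builds a range clause for several blocks (the two Class Bs), and shows how the same values go negative when held as 32-bit signed ints. The column name ip_src and the BETWEEN clause are assumptions about the schema, not taken from the thread.

```python
MASK32 = 0xFFFFFFFF

def ip2long(dotted):
    """Dotted quad -> unsigned 32-bit int (like PHP's ip2long, but never negative)."""
    octets = dotted.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted!r}")
    n = 0
    for o in octets:
        n = (n << 8) | int(o)
    return n

def partial_to_cidr(partial):
    """'224.226.x.x' (or just '224.226') -> '224.226.0.0/16'; an 'x' or '*' octet starts the wildcard."""
    fixed = []
    for p in partial.split("."):
        if p.lower() in ("x", "*", ""):
            break
        fixed.append(p)
    if not 1 <= len(fixed) <= 4:
        raise ValueError(f"bad partial address: {partial!r}")
    return ".".join(fixed + ["0"] * (4 - len(fixed))) + f"/{8 * len(fixed)}"

def cidr_range(cidr):
    """First and last address of a CIDR block as unsigned 32-bit ints."""
    addr, _, bits = cidr.partition("/")
    bits = int(bits) if bits else 32
    if not 0 <= bits <= 32:
        raise ValueError(f"bad prefix length in {cidr!r}")
    mask = (MASK32 << (32 - bits)) & MASK32  # '& MASK32' keeps the shifted mask to 32 bits
    low = ip2long(addr) & mask
    return low, low | (~mask & MASK32)

def in_block(ip, cidr):
    """True if ip falls inside the CIDR block."""
    low, high = cidr_range(cidr)
    return low <= ip2long(ip) <= high

def range_sql(column, cidrs):
    """WHERE clause for one or more blocks against an unsigned int IP column (column name assumed)."""
    return " OR ".join(f"({column} BETWEEN {lo} AND {hi})" for lo, hi in map(cidr_range, cidrs))

def to_signed32(n):
    """The same value as a 32-bit signed int, as a PHP build without unsigned ints would hold it:
    any address at or above 128.0.0.0 becomes negative, so comparisons with unsigned bounds break."""
    return n - (1 << 32) if n & 0x80000000 else n
```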
Current thread:
- Partial IP searching with ACID? Kevin Brown (Aug 13)
- Re: Partial IP searching with ACID? Phil Wood (Aug 13)
- <Possible follow-ups>
- RE: Partial IP searching with ACID? Kevin Brown (Aug 14)
- RE: Partial IP searching with ACID? Kevin Brown (Aug 14)
- RE: Partial IP searching with ACID? roman (Aug 14)