Snort mailing list archives

RE: Partial IP searching with ACID?


From: roman () danyliw com
Date: Tue, 14 Aug 2001 18:15:03 US/Eastern

Hi Kevin and Phil,

Funny you should make this request, Kevin.  I committed
some code yesterday which adds support for
CIDR masks (e.g. 10.6.0.0/16).  Have you been
working with that?

In reference to searching with 2 Class-Bs, that is
also possible:

__ Source = 10.1.0.0/16 __ AND
__ Source = 10.2.0.0/16 __ __


Update and let me know if you are still having 
problems.  The lack of _real_ 32-bit unsigned 
int bitwise ops in PHP made the code messier than 
it should have been.

Roman
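The CIDR search discussed in this thread, as an added example that is not ACID's own code: a PHP function that turns a CIDR string into an unsigned 32-bit [low, high] range using plain arithmetic rather than bitwise operators (which work on signed integers in PHP, the problem Roman mentions), and emits the SQL predicate for a Snort alert table. The function names, the assumption that ip_src/ip_dst are stored as unsigned 32-bit integers, and the sample networks are mine, not ACID's.

```php
<?php
// Added example, not ACID code. Assumes the Snort schema stores
// ip_src/ip_dst as unsigned 32-bit integers (assumption).

// Convert "a.b.c.d/n" into an unsigned [low, high] range returned as
// decimal strings, so the values stay correct even where PHP ints are
// signed 32-bit (addresses >= 128.0.0.0 would otherwise go negative).
function cidr_to_range(string $cidr): array {
    if (!preg_match('#^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})$#', $cidr, $m)) {
        throw new InvalidArgumentException("not a CIDR block: $cidr");
    }
    $octets = array_slice($m, 1, 4);
    $bits   = (int)$m[5];
    foreach ($octets as $o) {
        if ((int)$o > 255) {
            throw new InvalidArgumentException("octet out of range: $cidr");
        }
    }
    if ($bits > 32) {
        throw new InvalidArgumentException("prefix length out of range: $cidr");
    }

    // Build the address with multiplication/addition only: no shifts, no
    // masks, so no dependence on the width or signedness of PHP ints.
    $addr = 0.0;
    foreach ($octets as $o) {
        $addr = $addr * 256 + (int)$o;
    }

    // Block size 2^(32-n) and the aligned range; all values <= 2^32 are
    // exactly representable as doubles, so float math is exact here.
    $blockSize = pow(2, 32 - $bits);
    $low  = floor($addr / $blockSize) * $blockSize;
    $high = $low + $blockSize - 1;

    return [sprintf('%.0f', $low), sprintf('%.0f', $high)];
}

// Emit the predicate for one column and one network.
function cidr_to_sql(string $column, string $cidr): string {
    [$lo, $hi] = cidr_to_range($cidr);
    return sprintf('%s BETWEEN %s AND %s', $column, $lo, $hi);
}

// Sanity check against the range: true when $ip (dotted quad) is inside.
function ip_in_cidr(string $ip, string $cidr): bool {
    [$lo, $hi] = cidr_to_range($cidr);
    [$ipLo] = cidr_to_range($ip . '/32');
    return (float)$ipLo >= (float)$lo && (float)$ipLo <= (float)$hi;
}

// Two separate /16s (constructed sample networks) covered by one WHERE
// clause: each block gets its own BETWEEN, joined with OR.
$where = '(' . cidr_to_sql('ip_src', '10.1.0.0/16') . ') OR ('
       . cidr_to_sql('ip_src', '10.2.0.0/16') . ')';
echo "SELECT * FROM event, iphdr WHERE event.cid = iphdr.cid AND $where\n";

// An address above 2^31, where a signed 32-bit int would go negative;
// the arithmetic path keeps it positive.
echo cidr_to_sql('ip_dst', '129.219.0.0/16'), "\n";
var_dump(ip_in_cidr('129.219.4.7', '129.219.0.0/16'));
var_dump(ip_in_cidr('255.255.255.255', '129.219.0.0/16'));
```

The table and column names in the SELECT are an assumption about the Snort schema; the point of the example is the range computation and the predicate shape, which carries over to whatever columns the deployment uses.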

OK, well then I guess this is a feature request for ACID.  My problem is
that I'm monitoring a total of 2 Class B subnets and it would be useful if I
could do partial IP searching to see what IPs on this campus are doing bad
things (like Code Red infected systems).

-----Original Message-----
From: Phil Wood [mailto:cpw () lanl gov]
Sent: Tuesday, August 14, 2001 09:18
To: Kevin Brown
Cc: roman () danyliw com
Subject: Re: [Snort-users] Partial IP searching with ACID?


Oops, me too.

My version of ACID is v0.9.6b11, and I get the same thing. 
(BACKDOOR Q access, BTW)

On Tue, Aug 14, 2001 at 07:53:18AM -0700, Kevin Brown wrote:
I just tried that looking for 129.219.0.0/16 as the source and got back 15
results.  The problem is, the results were for 255.255.255.255 as the
source.

-----Original Message-----
From: Phil Wood [mailto:cpw () lanl gov]
Sent: Monday, August 13, 2001 15:35
To: Kevin Brown
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Partial IP searching with ACID?


I've used cidr representation with success:

  192.168.114.0/24

As long as I remembered to set the /source/dest/both/ flag 
and '=' option.

On Mon, Aug 13, 2001 at 02:41:50PM -0700, Kevin Brown wrote:
I'm currently running Snort 1.8b7, schema 103 in a Mysql db, Acid .9.6b14
with php 4.0.6.  Is it possible to do searching with just partial IPs? (e.g.
search for 224.226.x.x).  I'm trying to find a list of infected hosts on my
network, but when I just enter a partial IP on the search page I get an
error:

Database ERROR:You have an error in your SQL syntax near ') )' at line 1



END OF LINE...


Begin Geek Code;

$_='while(read+STDIN,$_,2048){$a=29;$b=73;$c=142;$t=255;@t=map
{$_%16or$t^=$c
^=(

$m=(11,10,116,100,11,122,20,100)[$_/16%8])&110;$t^=(72,@z=(64,
72,$a^=12*($_%
16

-2?0:$m&17)),$b^=$_%64?12:0,@z)[$_%8]}(16..271);if((@a=unx"C*"
,$_)[20]&48){$
h

=5;$_=unxb24,join"",@b=map{xB8,unxb8,chr($_^$a[--$h+84])}@ARGV
;s/...$/1$&/;$

d=unxV,xb25,$_;$e=256|(ord$b[4])<<9|ord$b[3];$d=$d>>8^($f=$t&(
$d>>12^$d>>4^

$d^$d/8))<<17,$e=$e>>8^($t&($g=($q=$e>>14&7^$e)^$q*8^$q<<6))<<
9,$_=$t[$_]^

(($h>>=8)+=$f+(~$g&$t))for@a[128..$#a]}print+x"C*",@a}';s/x/pa
ck+/g;eval

-- 
Phil Wood, cpw () lanl gov


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users








