Re: [Sguil-devel] RcvSsnFile () behaviour
From: Bamm V. <ba...@sa...> - 2003-02-19 20:37:05
----- Forwarded message from Bamm Visscher <ba...@sa...> -----

Date: Wed, 19 Feb 2003 14:19:10 -0600
From: Bamm Visscher <ba...@sa...>
To: Jeffrey Lim <jef...@se...>
Subject: Re: [Sguil-devel] RcvSsnFile () behaviour
Reply-To: ba...@sa...
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <200...@se...>; from jef...@se... on Thu, Feb 20, 2003 at 03:34:21AM +0800

I really need to start adding comments to my code now that (other) people are actually looking at it ;)

The idea here was to take the stats that stream4 produces and load them into the database along with a unique ID (xid) and Sensor ID (sid). Stream4 (snort) can provide the xid (we use time in milliseconds) but it has no idea what the sid is. I thought about providing the sid as an argument to stream4, but the sid is generated _after_ BY is run for the first time on a specific sensor, thus we could run into problems as new sensors are added. Since sguild loads the session data, and has access to the DB, I went with the idea to prepend the sensor id to session data prior to sguild loading it into the DB.

Having sguild write to a file first, then create another (tmp) file, probably isn't the most efficient way to accomplish my goal, but I have a habit of doing things the way I know will work first and then making the process more efficient second. I expect these functions will change some in the future.

Here is the bit of code you wanted clarified. I added the comments to the original code too:

    set inFileID [open $DB_OUTFILE r]
    set outFileID [open $DB_OUTFILE.tmp w]
    # Use i to keep track of how many lines we are loading into the database for DEBUG.
    set i 0
    # Load the entire file into memory (read $inFileID), then create a list
    # delimited by \n. Finally loop through each 'line', prepend the sensorID (sid)
    # to it, and append the new line to the tmp file.
    foreach line [split [read $inFileID] \n] {
        if {$line != ""} {puts $outFileID "$sensorID|$line"; incr i}
    }
    close $inFileID
    close $outFileID

Bammkkkk

On Thu, Feb 20, 2003 at 03:34:21AM +0800, Jeffrey Lim wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I've been looking at this function, and it beats me why it does what it does,
> and was hoping somebody could clarify this:
>
> basically, the input session file is read, and then lines are written to a
> tempfile, consisting of lines "$sensorID|i", with 'i' incrementing. Finally,
> this temp file is then loaded to the database.
>
> Given this file format, and the database schema, it would appear that things
> do not fit. Have a look at the sessions (the table to which the tempfile is
> loaded) schema (from scripts/create_sguildb.sql):
>
> CREATE TABLE sessions (
>   sid INT UNSIGNED NOT NULL,
>   xid BIGINT UNSIGNED NOT NULL,
>   start_time datetime NOT NULL,
>   end_time datetime NOT NULL,
>   src_ip INT UNSIGNED NOT NULL,
>   dst_ip INT UNSIGNED NOT NULL,
>   src_port INT UNSIGNED NOT NULL,
>   dst_port INT UNSIGNED NOT NULL,
>   src_pckts BIGINT UNSIGNED NOT NULL,
>   dst_pckts BIGINT UNSIGNED NOT NULL,
>   src_bytes BIGINT UNSIGNED NOT NULL,
>   dst_bytes BIGINT UNSIGNED NOT NULL,
>   PRIMARY KEY (sid,xid),
>   INDEX begin (start_time),
>   INDEX end (end_time),
>   INDEX server (src_ip),
>   INDEX client (dst_ip),
>   INDEX sport (src_port),
>   INDEX cport (dst_port));
>
>
> Incidentally I also seem to have caught a typo error in the line
>   -e \"LOAD DATA LOCAL INFILE '$PS_OUTFILE'.tmp INTO ...
> is '$PS_OUTFILE'.tmp intended?
>
>
>
> still grappling with tcl,
> - -jf
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (GNU/Linux)
>
> iD8DBQE+U9w9THq81lr912QRAu9UAJ9SUjgJ5OfDoDoHFcbT4I+RpCC1UgCfXdVn
> 5to6o83OqyI+rj1MOLMK5o8=
> =C0Ws
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Sguil-devel mailing list
> Sgu...@li...
> https://lists.sourceforge.net/lists/listinfo/sguil-devel

----- End forwarded message -----
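The transformation Bamm describes (split the stream4 output on newlines, skip blank lines, prepend the sensor id, then bulk-load the tmp file) is small enough that the only thing worth adding is the check Jeffrey was reaching for: does each record actually fit the sessions table before it is handed to LOAD DATA? The Python below is an added example, not sguild's code. It assumes stream4 emits one pipe-delimited record per line in the column order of the quoted schema minus the leading sid (that layout is an assumption; the sample records are constructed), rejects records whose field count or integer ranges do not match the schema instead of letting the loader silently truncate or error out, and builds the LOAD DATA statement with the whole tmp file name inside the quotes, which is the point of Jeffrey's `'$PS_OUTFILE'.tmp` question.

```python
# Added example (not sguild's own code): tag stream4 session records with a
# sensor id before a bulk load, validating each record against the sessions
# table quoted in the thread. Record layout is an assumption: the schema's
# columns in order, without the leading sid.

SESSIONS_COLUMNS = (
    "sid", "xid", "start_time", "end_time", "src_ip", "dst_ip",
    "src_port", "dst_port", "src_pckts", "dst_pckts", "src_bytes", "dst_bytes",
)
# Fields stream4 is assumed to supply: everything except the sensor id.
RECORD_FIELDS = len(SESSIONS_COLUMNS) - 1
DATETIME_COLUMNS = ("start_time", "end_time")
PORT_COLUMNS = ("src_port", "dst_port")


def check_record(fields):
    """Return None if the record fits the schema, otherwise a reason string."""
    if len(fields) != RECORD_FIELDS:
        return "expected %d fields, got %d" % (RECORD_FIELDS, len(fields))
    # Every non-datetime column is an unsigned integer in the schema.
    for name, value in zip(SESSIONS_COLUMNS[1:], fields):
        if name in DATETIME_COLUMNS:
            continue  # left to the database's datetime parser
        if not value.isdigit():
            return "%s is not an unsigned integer: %r" % (name, value)
    # INT UNSIGNED would accept 70000, but no TCP/UDP port is above 65535.
    for name in PORT_COLUMNS:
        if int(fields[SESSIONS_COLUMNS.index(name) - 1]) > 65535:
            return "%s out of range" % name
    return None


def tag_records(text, sensor_id):
    """Mirror the Tcl loop: split on \\n, skip blank lines, prepend the sid.

    Returns (accepted_lines, rejected) where rejected is a list of
    (original_line, reason) so bad records can be logged rather than loaded.
    """
    accepted, rejected = [], []
    for line in text.split("\n"):
        if line == "":
            continue
        fields = line.split("|")
        reason = check_record(fields)
        if reason is None:
            accepted.append("%d|%s" % (sensor_id, line))
        else:
            rejected.append((line, reason))
    return accepted, rejected


def load_statement(tmp_path, table="sessions"):
    """Build the LOAD DATA statement with the full tmp file name quoted.

    tmp_path is a server-side configured path (DB_OUTFILE.tmp in the thread),
    not client-supplied input, so plain substitution is acceptable here.
    """
    return ("LOAD DATA LOCAL INFILE '%s' INTO TABLE %s FIELDS TERMINATED BY '|'"
            % (tmp_path, table))


# Constructed sample input: two good records, one short a couple of fields,
# one with an impossible source port. IPs are 192.168.1.x as unsigned ints.
SAMPLE = (
    "1045685950123|2003-02-19 14:19:10|2003-02-19 14:19:12|3232235777|3232235778|33456|80|5|4|612|1480\n"
    "1045685951456|2003-02-19 14:19:11|2003-02-19 14:19:15|3232235777|3232235779|33457|22|10|9|900|1200\n"
    "1045685952789|2003-02-19 14:19:12|2003-02-19 14:19:13|3232235777|3232235780|33458|443|2|2\n"
    "1045685953000|2003-02-19 14:19:13|2003-02-19 14:19:14|3232235777|3232235781|70000|53|1|1|60|120\n"
    "\n"
)

if __name__ == "__main__":
    ok, bad = tag_records(SAMPLE, sensor_id=3)
    print("loading %d lines into the database" % len(ok))
    for line in ok:
        print(line)
    for line, reason in bad:
        print("rejected (%s): %s" % (reason, line))
    print(load_statement("/var/log/sguild/sessions.tmp"))
```

Keeping the rejected records (and their reasons) rather than dropping them matters for a monitoring database: a session that never made it into the table is a gap in the record, and the loader is the only place that knows it happened.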