Re: [Sguil-devel] RcvSsnFile () behaviour
Status: Beta
Brought to you by:
bamm
Menu
▾
▴
Re: [Sguil-devel] RcvSsnFile () behaviour
|
From: Bamm V. <ba...@sa...> - 2003-02-19 20:37:05
|
----- Forwarded message from Bamm Visscher <ba...@sa...> -----
Date: Wed, 19 Feb 2003 14:19:10 -0600
From: Bamm Visscher <ba...@sa...>
To: Jeffrey Lim <jef...@se...>
Subject: Re: [Sguil-devel] RcvSsnFile () behaviour
Reply-To: ba...@sa...
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <200...@se...>; from jef...@se... on Thu, Feb 20, 2003 at 03:34:21AM +0800
I really need to start adding comments to my code now that (other) people are actually looking at it ;)
The idea here was to take the stats that stream4 produces and load them into the database along with a unique ID (xid) and Sensor ID (sid). Stream4 (snort) can provide the xid (we use time in milliseconds) but it has no idea what the sid is. I thought about providing the sid as an argument to stream4, but the sid is generated _after_ BY is ran for the first time on a specific sensor, thus we could run into problems as new sensors are added. Since sguild loads the session data, and has access to the DB I went with the idea to prepend the sensor id to session data prior to sguild loading it into the DB. Having sguild write to a file first, then create another (tmp) file, probably isn't the most efficient way to accomplish my goal, but I have a habit of doing things the way I know it will work first and then making the process more efficient second. I expect these functions will change some in the future.
Here is the bit of code you wanted clarified. I added the comments to the original code too.:
set inFileID [open $DB_OUTFILE r]
set outFileID [open $DB_OUTFILE.tmp w]
# Use i to keep track of how many lines we are loading into the database for DEBUG.
set i 0
# Load the entire file into memory (read $inFileID), then create a list
# delimited by \n. Finally loop through each 'line', prepend the sensorID (sid)
# to it, and append the new line to the tmp file.
foreach line [split [read $inFileID] \n] {
if {$line != ""} {puts $outFileID "$sensorID|$line"; incr i}
}
close $inFileID
close $outFileID
Bammkkkk
On Thu, Feb 20, 2003 at 03:34:21AM +0800, Jeffrey Lim wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I've been looking at this function, and it beats me why it does what it does,
> and was hoping somebody could clarify this:
>
> basically, the input session file is read, and then lines are written to a
> tempfile, consisting of lines "$sensorID|i", with 'i' incrementing. Finally,
> this temp file is then loaded to the database.
>
> Given this file format, and the database schema, it would appear that things
> do not fit. Have a look at the sessions (the table to which the tempfile is
> loaded to) schema (from scripts/create_sguildb.sql)
>
> CREATE TABLE sessions (
> sid INT UNSIGNED NOT NULL,
> xid BIGINT UNSIGNED NOT NULL,
> start_time datetime NOT NULL,
> end_time datetime NOT NULL,
> src_ip INT UNSIGNED NOT NULL,
> dst_ip INT UNSIGNED NOT NULL,
> src_port INT UNSIGNED NOT NULL,
> dst_port INT UNSIGNED NOT NULL,
> src_pckts BIGINT UNSIGNED NOT NULL,
> dst_pckts BIGINT UNSIGNED NOT NULL,
> src_bytes BIGINT UNSIGNED NOT NULL,
> dst_bytes BIGINT UNSIGNED NOT NULL,
> PRIMARY KEY (sid,xid),
> INDEX begin (start_time),
> INDEX end (end_time),
> INDEX server (src_ip),
> INDEX client (dst_ip),
> INDEX sport (src_port),
> INDEX cport (dst_port));
>
>
> Incidentally i also seem to have caught a typo error in the line
> -e \"LOAD DATA LOCAL INFILE '$PS_OUTFILE'.tmp INTO ...
> is '$PS_OUTFILE'.tmp intended?
>
>
>
> still grappling with tcl,
> - -jf
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (GNU/Linux)
>
> iD8DBQE+U9w9THq81lr912QRAu9UAJ9SUjgJ5OfDoDoHFcbT4I+RpCC1UgCfXdVn
> 5to6o83OqyI+rj1MOLMK5o8=
> =C0Ws
> -----END PGP SIGNATURE-----
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: SlickEdit Inc. Develop an edge.
> The most comprehensive and flexible code editor you can use.
> Code faster. C/C++, C#, Java, HTML, XML, many more. FREE 30-Day Trial.
> www.slickedit.com/sourceforge
> _______________________________________________
> Sguil-devel mailing list
> Sgu...@li...
> https://lists.sourceforge.net/lists/listinfo/sguil-devel
----- End forwarded message -----
|