參數說明

參數	說明
$dst_IP	被攻擊的IP
$src_IP	攻擊來源IP
$alert_name	警訊名稱
$sid	snort警訊編號
$priority	攻擊等級: 1~3 (強~弱)
$class	攻擊分類名稱
$src_port	來源port
$dst_port	被攻擊的port
$type	封包型態

實驗一

• detail

• select * from flex

98 row(s) in set. (0.30 sec)

• 格式：

$dst_IP

Column Family : Column Qulify	cell value
direction:dstport	$dst_port
direction:soure	$src_IP
direction:srcport	$src_port
id:gid	$generation_id
id:priority	$priority
id:sid	$sid
id:version	$version
name:class	$class
name:name	$alert_name
payload:type	$type

• 範例：

  Row	Column	Cell
  105.175.203.246	direction:dstport	0
  105.175.203.246	direction:soure	168.150.177.165
  105.175.203.246	direction:srcport	0
  105.175.203.246	id:gid	1
  105.175.203.246	id:priority	3
  105.175.203.246	id:sid	402
  105.175.203.246	id:version	7
  105.175.203.246	name:class	Misc activity
  105.175.203.246	name:name	ICMP Destination Unreachable Port Unreachable
  105.175.203.246	payload:type	ICMP

實驗二

• detail

• 目的：

矯正不同攻擊在同一個目標ip只能紀錄最後一筆的問題

• select * from NewSnort

128 row(s) in set. (0.29 sec)

• 格式：

$dst_IP : $sid

Column Family : Column Qulify	cell value
name:$alert_name	priority= $priority ; class= $class
from:$source	$src_IP : $src_port => $dst_IP : $dst_port
payload:$type	$type

• 範例：

  Row	Column	Cell
  105.175.203.246<=402	from:168.150.177.165	168.150.177.165:0 => 105.175.203.246:0
  105.175.203.246<=402	name:ICMP Destination Unreachable Port Unreachable	priority=3class=Misc activity
  105.175.203.246<=402	payload:ICMP	ICMP

實驗三

• detail

select * from !NewTable1;

98 row(s) in set. (0.46 sec)

• 目的：

解決實驗二之 多個來源用不同攻擊方法攻同一目標ip 卻無（source v.s. attack）對應問題

• 格式：

$dst_IP

Column Family : Column Qulify	cell value
SourceSid:$source ( $sid )	name = $alert_name; priority= $priority ; class= $class ;port= $dst_port ;type= $type

• 範例：

Row	Column	Cell
105.175.203.246	SourceSID:168.150.177.165(402)	name=ICMP Destination Unreachable Port Unreachable ;priority=3;class=Misc activity;dst_port=0;type=ICMP