following issue : trying to use sqlite filter #209 #215
Comments
|
With a list so small this sounds like an overkill job for a DB when it can be done much faster from memory. |
|
we are attempting to use an SQLite filter to capture incoming IP addresses in the index and then add a name to each IP address from the database. the DB needs to be updated frequently if new name for the ips. do we need to use the same method as we try here with ports? |
|
@Alisher-Nabiev this sounds like a different topic. If the protocol matching works and this is a second chapter please open a dedicated issue to avoid confusion. Perhaps you should simply use reverse DNS for this task. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hello,
I'm trying to use sqlite to add the service name according to the Destination port.
the problem is that it looks like the system takes the port number from the first packet and don't update it.
in this example from the log, even though ports are changing all the time the port remains 443
pastash config:
sqlite {
db => '/home/******/userdata_qa.db'
query => 'SELECT service_name from port_list WHERE port_number=(?) limit 1;'
source_field => 'l4_dst_port'
target_field => 'service'
}
sqlite config
sqlite> PRAGMA table_info(port_list);
0|id|INTEGER|0||1
1|port_number|long|0||0
2|service|TEXT|1||0
sqlite> SELECT * from port_list;
1|80|http
2|53|dns
3|123|ntp
4|80|http
5|443|https
6|1194|ovpn
7|8883|mqtt
The text was updated successfully, but these errors were encountered: