Hey guys, I have two data sources which aren't sending out IP addresses the "conventional way"; one of them is the Checkpoint.
The Checkpoint sends out an address such as "177958687". The ESM is able to convert this into a regular IPv4 address. I am wondering what the original format is that CheckPoint is sending this information in? I'd like to take an address like this and be able to convert it outside the ESM; for that I need to know what format it is sending in.
The second data source is Netscaler; the Netscaler is sending me an IP address in hexadecimal. Is the ESM able to convert hexa to a regular IP address? If I put a hexa value in an IP Address field, would it know how to convert it as such?
IPv4 addresses can be expressed as an (un)signed 32-bit integer.
IP addresses are stored as integers in the database rather than strings because of size efficiency. The C reference for these functions can be found here:
https://www.freebsd.org/cgi/man.cgi?query=inet_aton
inet_aton = address to number
inet_ntoa = number to address
Similarly, 32-bit integers can be represented as 8 hexadecimal characters. (0xFFFFFFFF -> 255.255.255.255)
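As an added example (not code from the thread or from the ESM product), here is the conversion in both directions using Python's `ipaddress` module: the 32-bit integer to dotted-quad direction (what `inet_ntoa` does) for the Check Point decimal form quoted in the question, the same for a NetScaler-style hex string, and the `inet_aton` direction back. The hex sample value is constructed, and the signed and little-endian handling covers exporters that emit the integer that way.

```python
import ipaddress
import re
from typing import Optional

# Constructed samples: the decimal value quoted in the question for Check Point,
# and a hex string of the kind NetScaler emits (made up here, same address).
CHECKPOINT_SAMPLE = "177958687"
NETSCALER_SAMPLE = "0x0A9B6F1F"


def int_to_ipv4(value: int, byte_order: str = "big") -> str:
    """Render a 32-bit integer as dotted-quad, like inet_ntoa().

    Negative input is treated as a signed 32-bit integer (some exporters emit
    addresses above 127.255.255.255 as negatives). byte_order="little" covers
    a sender that wrote the host-order integer without ntohl(); on such a feed
    the octets come out reversed with the default "big".
    """
    if not -2**31 <= value <= 2**32 - 1:
        raise ValueError(f"not a 32-bit value: {value}")
    value &= 0xFFFFFFFF                       # two's complement -> unsigned
    packed = value.to_bytes(4, byte_order)    # recover the four octets as sent
    return str(ipaddress.IPv4Address(packed))  # accepts 4 packed bytes


def parse_ip_field(text: str, base: Optional[int] = None) -> str:
    """Decode an exported IP field (decimal or hex text) to dotted-quad.

    base=10 or base=16 forces the interpretation. With base=None the value is
    taken as hex if it has a 0x prefix or contains a-f, otherwise as decimal.
    A bare all-digit string such as "10000000" is ambiguous, so pass base
    explicitly when the source (e.g. NetScaler) is known to emit hex.
    """
    s = text.strip()
    if base is None:
        is_hex = s.lower().startswith("0x") or re.search(r"[a-f]", s, re.I)
        base = 16 if is_hex else 10
    return int_to_ipv4(int(s, base))


def ipv4_to_int(addr: str) -> int:
    """Dotted-quad to unsigned 32-bit integer, like inet_aton()."""
    return int(ipaddress.IPv4Address(addr))


if __name__ == "__main__":
    print(CHECKPOINT_SAMPLE, "->", parse_ip_field(CHECKPOINT_SAMPLE))
    print(NETSCALER_SAMPLE, "->", parse_ip_field(NETSCALER_SAMPLE, base=16))
    print("10.155.111.31 ->", ipv4_to_int("10.155.111.31"))
```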
Is there any built-in method of converting hexadecimal to an IP address? Or must I convert it outside the ESM system and then import it back in?
@brenta
Good question, I'm not sure if the parsers have specific functions to do these conversions. I'd assume you can just map them to an IP address field (after they have been parsed) and the SIEM should just take care of it.
I took a look at the built in NetScaler parsers, and I do not see anything special done to capture and map the data. If you have a sample log entry, I might be able to give a more definite answer.