Cisco Firepower Management Center 4000 Developer Guide

FireSIGHT System Database Access Guide, page 2-14
Chapter 2      Setting Up Database Access
  Querying the Database
IPv6 Addresses
The Cisco database stores IPv6 addresses in binary format. For results in hex notation, use the HEX() function. To query the database on a specific IPv6 address, use the UNHEX() function.
For example, the following statement queries the connection_log table, which contains information on monitored sessions, constraining the query by a specific IPv6 address:
SELECT HEX(initiator_ip), HEX(responder_ip), packets_sent, bytes_sent
FROM connection_log
WHERE initiator_ip = UNHEX('20010db8000000000000000000004321');
IPv4 Addresses
The Cisco database stores IPv4 addresses in binary format within the same fields as IPv6 addresses. As with IPv6 addresses, use the HEX() function for hex notation. The database follows the RFC (the IPv4-mapped IPv6 address form, ::ffff:a.b.c.d) by filling in bits 80-95 with 1s, which yields a value that is not a valid native IPv6 address. For example, the IPv4 address 10.5.15.1 would be stored as 00000000000000000000FFFF0A050F01.
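The two address sections above both come down to one conversion: a printable address must become the 32-hex-digit value that UNHEX() expects, and a HEX() result must be read back the other way, with IPv4 addresses recognised by the FFFF in bits 80-95. The following helper is an added example, not code from the guide; it uses Python's standard ipaddress module and assumes only the column and table names shown in the connection_log query. Because the WHERE literal is generated from a parsed address, it can never contain anything but hex digits, so an address taken from a user or a ticket cannot alter the SQL text.

```python
import ipaddress

# Added example (not from the guide): converting between printable IP addresses
# and the 32-hex-digit form the FireSIGHT database exposes through HEX()/UNHEX().


def to_db_hex(address: str) -> str:
    """Return the 32 uppercase hex digits UNHEX() expects for an IPv4 or IPv6
    address. IPv4 addresses become IPv4-mapped IPv6 addresses (::ffff:a.b.c.d),
    i.e. bits 80-95 set to 1, which is the storage form the guide describes."""
    ip = ipaddress.ip_address(address)          # raises ValueError on junk input
    if isinstance(ip, ipaddress.IPv4Address):
        ip = ipaddress.IPv6Address(f"::ffff:{ip}")
    return ip.packed.hex().upper()


def from_db_hex(hex_digits: str) -> str:
    """Decode a HEX() result back to a printable address, collapsing
    IPv4-mapped values to dotted-quad form."""
    raw = bytes.fromhex(hex_digits)
    if len(raw) != 16:
        raise ValueError("expected 16 bytes (32 hex digits)")
    ip = ipaddress.IPv6Address(raw)
    mapped = ip.ipv4_mapped                     # None unless bits 80-95 are FFFF
    return str(mapped) if mapped is not None else str(ip)


def connection_query(address: str) -> str:
    """Build the guide's connection_log lookup for the given address. The
    literal passed to UNHEX() comes from to_db_hex(), so it contains hex
    digits only; untrusted input never reaches the SQL text unparsed."""
    return (
        "SELECT HEX(initiator_ip), HEX(responder_ip), packets_sent, bytes_sent\n"
        "FROM connection_log\n"
        f"WHERE initiator_ip = UNHEX('{to_db_hex(address)}');"
    )


if __name__ == "__main__":
    for a in ("2001:db8::4321", "10.5.15.1"):
        h = to_db_hex(a)
        print(f"{a:>16} -> {h} -> {from_db_hex(h)}")
    print(connection_query("10.5.15.1"))
```

Running the script prints the round trip for the guide's two sample addresses (2001:db8::4321 and 10.5.15.1, the latter coming back as 00000000000000000000FFFF0A050F01) and the generated connection_log query.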
MAC Addresses
The Cisco database stores MAC addresses in binary format. For results in hex notation, use the HEX() function.
For example, the following statement queries the rna_host_mac_map table, which contains information on hosts with MAC addresses that are not identified with an IP address, limiting the query to the first five hosts:
SELECT HEX(host_id), HEX(mac_address)
FROM rna_host_mac_map
LIMIT 5;
Packet Data
The Cisco database stores packet data for intrusion events in binary format. For results in hex notation, use the HEX() function.
For example, the following statement queries the intrusion_event_packet table to obtain packet data for a particular event:
SELECT HEX(packet_data)
FROM intrusion_event_packet
WHERE event_id = 1234;
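HEX() hands back the raw bytes of both the MAC address and the packet as hex digits, which is rarely the form an analyst wants. The block below is an added example, not code from the guide: it formats a HEX(mac_address) value in colon notation and parses the Ethernet, IPv4 and TCP port fields at the front of a HEX(packet_data) value, refusing data that is too short for the headers it claims. The sample packet is constructed in the script with struct (its addresses and ports are made up) so the example runs without database access.

```python
import struct

# Added example (not from the guide): decoding HEX() output for the
# rna_host_mac_map.mac_address and intrusion_event_packet.packet_data columns.


def format_mac(hex_digits: str) -> str:
    """Turn the 12 hex digits HEX(mac_address) returns into colon notation."""
    if len(hex_digits) != 12:
        raise ValueError("a MAC address is 6 bytes (12 hex digits)")
    return ":".join(hex_digits[i:i + 2].lower() for i in range(0, 12, 2))


def decode_packet(hex_digits: str) -> dict:
    """Parse the Ethernet and IPv4 headers at the start of a HEX(packet_data)
    value and, for TCP, the port pair. Raises ValueError when the data is too
    short for a header it claims to carry, rather than returning partial fields."""
    raw = bytes.fromhex(hex_digits)
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = raw[:6], raw[6:12]
    ethertype = struct.unpack("!H", raw[12:14])[0]
    info = {"dst_mac": format_mac(dst.hex()), "src_mac": format_mac(src.hex()),
            "ethertype": ethertype}
    if ethertype != 0x0800:                      # only IPv4 is decoded here
        return info
    if len(raw) < 34:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum = struct.unpack(
        "!BBHHHBBH", raw[14:26])
    ihl = (ver_ihl & 0x0F) * 4                   # header length in bytes
    info.update({"ip_version": ver_ihl >> 4, "header_len": ihl,
                 "total_len": total_len, "ttl": ttl, "protocol": proto,
                 "src_ip": ".".join(str(b) for b in raw[26:30]),
                 "dst_ip": ".".join(str(b) for b in raw[30:34])})
    if proto == 6 and len(raw) >= 14 + ihl + 4:  # TCP: read the port pair
        sport, dport = struct.unpack("!HH", raw[14 + ihl:14 + ihl + 4])
        info.update({"src_port": sport, "dst_port": dport})
    return info


# Constructed sample: Ethernet + IPv4 + TCP SYN, 54 bytes, as HEX() would return it.
SAMPLE_PACKET_HEX = (
    bytes.fromhex("001122334455" "66778899aabb" "0800")
    + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0x4000, 64, 6, 0,
                  bytes([10, 5, 15, 1]), bytes([192, 0, 2, 10]))
    + struct.pack("!HHIIHHHH", 49152, 80, 1, 0, 0x5002, 65535, 0, 0)
).hex().upper()

if __name__ == "__main__":
    print(format_mac("001122334455"))
    for key, value in decode_packet(SAMPLE_PACKET_HEX).items():
        print(f"{key:>11}: {value}")
```

The same decode_packet() call works on the value returned by the guide's intrusion_event_packet query once the HEX(packet_data) column is read from the result row; packets that are not IPv4 come back with only the Ethernet fields filled in.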
UNIX Timestamps
The Cisco database stores most timestamps as UNIX timestamps, which represent the number of seconds elapsed since 00:00:00 January 1st, 1970 (UTC). For results in your local time, use the FROM_UNIXTIME() function.
For example, the following statement queries the audit_log table, which keeps a record of all user actions on the web interface of an appliance, and returns up to 25 results:
SELECT FROM_UNIXTIME(action_time_sec), user, message 
FROM audit_log