Cisco Firepower Management Center 2000 Developer Guide
2-14
FireSIGHT System Database Access Guide
Chapter 2 Setting Up Database Access
Querying the Database
IPv6 Addresses
The Cisco database stores IPv6 addresses in binary format. For results in hex notation, use the HEX() function. To query the database on a specific IPv6 address, use the UNHEX() function.
For example, the following statement queries the connection_log table, which contains information on monitored sessions, constraining the query by a specific IPv6 address:
SELECT HEX(initiator_ip), HEX(responder_ip), packets_sent, bytes_sent
FROM connection_log
WHERE initiator_ip = UNHEX('20010db8000000000000000000004321');
IPv4 Addresses
The Cisco database stores IPv4 addresses in binary format within the same fields as IPv6 addresses. As with IPv6 addresses, use the HEX() function for hex notation. The database follows the RFC by filling in bits 80-95 with 1s, which yields an invalid IPv6 address. For example, the IPv4 address 10.5.15.1 would be stored as 00000000000000000000FFFF0A050F01.
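The encoding described in the IPv6 and IPv4 sections above can be reproduced outside the database. The following helper is an added example, not code from the guide or from Cisco; it converts either address family into the 32-hex-digit form that UNHEX() expects (IPv4 in the bits-80-95-set form), decodes HEX() output back to a printable address, and builds the connection_log query with the value bound as a parameter. The connection_log query text is taken from the guide; the function names are my own.

```python
import ipaddress

# Ten zero bytes followed by 0xFFFF: the prefix the database uses for IPv4 (bits 80-95 set).
IPV4_PREFIX = b"\x00" * 10 + b"\xff\xff"


def ip_to_db_hex(addr: str) -> str:
    """Return the 32-hex-digit string to pass to UNHEX() for an IPv4 or IPv6 address."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    if ip.version == 4:
        raw = IPV4_PREFIX + ip.packed  # 12 prefix bytes + 4 IPv4 bytes = 16 bytes
    else:
        raw = ip.packed  # already 16 bytes
    return raw.hex().upper()


def db_hex_to_ip(hex_str: str) -> str:
    """Decode the output of HEX() on an address column back to a printable address."""
    raw = bytes.fromhex(hex_str)
    if len(raw) != 16:
        raise ValueError("expected 16 address bytes, got %d" % len(raw))
    if raw[:12] == IPV4_PREFIX:
        # Stored IPv4: the last four bytes are the original IPv4 address.
        return str(ipaddress.IPv4Address(raw[12:]))
    return str(ipaddress.IPv6Address(raw))


def connection_log_query(addr: str):
    """Build the guide's connection_log query for one initiator address.

    Returns (sql, params) in DB-API style so the hex value is bound, not
    pasted into the statement text.
    """
    sql = (
        "SELECT HEX(initiator_ip), HEX(responder_ip), packets_sent, bytes_sent "
        "FROM connection_log "
        "WHERE initiator_ip = UNHEX(%s);"
    )
    return sql, (ip_to_db_hex(addr),)


if __name__ == "__main__":
    # Constructed sample values; 10.5.15.1 is the address the guide uses.
    for sample in ("10.5.15.1", "2001:db8::4321"):
        encoded = ip_to_db_hex(sample)
        print(sample, "->", encoded, "->", db_hex_to_ip(encoded))
```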
MAC Addresses
The Cisco database stores MAC addresses in binary format. For results in hex notation, use the HEX() function.
For example, the following statement queries the rna_host_mac_map table, which contains information on hosts with MAC addresses that are not identified with an IP address, limiting the query to the first five hosts:
SELECT HEX(host_id), HEX(mac_address)
FROM rna_host_mac_map
LIMIT 5;
Packet Data
The Cisco database stores packet data for intrusion events in binary format. For results in hex notation, use the HEX() function.
For example, the following statement queries the intrusion_event_packet table to obtain packet data for a particular event:
SELECT HEX(packet_data)
FROM intrusion_event_packet
WHERE event_id = 1234;
UNIX Timestamps
The Cisco database stores most timestamps as UNIX timestamps, which represent the number of seconds elapsed since 00:00:00 January 1st, 1970 (UTC). For results in your local time, use the FROM_UNIXTIME() function.
For example, the following statement queries the audit_log table, which keeps a record of all user actions on the web interface of an appliance, and returns up to 25 results:
SELECT FROM_UNIXTIME(action_time_sec), user, message
FROM audit_log
LIMIT 25;