[Rtir] Ip address lookup

Gorazd Bozic gorazd.bozic at arnes.si
Tue Nov 11 02:29:55 EST 2003


Greg Kuhnert wrote:

> RTIR does a great job in handling incidents for static IP allocations,
> but what about dynamically address allocation.
> 
> Imagine a new table that RTIR could query, that had stored in it IP
> address, start, stop, owner .... (created from a radius server, or
> whatever)

You could make a custom script that would do that, I guess. Your suggestion:

> Better still, if RTIR is able to parse an IP address, why not a time
> reference? The ability to search this data would be invaluable.
> 
> Then: Some additional logic when a new ticket is created
> 
> For each IP address in the incident report
> 	For each time reference in the incident report
> 		Scan the dynamic table
> 		if a match is found
> 			Add a new entry to result set

will cause some problems. Imagine you receive a scan report with 300
lines. That's 301 IP addresses (1 source and 300 destinations) and 300
timestamps, all together 301*300 combinations. Now if one single query
takes *only* 1 second (probably much more if you have a large
database/log of dynamic allocations), this amounts to 90,300 seconds,
which is more than one day (86,400 sec) for processing...

The script could be improved so that it would only take the nearest
timestamp and have a table of address space which you own and is part of
your dynamic allocation pool so it would ignore all other IPs.

Regards,
Gorazd

-- 
Gorazd Bozic <gorazd.bozic at arnes.si>
ARNES SI-CERT, Jamova 39 p.p. 7, SI-1001 Ljubljana, Slovenia
tel: +386 1 479 88 22, fax: +386 1 479 88 99
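One way to implement the two improvements suggested in the reply (ignore addresses outside your own dynamic pool, and resolve each IP/timestamp pair with a single indexed lookup instead of scanning the whole lease table for every combination). This is an added example, not RTIR code or anything posted in the thread; the lease table, pool and report lines are constructed sample data, and the (ip, start, stop, owner) layout is assumed from the post.

```python
import bisect
import ipaddress
from datetime import datetime

# Constructed sample lease table, as a RADIUS accounting export might provide it:
# (ip, start, stop, owner). A stop of None means the session is still active.
# Timestamps are assumed to already be in one timezone (UTC).
LEASES = [
    ("10.0.1.5", "2003-11-10T08:00:00", "2003-11-10T12:00:00", "user-a"),
    ("10.0.1.5", "2003-11-10T12:30:00", "2003-11-10T23:59:59", "user-b"),
    ("10.0.1.9", "2003-11-10T09:15:00", None, "user-c"),
]
# Address space you own and allocate dynamically; anything else is ignored up front.
DYNAMIC_POOLS = [ipaddress.ip_network("10.0.1.0/24")]

def _ts(s):
    return datetime.fromisoformat(s)

def build_index(leases):
    """Group leases per IP and sort by start time, so a lookup is a bisect, not a table scan."""
    index = {}
    for ip, start, stop, owner in leases:
        index.setdefault(ip, []).append((_ts(start), _ts(stop) if stop else None, owner))
    for ip in index:
        index[ip].sort(key=lambda lease: lease[0])
    starts = {ip: [lease[0] for lease in entries] for ip, entries in index.items()}
    return index, starts

def in_dynamic_pool(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DYNAMIC_POOLS)

def lookup(index, starts, ip, when):
    """Owner of `ip` at time `when`, or None if outside our pool or no lease covers it."""
    if not in_dynamic_pool(ip) or ip not in index:
        return None
    t = _ts(when)
    pos = bisect.bisect_right(starts[ip], t) - 1   # last lease that started at or before t
    if pos < 0:
        return None
    start, stop, owner = index[ip][pos]
    if stop is None or t <= stop:
        return owner
    return None   # t falls in a gap between two leases for this address

def resolve_report(index, starts, report_lines):
    """One indexed lookup per (ip, timestamp) line of the report, not one scan per combination."""
    return [(ip, when, lookup(index, starts, ip, when)) for ip, when in report_lines]
```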