Closed yaniv999 closed 2 weeks ago
With a list so small this sounds like an overkill job for a DB when it can be done much faster from memory. Try this plugin out: https://github.com/sipcapture/paStash/tree/next/plugins/filters/ip_proto
We are attempting to use an SQLite filter to capture incoming IP addresses in the index and then add a name to each IP address from the database.
The DB needs to be updated frequently if there are new names for the IPs.
Do we need to use the same method as we try here with ports?
@yaniv999
@Alisher-Nabiev this sounds like a different topic. If the protocol matching works and this is a second chapter please open a dedicated issue to avoid confusion. Perhaps you should simply use reverse DNS for this task.
Hello,
I'm trying to use sqlite to add the service name according to the destination port. The problem is that it looks like the system takes the port number from the first packet and doesn't update it.
In this example from the log, even though the ports are changing all the time, the port remains 443.
pastash config:
```
sqlite {
  db => '/home/**/userdata_qa.db'
  query => 'SELECT service_name from port_list WHERE port_number=(?) limit 1;'
  source_field => 'l4_dst_port'
  target_field => 'service'
}
```
sqlite config
```
sqlite> PRAGMA table_info(port_list);
0|id|INTEGER|0||1
1|port_number|long|0||0
2|service|TEXT|1||0

sqlite> SELECT * from port_list;
1|80|http
2|53|dns
3|123|ntp
4|80|http
5|443|https
6|1194|ovpn
7|8883|mqtt
```
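The in-memory lookup suggested in the thread, sketched as an added example that is not paStash or plugin code and not part of any post above. The function names `buildPortTable` and `enrich` are hypothetical; the rows are copied from the `port_list` dump, using the `service` column as listed by `PRAGMA table_info`, and the events are constructed.

```javascript
// Added example, not paStash code. Rows copied from the port_list dump in the issue.
const PORT_ROWS = [
  { id: 1, port_number: 80, service: 'http' },
  { id: 2, port_number: 53, service: 'dns' },
  { id: 3, port_number: 123, service: 'ntp' },
  { id: 4, port_number: 80, service: 'http' },
  { id: 5, port_number: 443, service: 'https' },
  { id: 6, port_number: 1194, service: 'ovpn' },
  { id: 7, port_number: 8883, service: 'mqtt' },
];

// Build the lookup once, and again whenever the table is updated.
// The first row seen for a port is kept, so the duplicate port 80 yields one entry.
function buildPortTable(rows) {
  const table = new Map();
  for (const row of rows) {
    const port = Number(row.port_number);
    if (Number.isInteger(port) && port >= 0 && port <= 65535 && !table.has(port)) {
      table.set(port, row.service);
    }
  }
  return table;
}

// Resolve the service from this event's own port value, never from an earlier event.
// The target field is cleared first so an unknown port cannot keep a stale name.
function enrich(event, table, sourceField = 'l4_dst_port', targetField = 'service') {
  const out = { ...event };
  delete out[targetField];
  const raw = event[sourceField];
  // The port may arrive as a number or as a numeric string.
  const port = typeof raw === 'string' && raw.trim() !== '' ? Number(raw) : raw;
  if (Number.isInteger(port) && table.has(port)) {
    out[targetField] = table.get(port);
  }
  return out;
}

// Constructed sample events with changing destination ports.
const table = buildPortTable(PORT_ROWS);
const events = [{ l4_dst_port: 443 }, { l4_dst_port: '53' }, { l4_dst_port: 8883 }, { l4_dst_port: 40000 }];
for (const e of events) console.log(JSON.stringify(enrich(e, table)));
```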