gamelinux / prads

Passive Real-time Asset Detection System

Home Page:http://gamelinux.github.com/prads/


-L option outputs using incorrect formatting

dougburks opened this issue · comments

I'm trying to use PRADS as a replacement for sancp in my Security Onion distro. I'm using 0.3.1-rc1 from github and am running as follows:

prads -i eth0 -c $conf -u sguil -g sguil -L /nsm/sensor_data/$SENSOR/sancp/ -f /nsm/sensor_data/$SENSOR/pads.fifo -b 'ip or (vlan and ip)'

The -L option is supposed to create output that is compatible with Sguil's sancp_agent, but it looks like PRADS isn't outputting the correct format that sancp_agent is expecting.

For example, here's output from SANCP that gets processed correctly by sancp_agent:

5791721969401954318|2012-09-24 12:39:14|2012-09-24 12:41:18|124|6|3232292534|54422|3088986000|80|26|10416|19|2835|27|27

Looking at PRADS output, it appears to be giving the human-readable IP address instead of the int version as shown above that sancp_agent is expecting.

Any help would be appreciated!

Thanks,
Doug
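The sancp record layout quoted in the report above, as an added example (my own code, not part of PRADS or of this thread): the two IP fields are the IPv4 address as a 32-bit integer in host byte order, i.e. ntohl() of the in_addr, which is what sancp_agent expects and what PRADS's -L output was replacing with the inet_ntop() text form. The struct field names are my assumption from the order of values in the sample line, not names used by PRADS or sancp; the parser rejects a line carrying dotted addresses, which is a quick way to check a log before pointing sancp_agent at it.

```c
#include <stdio.h>
#include <stdint.h>
#include <inttypes.h>
#include <string.h>
#include <arpa/inet.h>

/* The sancp line quoted in the issue (copied from the report, not constructed). */
static const char SANCP_SAMPLE[] =
    "5791721969401954318|2012-09-24 12:39:14|2012-09-24 12:41:18|124|6|"
    "3232292534|54422|3088986000|80|26|10416|19|2835|27|27";

/* One sancp record. Field names are my assumption from the order of values
 * in the sample line; they are not names used by PRADS or sancp. */
struct sancp_rec {
    char cnxid[32];
    char start[32];
    char end[32];
    long duration;            /* seconds */
    unsigned proto;           /* IP protocol number, 6 = TCP */
    uint32_t src_ip;          /* address as a host-order 32-bit integer */
    unsigned src_port;
    uint32_t dst_ip;
    unsigned dst_port;
    unsigned long src_pkts, src_bytes, dst_pkts, dst_bytes;
    unsigned src_flags, dst_flags;
};

/* Integer form sancp_agent expects: the IPv4 address in host byte order.
 * This is the value to print in the sancp log, not inet_ntop() text. */
int ipv4_to_sancp(const char *dotted, uint32_t *out)
{
    struct in_addr a;
    if (inet_pton(AF_INET, dotted, &a) != 1)
        return -1;
    *out = ntohl(a.s_addr);
    return 0;
}

/* Reverse mapping, useful when reading sancp logs by hand. Returns NULL on error. */
const char *sancp_to_dotted(uint32_t v, char *buf, size_t len)
{
    struct in_addr a;
    a.s_addr = htonl(v);
    return inet_ntop(AF_INET, &a, buf, len);
}

/* Parse one pipe-separated sancp record. Returns 0 on success, -1 if the
 * line does not carry all 15 fields: a dotted address where an integer is
 * expected stops the %SCNu32 conversion at the first '.', so the count
 * falls short and the line is rejected. */
int parse_sancp(const char *line, struct sancp_rec *r)
{
    int n = sscanf(line,
        "%31[^|]|%31[^|]|%31[^|]|%ld|%u|%" SCNu32 "|%u|%" SCNu32 "|%u|%lu|%lu|%lu|%lu|%u|%u",
        r->cnxid, r->start, r->end, &r->duration, &r->proto,
        &r->src_ip, &r->src_port, &r->dst_ip, &r->dst_port,
        &r->src_pkts, &r->src_bytes, &r->dst_pkts, &r->dst_bytes,
        &r->src_flags, &r->dst_flags);
    return n == 15 ? 0 : -1;
}

int main(void)
{
    struct sancp_rec r;
    char s[INET_ADDRSTRLEN], d[INET_ADDRSTRLEN];
    if (parse_sancp(SANCP_SAMPLE, &r) != 0) {
        fputs("bad record\n", stderr);
        return 1;
    }
    printf("%s:%u -> %s:%u proto %u, %lu/%lu bytes\n",
           sancp_to_dotted(r.src_ip, s, sizeof s), r.src_port,
           sancp_to_dotted(r.dst_ip, d, sizeof d), r.dst_port,
           r.proto, r.src_bytes, r.dst_bytes);
    return 0;
}
```

Running it on the sample record prints 192.168.222.182:54422 -> 184.30.47.144:80; feeding it the same line with those dotted addresses in place of the integers makes parse_sancp() return -1.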

This patch I think should do the trick - can you verify?

diff --git a/src/output-plugins/log_dispatch.c b/src/output-plugins/log_dispatch.c
index 760d078..333a904 100644
--- a/src/output-plugins/log_dispatch.c
+++ b/src/output-plugins/log_dispatch.c
@@ -138,7 +138,7 @@ void log_connection(connection cxt, FILE fd, int outputmode)
fprintf(fd, "%ld%09ju|%s|%s|%ld|%u|",
cxt->start_time, cxt->cxid, stime, ltime, tot_time,
cxt->proto);

  • if(outputmode == CX_NONE || outputmode || cxt->af == AF_INET6) {
  • if(outputmode != CX_NONE || outputmode || cxt->af == AF_INET6) {
    if(!inet_ntop(cxt->af, (cxt->af == AF_INET6? (void_) &cxt->s_ip : (void_) cxt->s_ip.s6_addr32), src_s, INET6_ADDRSTRLEN))
    perror("inet_ntop");
    if(!inet_ntop(cxt->af, (cxt->af == AF_INET6? (void_) &cxt->d_ip : (void_) cxt->d_ip.s6_addr32), dst_s, INET6_ADDRSTRLEN))
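Review bot: the middle `|| outputmode` term in the new condition `if(outputmode != CX_NONE || outputmode || cxt->af == AF_INET6)` is redundant whenever CX_NONE is 0 (any non-zero outputmode already satisfies `outputmode != CX_NONE`), and if CX_NONE is not 0 it sends the CX_NONE mode itself down the inet_ntop() path as well, so the test no longer expresses which modes get the text form; drop it and write `if(outputmode != CX_NONE || cxt->af == AF_INET6)`, or spell out the modes explicitly. The hunk shows only the inet_ntop() branch, so the path that should emit the host-order integer addresses sancp_agent expects is not visible here and cannot be reviewed from this diff; please include it. Also, the `(void_)` casts and the `FILE fd` / `connection cxt` parameters in the hunk header are rendering artifacts of `(void*)`, `FILE *fd` and `connection *cxt`, so the hunk should not be copied back into the tree verbatim.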

Looks good so far! Thanks!