[Snort-devel] Rebuild a complete packet from SQL
elof at ...969...
Wed Jun 18 11:49:06 EDT 2003
Before I start digging in the SQL-code I thought I'd ask you guys if what
I'm about to do is even possible.
1 Snort has logged an alert for a DNS-response packet (UDP/53)
2 With ACID I can see the decoded IP and UDP headers and a hexdump of the
This payload doesn't give me much information since it's just a raw dump.
This is what I'd like to do:
On the ACID-page with the hexdump of the packet I'll add a button that:
* rebuilds the packet (from the SQL database) and puts it in a tcpdump file
* passes the file (containing only a single packet) to ethereal
* ethereal prints a dump of the decoded packet
* I display the output in the web browser
Now I see a decoded DNS-response instead of the raw hexdump. I can see the
question, the answer, the transaction-ID, etc.
Is this possible? I mean, are ALL the parts of the packet logged to
the SQL database so I can rebuild the packet?
(I'm not interested in logging to a binary file. I need to know if the
above is possible)
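The rebuild step the post asks about, as an added example that is not part of the original message and not code from Snort or ACID. It takes one row's worth of the per-packet columns that the Snort database schema keeps in its iphdr, udphdr and data tables (the column names used here, and the assumption that data_payload is a hex string, are mine; check them against the create_mysql / create_postgresql script that built your database), re-serialises the IP and UDP headers with freshly computed checksums, and wraps the result in a libpcap file behind a synthetic all-zero Ethernet header so that tethereal (Ethereal's command-line front end) can decode it. The DNS response used as input is constructed for the example; IP options are not handled.

```python
import socket
import struct

# Constructed sample record. Field names mirror the iphdr/udphdr/data
# tables of the Snort database schema as I understand them (assumption);
# ip_len, ip_csum and udp_csum are recomputed rather than copied.
SAMPLE_ROW = {
    "ip_src": "192.0.2.53", "ip_dst": "192.0.2.10",
    "ip_ver": 4, "ip_hlen": 5, "ip_tos": 0, "ip_id": 0x1234,
    "ip_flags": 0, "ip_off": 0, "ip_ttl": 64, "ip_proto": 17,
    "udp_sport": 53, "udp_dport": 32768,
    # Constructed DNS response: id 0xabcd, flags 0x8180, one question
    # (example.com A IN), one answer (A 192.0.2.1, TTL 300).
    "data_payload": (
        "abcd" "8180" "0001" "0001" "0000" "0000"
        "076578616d706c6503636f6d00" "0001" "0001"
        "c00c" "0001" "0001" "0000012c" "0004" "c0000201"
    ),
}

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def checksum(data: bytes) -> int:
    """RFC 1071 ones' complement checksum; returns 0 for a valid block."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def rebuild_packet(row: dict) -> bytes:
    """Serialise IP header + UDP header + payload from one database row."""
    payload = bytes.fromhex(row["data_payload"])
    src, dst = socket.inet_aton(row["ip_src"]), socket.inet_aton(row["ip_dst"])
    udp_len = 8 + len(payload)
    ip_hlen = row["ip_hlen"] * 4            # IHL is in 32-bit words
    ip_len = ip_hlen + udp_len

    # UDP header with a zero checksum, then fill it in over the pseudo-header.
    udp = struct.pack("!HHHH", row["udp_sport"], row["udp_dport"], udp_len, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, row["ip_proto"], udp_len)
    udp_csum = checksum(pseudo + udp + payload) or 0xFFFF   # 0 means "none"
    udp = udp[:6] + struct.pack("!H", udp_csum)

    # IP header: flags live in the top 3 bits of the fragment-offset word.
    ver_ihl = (row["ip_ver"] << 4) | row["ip_hlen"]
    flags_off = (row["ip_flags"] << 13) | row["ip_off"]
    ip = struct.pack("!BBHHHBBH4s4s", ver_ihl, row["ip_tos"], ip_len,
                     row["ip_id"], flags_off, row["ip_ttl"], row["ip_proto"],
                     0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + udp + payload


def checksums_ok(packet: bytes) -> bool:
    """Re-verify both checksums the way a decoder would."""
    ihl = (packet[0] & 0x0F) * 4
    ip, rest = packet[:ihl], packet[ihl:]
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, ip[9], len(rest))
    return checksum(ip) == 0 and checksum(pseudo + rest) == 0


def pcap_file(packet: bytes, ts_sec: int = 0, ts_usec: int = 0) -> bytes:
    """Single-packet libpcap file (little-endian) with a synthetic Ethernet
    header; the timestamp would come from the event table in practice."""
    frame = b"\x00" * 12 + b"\x08\x00" + packet      # dst, src, type=IPv4
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535,
                      LINKTYPE_ETHERNET)
    rec = struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame))
    return hdr + rec + frame


if __name__ == "__main__":
    pkt = rebuild_packet(SAMPLE_ROW)
    with open("rebuilt.pcap", "wb") as fh:
        fh.write(pcap_file(pkt))
    print("checksums ok:", checksums_ok(pkt))
    print("now run: tethereal -V -r rebuilt.pcap")
```

Feeding the file to `tethereal -V -r rebuilt.pcap` prints the full decode (transaction ID, question, answer), which is the text the ACID page would display. Recomputing the checksums rather than copying ip_csum and udp_csum from the database is deliberate: if the two disagree, the stored header fields and the stored payload do not describe the same packet, which is worth knowing before trusting the decode.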