[Snort-devel] Rebuild a complete packet from SQL

Martin Olsson
Wed Jun 18 11:49:06 EDT 2003

Before I start digging in the SQL-code I thought I'd ask you guys if what
I'm about to do is even possible.

1. Snort has logged an alert for a DNS-response packet (UDP/53)
2. With ACID I can see the decoded IP and UDP headers and a hexdump of the
   packet payload

This payload doesn't give me much information since it's just a raw dump.

This is what I'd like to do:

On the ACID-page with the hexdump of the packet I'll add a button that:
* rebuilds the packet (from the SQL-database) and puts it in a tcpdump-file
* passes the file (containing only a single packet) to ethereal
* ethereal prints a dump of the decoded packet
* I display the output in the web-browser

Now I see a decoded DNS-response instead of the raw hexdump. I can see the
question, the answer, the transaction-ID, etc.

Is this possible? I mean, are ALL the parts of the packet logged to
the SQL database so I can rebuild the packet?

(I'm not interested in logging to a binary file. I need to know if the
above is possible)
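
Added example, not part of the original post: a Python sketch of the first step described above, reassembling an IPv4/UDP packet from decoded header fields plus the hex payload and wrapping it in a single-packet tcpdump file. The field names, sample values and DNS payload are constructed for illustration; mapping database columns to these fields is assumed to happen beforehand, IP options are not handled, and the file uses the raw-IP link type so no link-layer header is needed.

```python
import socket
import struct

LINKTYPE_RAW = 101  # pcap link type whose packets start at the IP header

# Constructed sample values; the dict keys are this example's own names.
SAMPLE_FIELDS = {"src": "192.0.2.53", "dst": "198.51.100.10", "tos": 0,
                 "id": 0x1C46, "flags_off": 0, "ttl": 64,
                 "sport": 53, "dport": 33000}
# Constructed DNS response: example.com A 192.0.2.1, transaction ID 0x1234.
SAMPLE_PAYLOAD_HEX = ("123481800001000100000000076578616d706c6503636f6d00"
                      "00010001c00c000100010000003c0004c0000201")

def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum over an IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_udp_packet(f: dict, payload_hex: str) -> bytes:
    """Reassemble IPv4 + UDP + payload from decoded fields (no IP options)."""
    payload = bytes.fromhex(payload_hex)
    udp_len = 8 + len(payload)
    # A UDP checksum of 0 means "not computed" over IPv4.
    udp = struct.pack("!HHHH", f["sport"], f["dport"], udp_len, 0)

    def ip_header(csum: int) -> bytes:
        return struct.pack("!BBHHHBBH4s4s", 0x45, f["tos"], 20 + udp_len,
                           f["id"], f["flags_off"], f["ttl"],
                           socket.IPPROTO_UDP, csum,
                           socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]))

    # Build once with a zero checksum, then again with the computed value.
    return ip_header(ip_checksum(ip_header(0))) + udp + payload

def pcap_bytes(packet: bytes, ts_sec: int, ts_usec: int = 0) -> bytes:
    """Return the bytes of a tcpdump (pcap) file holding one packet."""
    file_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW)
    rec_hdr = struct.pack("<IIII", ts_sec, ts_usec, len(packet), len(packet))
    return file_hdr + rec_hdr + packet

if __name__ == "__main__":
    pkt = build_udp_packet(SAMPLE_FIELDS, SAMPLE_PAYLOAD_HEX)
    with open("alert.pcap", "wb") as fh:
        fh.write(pcap_bytes(pkt, ts_sec=1055951346))  # constructed timestamp
```

The resulting alert.pcap holds only the one packet and can be handed to a protocol decoder to print the decoded DNS fields.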


