[Snort-users] logging question

James Hoagland hoagland at ...47...
Tue May 29 14:55:54 EDT 2001


At 12:23 PM -0400 5/25/01, Anthony Buser wrote:
>Unfortunately so far as I know SnortSnarf cannot handle the tcpdump

This is true, but something you should be able to do is to run snort 
with "-r" to read that tcpdump data and to output it in (for example) 
full alert format, which SnortSnarf can read.

>data.  Which is one reason why I recently switched to Acid
>(http://www.cert.org/kb/acid/) and used the database logging with snort.
>So I added a line to my snort.conf like:
>
>output database: log, mysql, user=xxx password=xxx dbname=snort
>host=localhost sensor_name=netmon encoding=hex
>
>The encoding=hex at the end puts the tcpdump into the database in hex
>format, which acid automatically turns into human readable format and
>shows on the acid webpage when you drill down into the details.  You can
>also tell the database plugin to automatically convert to plain text by
>putting encoding=ascii.  That way you could develop your own tools to
>view it if you don't want to use acid... or I guess maybe modify
>snortsnarf to show it.

Being able to get input from a database is one of the motivators 
behind the modularization of SnortSnarf.  Now someone just needs to 
write the input module. (Silicon Defense has no plans at this point 
to do this ourselves.)  If someone wants to work on this, I think a 
number of people would be rather appreciative.

Kind regards,

   Jim

-- 
|*   Jim Hoagland, Associate Researcher, Silicon Defense    *|
|*               hoagland at ...47...                *|
|*              http://www.silicondefense.com/              *|
|*      Silicon Defense - Technical Support for Snort       *|
|*  Voice: (530) 756-7317              Fax: (530) 756-7297  *|
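A small viewer of the kind Anthony suggests writing yourself, added here as an example and not code from either poster, Snort or ACID: it takes the payload column as the database plugin stores it with encoding=hex (or encoding=ascii) and renders it as hex and text columns, which is what ACID does on its detail page. The row tuple shape and the sample rows are constructed for the example.

```python
"""Render Snort database-plugin payloads stored with encoding=hex or ascii."""
import binascii
import string

# Characters shown verbatim in the text column; everything else becomes "."
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def decode_payload(stored: str, encoding: str) -> bytes:
    """Turn the stored payload column back into raw bytes.

    encoding=hex keeps two hex digits per packet byte, so the original
    payload is fully recoverable.  encoding=ascii only keeps printable text
    (assumption for this example: non-printable bytes were not preserved),
    so it is returned as-is and cannot be turned back into the exact packet.
    """
    if encoding == "hex":
        return binascii.unhexlify(stored.strip())
    if encoding == "ascii":
        return stored.encode("latin-1")
    raise ValueError(f"unsupported encoding: {encoding}")


def hexdump(data: bytes, width: int = 16) -> list[str]:
    """Format bytes as offset, hex bytes and ASCII, one line per `width` bytes."""
    lines = []
    for offset in range(0, len(data), width):
        chunk = data[offset:offset + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        text = "".join(chr(b) if chr(b) in PRINTABLE else "." for b in chunk)
        lines.append(f"{offset:08x}  {hex_part}  {text}")
    return lines


# Constructed sample rows shaped as (sid, cid, encoding, data); the hex row is
# "GET /cgi-bin/test HTTP/1.0\r\n" as the plugin would store it with encoding=hex.
SAMPLE_ROWS = [
    (1, 17, "hex", "474554202f6367692d62696e2f7465737420485454502f312e300d0a"),
    (1, 18, "ascii", "GET /index.html HTTP/1.0"),
]


def render_rows(rows):
    """Map each (sid, cid) event to its rendered hexdump lines."""
    return {(sid, cid): hexdump(decode_payload(stored, enc))
            for sid, cid, enc, stored in rows}


if __name__ == "__main__":
    for (sid, cid), lines in render_rows(SAMPLE_ROWS).items():
        print(f"event sid={sid} cid={cid}")
        print("\n".join(lines))
```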
