[Snort-users] Database plugin question

Radu Brumariu brumariur at ...908...
Wed Aug 14 15:35:02 EDT 2002


Yes, this is very close to what I thought.
Actually I have some trace files that I want to filter through snort,
but I need the database populated with all the packets found in the
trace. That's because I want to initially remove some rules and then try
to produce them, using some algorithm. I just need to run the algorithm
on the whole database, ip or not ip, just everything that the nic will
see.
I am also considering modifying tcpdump so it will log to a database
rather than a flat file.

Let me know what you think.

Thanks,
Radu



On Wed, 2002-08-14 at 16:31, Phil Wood wrote:
> On Wed, Aug 14, 2002 at 10:13:47AM -0500, Radu Brumariu wrote:
> > 
> > Thanks, Jeffrey for the input. 
> > However, I would like snort to log _all_ the packets that it sees,
> > including arp,igrp,gre, etc.
> 
> I would use tcpdump for that:
> 
>   tcpdump -i eth0 -w pcapfile -s 1514
> 
> You can even feed that file into snort for analysis.  Instead of -i, use
> 
>   -r pcapfile
> 
> snort does not handle non ip packets.  You could use snort to grab the
> ip packets with the rule supplied by Jeffrey, and you could use tcpdump at
> the same time to get all the non-ip packets with the following:
> 
>   tcpdump -i eth0 -w pcapfile -s 1514 not ip
> 
> > 
> > Radu
> > 
> > 
> > On Wed, 2002-08-14 at 14:42, Dell, Jeffrey wrote:
> > > Use the rule:
> > > 
> > > log ip any any <> any any 
> > > 
> > > This will log all ip packets.
> > > 
> > > -----Original Message-----
> > > From: Radu Brumariu [mailto:brumariur at ...908...] 
> > > Sent: Wednesday, August 14, 2002 10:27 AM
> > > To: snort-users at lists.sourceforge.net
> > > Subject: [Snort-users] Database plugin question
> > > 
> > > 
> > > 
> > > Hi all,
> > > I would like to know if it is possible to trick snort into logging every
> > > packet that it sees to the database rather than log|alert?
> > > 
> > > thanks,
> > > Radu
> > > 
> > > 
> > > 
> > > 
> > > 
> > > -------------------------------------------------------
> > > This sf.net email is sponsored by: Dice - The leading online job board for
> > > high-tech professionals. Search and apply for tech jobs today!
> > > http://seeker.dice.com/seeker.epl?rel_code=31
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > 
> > 
> > 
> > 
> 
> -- 
> Phil Wood, cpw at ...440...
> 
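What the thread is after, every frame the NIC saw (ARP and the rest included) ending up in a database, does not require modifying tcpdump: capture with `tcpdump -w` as Phil suggests, then read the file back and insert one row per record. The following is an added example, not code from the original thread or from the Snort or tcpdump projects. It uses only Python's standard library, builds a constructed three-frame capture in memory (ARP, IPv4/UDP, IPv6; not real traffic), parses the classic libpcap format, and writes every frame to a SQLite table. The table name `frames`, its columns, and all function names are assumptions made here.

```python
"""Load every frame of a libpcap capture into SQLite, IP or not (added example)."""
import sqlite3
import struct

ETH_P_IP, ETH_P_ARP, ETH_P_8021Q, ETH_P_IPV6 = 0x0800, 0x0806, 0x8100, 0x86DD

# Assumed schema; nothing in the thread prescribes one.
SCHEMA = """
CREATE TABLE IF NOT EXISTS frames (
    id        INTEGER PRIMARY KEY,
    ts_sec    INTEGER NOT NULL,
    ts_usec   INTEGER NOT NULL,
    caplen    INTEGER NOT NULL,   -- bytes actually captured (limited by -s snaplen)
    wirelen   INTEGER NOT NULL,   -- bytes on the wire; differs from caplen if truncated
    ethertype INTEGER,            -- NULL when the frame is shorter than an Ethernet header
    ip_proto  INTEGER,            -- IPv4 protocol number; NULL for non-IPv4 frames
    src       TEXT,               -- dotted-quad addresses, IPv4 only
    dst       TEXT,
    raw       BLOB NOT NULL       -- the captured bytes, so nothing is thrown away
)
"""

def parse_pcap(data):
    """Yield (ts_sec, ts_usec, caplen, wirelen, frame) per record of a classic pcap."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    _major, _minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if linktype != 1:  # DLT_EN10MB: we only know where the EtherType sits in Ethernet
        raise ValueError("expected Ethernet (linktype 1), got %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, caplen, wirelen = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if caplen > snaplen or off + caplen > len(data):
            raise ValueError("truncated or corrupt record at offset %d" % off)
        yield ts_sec, ts_usec, caplen, wirelen, data[off:off + caplen]
        off += caplen

def classify(frame):
    """Return (ethertype, ip_proto, src, dst); only IPv4 frames fill the last three."""
    if len(frame) < 14:
        return None, None, None, None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    if ethertype == ETH_P_8021Q and len(frame) >= 18:  # step over one 802.1Q tag
        ethertype = struct.unpack("!H", frame[16:18])[0]
        payload = frame[18:]
    if ethertype != ETH_P_IP or len(payload) < 20:
        return ethertype, None, None, None
    src = ".".join(str(b) for b in payload[12:16])
    dst = ".".join(str(b) for b in payload[16:20])
    return ethertype, payload[9], src, dst

def load_pcap(conn, data):
    """Insert every record of the capture into `conn`; returns the row count."""
    rows = []
    for ts_sec, ts_usec, caplen, wirelen, frame in parse_pcap(data):
        ethertype, ip_proto, src, dst = classify(frame)
        rows.append((ts_sec, ts_usec, caplen, wirelen, ethertype, ip_proto, src, dst, frame))
    with conn:
        conn.execute(SCHEMA)
        conn.executemany("INSERT INTO frames (ts_sec, ts_usec, caplen, wirelen, ethertype,"
                         " ip_proto, src, dst, raw) VALUES (?,?,?,?,?,?,?,?,?)", rows)
    return len(rows)

def count_not_ip(conn):
    """Same selection as the BPF filter `not ip`: EtherType other than IPv4 (IPv6 included)."""
    return conn.execute("SELECT COUNT(*) FROM frames WHERE ethertype IS NULL OR ethertype != ?",
                        (ETH_P_IP,)).fetchone()[0]

def eth_frame(ethertype, payload, dst=b"\xff" * 6, src=b"\x00\x11\x22\x33\x44\x55"):
    """Build an Ethernet II frame around `payload` (constructed test data)."""
    return dst + src + struct.pack("!H", ethertype) + payload

def build_sample_pcap():
    """Constructed three-frame capture, not real traffic: ARP request, IPv4/UDP, IPv6."""
    arp = eth_frame(ETH_P_ARP, bytes.fromhex("0001080006040001") + b"\x00\x11\x22\x33\x44\x55"
                    + bytes([10, 0, 0, 1]) + b"\x00" * 6 + bytes([10, 0, 0, 2]))
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, 64, 17, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    udp = struct.pack("!HHHH", 1234, 53, 8, 0)
    ip4 = eth_frame(ETH_P_IP, ipv4 + udp)
    ip6 = eth_frame(ETH_P_IPV6, struct.pack("!IHBB", 0x60000000, 0, 59, 64) + b"\x00" * 32)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1514, 1)  # global header, snaplen 1514
    for i, f in enumerate([arp, ip4, ip6]):
        out += struct.pack("<IIII", 1029340000 + i, 0, len(f), len(f)) + f
    return out

def load_sample_into_memory():
    """Load the constructed capture into an in-memory database; returns (conn, rows)."""
    conn = sqlite3.connect(":memory:")
    return conn, load_pcap(conn, build_sample_pcap())

if __name__ == "__main__":
    conn, n = load_sample_into_memory()
    print("%d frames loaded, %d of them not IPv4" % (n, count_not_ip(conn)))
    for row in conn.execute("SELECT id, ethertype, ip_proto, src, dst FROM frames"):
        print(row)
```

For a real capture, `load_pcap(conn, open("pcapfile", "rb").read())` on the file written by `tcpdump -i eth0 -w pcapfile -s 1514` is all that changes. Keeping both `caplen` and `wirelen` makes the effect of the snaplen visible: with the default (short) snaplen of the tcpdump of that era the two columns would differ on most rows, which is the reason for Phil's `-s 1514`. `count_not_ip` matches what tcpdump's `not ip` selects, so the two halves of Phil's split (Snort for IPv4 via the `log ip any any <> any any` rule, tcpdump for the rest) can be checked against each other once both land in the same database.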