[Snort-users] Weird question

Erek Adams erek at ...950...
Tue Aug 5 07:37:04 EDT 2003


On Mon, 4 Aug 2003, Paul Schmehl wrote:

> Now promise you won't laugh......is there a way to reassemble packets that
> have been fed from snort to mysql?  Believe or not, the networking guys
> want something they can look at in tcpdump or ethereal.  (Yes, I know how
> to enable that.  I want to look at stuff that's already in the database.)

Not that wierd of a question.  :)

Short answer:  No.

Long answer:  The entire stream isn't saved to the DB.  Only the packet
that caused the alert.  This is where saving the alerting packets to
binary (pcap) form is handy.  I'd suggest begging, borrowing, or stealing
more disk space and running double logging.  One to DB, one to pcap.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson




More information about the Snort-users mailing list