[Snort-users] AIM decoding

Erek Adams erek at ...950...
Wed Sep 17 07:24:14 EDT 2003


On Wed, 17 Sep 2003, JJ wrote:

> I was actually hoping someone had code that would pull the send/receive
> message alerts out of a MySQL database and print out the decoded chat
> session.  More specifically, I was hoping for perl.
>
> At any rate, I will probably code something up that will pull the chat
> sessions, by date and IP, out of the MySQL server for use in waste,
> fraud and abuse (WFA) cases.
>
> If anyone knows something that does this, please let me know.

Snort's the wrong tool for that.

When it logs something to the DB, the only thing (in the default rules)
that gets logged is one packet.  Not enough for a conversation, just the
start of one or some 'random point' in the converstation.

You might do better to log all outgoing traffic on port 5190 to disk and
replay it into Snort and some sort of script to dump it into a DB.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson




More information about the Snort-users mailing list