[Snort-users] mysql to pcap?

Tim Maletic tmaletic at ...11827...
Fri Aug 29 12:42:05 EDT 2008


I'm viewing snort events through a third-party tool that is fetching
the data from the mysql database snort is logging to.  I want to be
able to select a particular event in the third-party tool and view it
in wireshark, so that I can subject the payload to wireshark's
protocol parsers.

Oh, and I want to do it right there, bam!, with one click.  I don't
want to go trolling through some unified log file on some remote snort
sensor trying to find my packet.

Well, all the data I need to hand to text2pcap and wireshark is in
mysql.  Seems like I could just write up a script that, given a cid,
fetches the hex-encoded payload, formats the payload as needed by
text2pcap, fetches the header data to also hand to text2pcap to
populate the dummy header parameters that it supports, and throws the
result at wireshark.

But someone must have done this already.  Right?  :)
-tm