[Snort-users] mysql to pcap?

Jack Pepper pepperjack at ...14319...
Fri Aug 29 12:52:41 EDT 2008


I changed the post processor so what gets written to the DB is a
base64-encoded hash of the raw pcap data, for exactly this reason.

jp

Quoting Tim Maletic <tmaletic at ...11827...>:

> I'm viewing snort events through a third-party tool that is fetching
> the data from the mysql database snort is logging to.  I want to be
> able to select a particular event in the third-party tool and view it
> in wireshark, so that I can subject the payload to wireshark's
> protocol parsers.
>
> Oh, and I want to do it right there, bam!, with one click.  I don't
> want to go trolling through some unified log file on some remote snort
> sensor trying to find my packet.
>
> Well, all the data I need to hand to text2pcap and wireshark is in
> mysql.  Seems like I could just write up a script that, given a cid,
> fetches the hex-encoded payload, formats the payload as needed by
> text2pcap, fetches the header data to also hand to text2pcap to
> populate the dummy header parameters that it supports, and throw the
> result at wireshark.
>
> But someone must have done this already.  Right?  :)
> -tm



-- 

Framework?  I don't need no stinking framework!

----------------------------------------------------------------
@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com
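The one-click path Tim sketches above (given a cid, pull the hex payload and header columns, hand them to text2pcap, open the result in Wireshark), worked through as an added example; this is not code from either poster. It assumes the stock Snort MySQL schema (iphdr, tcphdr and data tables, data_payload stored as hex text by "output database ... detail full"), that the rows for one (sid, cid) have already been fetched with whatever driver you use, and that ip_flags/ip_off are the split values Snort's output plugin writes. The sample rows, the cid 42 and the file names are constructed. It shows both routes: rebuilding real IP/TCP headers from the stored columns and writing a LINKTYPE_RAW pcap directly, and the payload-only route through text2pcap's dummy headers.

```python
"""Rebuild one Snort event from the Snort MySQL schema as a pcap Wireshark can open.

Added example for this thread, not code from either poster. Assumes the stock
Snort database schema (tables iphdr, tcphdr, data) with data_payload stored as
hex text, and the rows for one (sid, cid) already fetched. Sample rows below
are constructed, not real events.
"""
import socket
import struct

LINKTYPE_RAW = 101  # pcap link type: each record starts at the IPv4 header

# Constructed sample rows standing in for (placeholders are hypothetical):
#   SELECT * FROM iphdr  WHERE sid=%s AND cid=%s
#   SELECT * FROM tcphdr WHERE sid=%s AND cid=%s
#   SELECT data_payload FROM data WHERE sid=%s AND cid=%s
SAMPLE_IPHDR = {"ip_src": 0xC0A80105, "ip_dst": 0x0A000001, "ip_ver": 4,
                "ip_hlen": 5, "ip_tos": 0, "ip_id": 0x1234, "ip_flags": 2,
                "ip_off": 0, "ip_ttl": 64, "ip_proto": 6}
SAMPLE_TCPHDR = {"tcp_sport": 40000, "tcp_dport": 80, "tcp_seq": 1000,
                 "tcp_ack": 2000, "tcp_off": 5, "tcp_res": 0, "tcp_flags": 0x18,
                 "tcp_win": 65535, "tcp_csum": 0, "tcp_urp": 0}
SAMPLE_PAYLOAD_HEX = "474554202F20485454502F312E310D0A"   # "GET / HTTP/1.1\r\n"


def decode_payload(data_payload):
    """Turn Snort's hex-text payload into bytes; reject anything malformed.

    The column holds the packet that tripped a rule, i.e. attacker-influenced
    data, so fail loudly instead of handing a half-decoded buffer to Wireshark."""
    if isinstance(data_payload, bytes):
        data_payload = data_payload.decode("ascii")
    hexstr = "".join(data_payload.split())
    if len(hexstr) % 2:
        raise ValueError("odd-length hex payload")
    return bytes.fromhex(hexstr)          # raises ValueError on non-hex characters


def ipv4_checksum(header):
    """RFC 1071 ones'-complement sum over the IPv4 header (0 for a valid header)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(ip, tcp, payload):
    """Rebuild IPv4 + TCP headers from the stored columns and append the payload.

    Total length and the IP checksum are recomputed from what we actually have,
    so the packet stays self-consistent even if Snort truncated the payload.
    The stored TCP checksum is copied as-is (Wireshark does not validate it by
    default). IP options are not in the schema, so the IHL is forced to 5."""
    total_len = 20 + tcp["tcp_off"] * 4 + len(payload)
    flags_frag = ((ip["ip_flags"] & 0x7) << 13) | (ip["ip_off"] & 0x1FFF)
    ip_bytes = struct.pack("!BBHHHBBHII", (4 << 4) | 5, ip["ip_tos"], total_len,
                           ip["ip_id"], flags_frag, ip["ip_ttl"], ip["ip_proto"],
                           0, ip["ip_src"], ip["ip_dst"])
    ip_bytes = ip_bytes[:10] + struct.pack("!H", ipv4_checksum(ip_bytes)) + ip_bytes[12:]
    off_res = (tcp["tcp_off"] << 4) | (tcp["tcp_res"] & 0xF)
    tcp_bytes = struct.pack("!HHIIBBHHH", tcp["tcp_sport"], tcp["tcp_dport"],
                            tcp["tcp_seq"], tcp["tcp_ack"], off_res,
                            tcp["tcp_flags"], tcp["tcp_win"], tcp["tcp_csum"],
                            tcp["tcp_urp"])
    return ip_bytes + tcp_bytes + payload


def pcap_bytes(packet, ts, linktype=LINKTYPE_RAW):
    """A one-packet libpcap file (little-endian, format 2.4) as bytes."""
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    rec_hdr = struct.pack("<IIII", sec, usec, len(packet), len(packet))
    return global_hdr + rec_hdr + packet


def text2pcap_dump(payload):
    """The offset + hex-bytes dump text2pcap reads (od -Ax -tx1 style).

    This is the payload-only route: text2pcap -i 6 -T <sport>,<dport> wraps it
    in dummy Ethernet/IP/TCP headers, enough for the dissectors to pick a protocol,
    but the real addresses are lost, which is why build_packet() above exists."""
    lines = ["%06x %s" % (off, " ".join("%02x" % b for b in payload[off:off + 16]))
             for off in range(0, len(payload), 16)]
    lines.append("%06x" % len(payload))   # od-style final offset line ends the packet
    return "\n".join(lines) + "\n"


def text2pcap_command(ip, tcp, dump_path, pcap_path):
    """Command line for the dummy-header route; -i takes the protocol number in decimal."""
    return "text2pcap -i %d -T %d,%d %s %s" % (
        ip["ip_proto"], tcp["tcp_sport"], tcp["tcp_dport"], dump_path, pcap_path)


if __name__ == "__main__":
    payload = decode_payload(SAMPLE_PAYLOAD_HEX)
    packet = build_packet(SAMPLE_IPHDR, SAMPLE_TCPHDR, payload)
    with open("cid42.pcap", "wb") as f:             # then: wireshark cid42.pcap
        f.write(pcap_bytes(packet, 1220028761.0))   # event.timestamp as epoch seconds
    with open("cid42.txt", "w") as f:
        f.write(text2pcap_dump(payload))
    print(text2pcap_command(SAMPLE_IPHDR, SAMPLE_TCPHDR, "cid42.txt", "cid42-dummy.pcap"))
    print(socket.inet_ntoa(struct.pack("!I", SAMPLE_IPHDR["ip_src"])), "->",
          socket.inet_ntoa(struct.pack("!I", SAMPLE_IPHDR["ip_dst"])))
```

The direct pcap route is the one to wire to the "one click" in the third-party tool: it needs no text2pcap on the viewer's box, keeps the real addresses and ports so Wireshark's display filters match what the event table shows, and the only untrusted input it parses is the hex payload, which is validated before anything is written. Jack's alternative of storing the raw packet bytes in the DB avoids the reconstruction entirely, at the cost of a larger table.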