[Snort-users] mysql to pcap?

Ryan Jordan jjordan at ...1935...
Fri Aug 29 14:12:42 EDT 2008


I'm not sure what third-party tool you're using or what's stored in your
database, but there's a little tool bundled with the SnortSP beta that
converts unified2 files directly into pcaps. It's in the src/tools/u2boat
directory. If you're logging in Unified2, it'll save you the trouble of
trying to convert that to text suitable for text2pcap. Can't help you with
the scripting magic, though. :)

You can download SnortSP here: http://www.snort.org/dl/snortsp/

On Fri, Aug 29, 2008 at 12:42 PM, Tim Maletic <tmaletic at ...11827...> wrote:

> I'm viewing snort events through a third-party tool that is fetching
> the data from the mysql database snort is logging to.  I want to be
> able to select a particular event in the third-party tool and view it
> in wireshark, so that I can subject the payload to wireshark's
> protocol parsers.
>
> Oh, and I want to do it right there, bam!, with one click.  I don't
> want to go trolling through some unified log file on some remote snort
> sensor trying to find my packet.
>
> Well, all the data I need to hand to text2pcap and wireshark is in
> mysql.  Seems like I could just write up a script that, given a cid,
> fetches the hex-encoded payload, formats the payload as needed by
> text2pcap, fetches the header data to also hand to text2pcap to
> populate the dummy header parameters that it supports, and throw the
> result at wireshark.
>
> But someone must have done this already.  Right?  :)
> -tm
>
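For anyone wanting the "scripting magic" the thread leaves open, here is one way to do what Tim describes: pull the header fields and the hex-encoded payload for a given cid out of Snort's MySQL tables and either feed them to text2pcap or write a pcap directly and hand it to Wireshark. This is an added example, not code from the thread, from Snort or from SnortSP. It assumes the column names of Snort's MySQL output schema (iphdr, tcphdr, data, with data_payload stored as a hex string), a DB-API connection object, and the -4/-T/-u/-i dummy-header flags of text2pcap; the sample rows are constructed. Two caveats a practitioner will want: the database does not keep IP or TCP options, so the rebuilt headers are fixed at 20 bytes each (header lengths are set accordingly rather than copied from the row), and the TCP checksum is whatever the row holds, so Wireshark may flag it.

```python
"""Turn one Snort event (sid, cid) from the MySQL log into a pcap Wireshark can open.

Assumed schema: the iphdr / tcphdr / data tables written by Snort's database
output plugin.  Nothing below contacts a database; the sample rows are
constructed to look like what FETCH_SQL would return.
"""
import socket
import struct
import subprocess
import tempfile

# Constructed sample rows for one event (a small HTTP request), not real data.
IPHDR = {"ip_src": 3232235777, "ip_dst": 3232235876,   # 192.168.1.1 -> 192.168.1.100
         "ip_tos": 0, "ip_id": 0x1234, "ip_flags": 2, "ip_off": 0,
         "ip_ttl": 64, "ip_proto": 6}
TCPHDR = {"tcp_sport": 40000, "tcp_dport": 80, "tcp_seq": 1, "tcp_ack": 1,
          "tcp_flags": 0x18, "tcp_win": 65535, "tcp_csum": 0, "tcp_urp": 0}
PAYLOAD_HEX = "474554202F20485454502F312E310D0A0D0A"   # "GET / HTTP/1.1\r\n\r\n"

# Assumed column/table names; sid is the sensor id that pairs with cid.
FETCH_SQL = """SELECT i.*, t.*, d.data_payload FROM iphdr i
 JOIN tcphdr t USING (sid, cid) JOIN data d USING (sid, cid)
 WHERE i.sid = %s AND i.cid = %s"""


def fetch_event(conn, sid, cid):
    """Run FETCH_SQL on a DB-API connection and return one column->value dict."""
    cur = conn.cursor()
    cur.execute(FETCH_SQL, (sid, cid))
    row = cur.fetchone()
    return dict(zip([c[0] for c in cur.description], row)) if row else None


def text2pcap_lines(payload_hex):
    """Render the hex payload as the 'offset  bytes' dump text2pcap reads (16 per line)."""
    raw = bytes.fromhex(payload_hex)
    out = ["%06x %s" % (off, " ".join("%02x" % b for b in raw[off:off + 16]))
           for off in range(0, len(raw), 16)]
    out.append("%06x" % len(raw))     # a bare final offset terminates the packet
    return "\n".join(out) + "\n"


def text2pcap_argv(iphdr, l4hdr, out_path):
    """Command line that makes text2pcap prepend dummy Ethernet/IP/L4 headers."""
    src = socket.inet_ntoa(struct.pack("!I", iphdr["ip_src"]))
    dst = socket.inet_ntoa(struct.pack("!I", iphdr["ip_dst"]))
    argv = ["text2pcap", "-4", "%s,%s" % (src, dst)]
    if iphdr["ip_proto"] == 6:
        argv += ["-T", "%d,%d" % (l4hdr["tcp_sport"], l4hdr["tcp_dport"])]
    elif iphdr["ip_proto"] == 17:
        argv += ["-u", "%d,%d" % (l4hdr["udp_sport"], l4hdr["udp_dport"])]
    else:
        argv += ["-i", str(iphdr["ip_proto"])]
    return argv + ["-", out_path]      # read the dump from stdin


def _ip_checksum(hdr):
    """RFC 1071 ones'-complement sum over an even-length header."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_pcap(iphdr, tcphdr, payload_hex, ts=0.0):
    """Rebuild Ethernet+IPv4+TCP+payload from the rows and wrap it in a pcap file."""
    payload = bytes.fromhex(payload_hex)
    # Options are not stored in the DB, so data offset is fixed at 5 words (20 bytes).
    tcp = struct.pack("!HHIIBBHHH", tcphdr["tcp_sport"], tcphdr["tcp_dport"],
                      tcphdr["tcp_seq"], tcphdr["tcp_ack"], 5 << 4, tcphdr["tcp_flags"],
                      tcphdr["tcp_win"], tcphdr["tcp_csum"], tcphdr["tcp_urp"])
    # Same for IP: IHL 5, total length recomputed from what we actually emit.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, iphdr["ip_tos"], 20 + len(tcp) + len(payload),
                     iphdr["ip_id"], (iphdr["ip_flags"] << 13) | iphdr["ip_off"],
                     iphdr["ip_ttl"], iphdr["ip_proto"], 0,
                     struct.pack("!I", iphdr["ip_src"]), struct.pack("!I", iphdr["ip_dst"]))
    ip = ip[:10] + struct.pack("!H", _ip_checksum(ip)) + ip[12:]
    frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload   # dummy MACs, EtherType IPv4
    sec, usec = int(ts), int((ts - int(ts)) * 1_000_000)
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # LINKTYPE_ETHERNET
    rec = struct.pack("<IIII", sec, usec, len(frame), len(frame))
    return ghdr + rec + frame


def open_in_wireshark(pcap):
    """Write the pcap to a temp file and launch wireshark -r on it; returns the path."""
    with tempfile.NamedTemporaryFile(suffix=".pcap", delete=False) as f:
        f.write(pcap)
    subprocess.Popen(["wireshark", "-r", f.name])
    return f.name


if __name__ == "__main__":
    print(" ".join(text2pcap_argv(IPHDR, TCPHDR, "event.pcap")))
    print(text2pcap_lines(PAYLOAD_HEX), end="")
    open_in_wireshark(build_pcap(IPHDR, TCPHDR, PAYLOAD_HEX))
```

The text2pcap route only needs the payload dump plus addresses and ports, which is why the dummy-header flags are enough; build_pcap goes one step further and keeps the IP id, TTL, flags, sequence numbers and window from the row, so Wireshark's TCP analysis sees something closer to the original packet. Wire it to the third-party tool by passing that tool's selected sid/cid into fetch_event and calling open_in_wireshark on the result.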