[Snort-users] mysql to pcap?

Dirk Geschke dirk at ...10648...
Sat Aug 30 15:44:33 EDT 2008


Hi Tim,

> I'm viewing snort events through a third-party tool that is fetching
> the data from the mysql database snort is logging to.  I want to be
> able to select a particular event in the third-party tool and view it
> in wireshark, so that I can subject the payload to wireshark's
> protocol parsers.

[...]

> But someone must have done this already.  Right?  :)

You cannot do this with the standard database scheme; some parameters,
especially the headers, are missing.

I extended the database scheme to allow the storage of the missing
parts so that you can rebuild the pcap file. All of this is part of
FLoP; maybe you should take a look at it:

   http://www.geschke-online.de/FLoP/

Best regards

Dirk
-- 
+----------------------------------------------------------------------+
| Dr. Dirk Geschke       / Plankensteinweg 61    / 85435 Erding        |
| Telefon: 08122-559448  / Mobil: 0176-96906350 / Fax: 08122-9818106   |
| dirk at ...10648... / dirk at ...13691...  / kontakt at ...13691... | 
+----------------------------------------------------------------------+
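As an added example (not code from this thread, from Snort, or from FLoP) to illustrate what rebuilding a pcap from database rows actually involves: the writer below assembles an IPv4/TCP packet from the per-event fields a database row might hold (addresses, ports, payload) and wraps it in a pcap file that Wireshark can open. The timestamp, sequence numbers, TTL and window are constructed here because that is exactly the information a payload-only store has lost; the `build_ipv4_tcp`, `build_pcap`, `read_pcap` and `decode_packet` names are this example's own.

```python
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_RAW = 101  # records start at the IP header; no link-layer header stored

# Constructed sample payload standing in for one event's stored data
SAMPLE_PAYLOAD = b"GET / HTTP/1.0\r\n\r\n"


def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src, dst, sport, dport, payload, seq=0, ack=0, flags=0x18):
    """Rebuild an IPv4+TCP packet from the fields a database row supplies.
    seq/ack/flags/ttl/window are assumed defaults: the store does not have them."""
    tcp_len = 20 + len(payload)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                          5 << 4, flags, 65535, 0, 0)
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, 6, tcp_len))
    tcp_csum = checksum(pseudo + tcp_hdr + payload)
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", tcp_csum) + tcp_hdr[18:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + tcp_hdr + payload


def build_pcap(records):
    """records: iterable of (ts_sec, ts_usec, packet_bytes) -> pcap file bytes."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0,
                                65535, LINKTYPE_RAW))
    for ts_sec, ts_usec, pkt in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(pkt), len(pkt)) + pkt
    return bytes(out)


def read_pcap(blob):
    """Minimal reader used to check the writer; returns [(ts_sec, ts_usec, pkt)]."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", blob[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_RAW:
        raise ValueError("not a little-endian pcap with LINKTYPE_RAW")
    pos, records = 24, []
    while pos < len(blob):
        ts_sec, ts_usec, incl_len, _ = struct.unpack("<IIII", blob[pos:pos + 16])
        pos += 16
        records.append((ts_sec, ts_usec, blob[pos:pos + incl_len]))
        pos += incl_len
    return records


def decode_packet(pkt):
    """Parse the rebuilt packet back and verify both checksums."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    tcp = pkt[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, pkt[9], len(tcp))
    return {
        "src": socket.inet_ntoa(pkt[12:16]),
        "dst": socket.inet_ntoa(pkt[16:20]),
        "sport": sport, "dport": dport,
        "payload": tcp[doff:],
        "ip_ok": checksum(pkt[:ihl]) == 0,
        "tcp_ok": checksum(pseudo + tcp) == 0,
    }


if __name__ == "__main__":
    pkt = build_ipv4_tcp("10.0.0.1", "10.0.0.2", 40000, 80, SAMPLE_PAYLOAD)
    with open("event.pcap", "wb") as fh:
        fh.write(build_pcap([(1220100273, 0, pkt)]))
    print(decode_packet(pkt))
```

Opening the written file in Wireshark dissects the request as HTTP, which is the point of the exercise; anything the dissector shows beyond the payload (TTL, sequence numbers, window) is the synthesised value, not what was on the wire, which is why a schema that keeps the original headers is needed for faithful reconstruction.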