[Snort-users] mysql to pcap?

David J. Bianco david at ...13799...
Sat Aug 30 23:26:05 EDT 2008

This might be a more complicated solution than you're looking for,
but check out Sguil (www.sguil.net).  It captures PCAP in addition to
snort alerts (and network session logs as well), so when you're
examining an event, you can easily reference the PCAP data for the
entire network session, not just the single packet which caused the
alert.  If you're ready to start looking at PCAP, you might as well
go whole hog with it.


Tim Maletic wrote:
> I'm viewing snort events through a third-party tool that is fetching
> the data from the mysql database snort is logging to.  I want to be
> able to select a particular event in the third-party tool and view it
> in wireshark, so that I can subject the payload to wireshark's
> protocol parsers.
