[Snort-users] mysql to pcap?

Jason security at ...5028...
Tue Sep 2 10:28:59 EDT 2008



Dirk Geschke wrote:
> Hi Tim,
> 
>> I'm viewing snort events through a third-party tool that is fetching
>> the data from the mysql database snort is logging to.  I want to be
>> able to select a particular event in the third-party tool and view it
>> in wireshark, so that I can subject the payload to wireshark's
>> protocol parsers.
> 
> [...]
> 
>> But someone must have done this already.  Right?  :)
> 
> You cannot do this with the standard database scheme; there are
> some parameters, especially the headers, missing.

What is missing? You should be able to take the binary data and wrap a
pcap header on it and all should be well.

Details please.

> 
> I extended the database scheme to allow the storage of the missing
> parts so that you can rebuild the pcap file. All this is part of
> FLoP, maybe you should take a look at it:
> 
>    http://www.geschke-online.de/FLoP/
> 
> Best regards
> 
> Dirk
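Both replies above turn on the same question: whether the bytes stored for an event can be written out so that Wireshark will dissect them. The following is an added example, not code from either poster, FLoP, or the Snort project. It assumes the event's timestamp, addresses, ports, TCP sequence numbers, flags and payload bytes are available as separate values (here a constructed sample, not real data); it rebuilds an IPv4 and TCP header around the payload with valid checksums, wraps the result in a pcap record with the LINKTYPE_RAW (101) link type so no Ethernet header has to be invented, and checks its own checksums before writing. If the stored data already contains the full packet including headers, as Jason suggests, only the pcap wrapping functions are needed.

```python
import struct
import socket

# Constructed sample event (values made up for this example). It stands in for
# the per-event fields a Snort database stores apart from the payload bytes.
SAMPLE_EVENT = {
    "ts_sec": 1220365739,
    "ts_usec": 123456,
    "src": "192.0.2.10",
    "dst": "198.51.100.20",
    "sport": 40123,
    "dport": 80,
    "seq": 1000,
    "ack": 2000,
    "flags": 0x18,  # PSH|ACK
    "payload": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
}

LINKTYPE_RAW = 101        # raw IPv4/IPv6 packet, no link-layer header
PCAP_MAGIC = 0xA1B2C3D4   # classic libpcap magic, microsecond timestamps


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp_packet(src, dst, sport, dport, seq, ack, flags, payload):
    """Synthesise a minimal IPv4 + TCP header (no options) around a payload."""
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    tcp_len = 20 + len(payload)
    # TCP header with a zero checksum, then fill the checksum computed over the
    # IPv4 pseudo-header plus the whole segment.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, tcp_len)
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp + payload)) + tcp[18:]
    # IPv4 header: version 4, IHL 5, DF set, TTL 64, protocol 6 (TCP).
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0x4000, 64, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp + payload


def verify_checksums(packet: bytes) -> bool:
    """True when both the IPv4 and the TCP checksum of a raw IPv4 packet verify."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    seg = packet[ihl:total_len]
    pseudo = packet[12:16] + packet[16:20] + struct.pack("!BBH", 0, packet[9], len(seg))
    return inet_checksum(packet[:ihl]) == 0 and inet_checksum(pseudo + seg) == 0


def pcap_global_header(linktype=LINKTYPE_RAW, snaplen=65535) -> bytes:
    """24-byte libpcap file header, little-endian, version 2.4."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(ts_sec: int, ts_usec: int, packet: bytes) -> bytes:
    """16-byte per-packet header (ts_sec, ts_usec, incl_len, orig_len) + data."""
    return struct.pack("<IIII", ts_sec, ts_usec, len(packet), len(packet)) + packet


def packet_from_event(ev: dict) -> bytes:
    return build_ipv4_tcp_packet(ev["src"], ev["dst"], ev["sport"], ev["dport"],
                                 ev["seq"], ev["ack"], ev["flags"], ev["payload"])


def events_to_pcap(events) -> bytes:
    """Rebuild one raw-IP pcap file from a sequence of event dicts."""
    out = pcap_global_header()
    for ev in events:
        pkt = packet_from_event(ev)
        if not verify_checksums(pkt):
            raise ValueError("rebuilt packet failed checksum self-check")
        out += pcap_record(ev["ts_sec"], ev["ts_usec"], pkt)
    return out


if __name__ == "__main__":
    with open("event.pcap", "wb") as fh:
        fh.write(events_to_pcap([SAMPLE_EVENT]))
    print("wrote event.pcap; open it in Wireshark to dissect the payload")
```

The rebuilt headers are only as faithful as the fields the database kept: IP options, TCP options, the original TTL and identification are not recovered here, so the file is suitable for running Wireshark's payload dissectors, not for exact forensic reproduction of what was on the wire.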
