[Snort-users] Extracting Snort alerts from DB
peter.bates at ...15381...
Tue Dec 18 06:01:25 EST 2012
Not strictly a Snort problem but I've
been posting to snort-users since 2000 so hopefully
someone might take pity on me.
Running multiple instances of Snort, so the easiest output
is to a DB (MySQL in this case) via Barnyard2 - and using the
standard Snort DB schema.
In the past I'd log to pcap files and look through those, but
only having the database, what I'd like to do is a SELECT for
all events which match a particular SID - or possibly a source IP.
In that SELECT I'd also like the packet contents - which I can try
Obviously I can look in BASE (or similar) but it's not the quickest
interface for looking at the packet contents of 1000+ alerts.
Has anyone with vastly superior SQL-fu done anything similar?
Senior Information Security Officer Phone: +44(0)2076792049
Information Services Division Internal Ext: 32049
University College London
London WC1E 6BT
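One way to pull matching events together with their decoded payload, as an added example that is not part of the original post or any reply to it. It assumes the standard Snort MySQL schema as created by Snort's `create_mysql` script (tables `event`, `signature`, `iphdr`, `tcphdr` and `data`, joined on the sensor id `sid` plus the per-sensor event counter `cid`) and that Barnyard2 was configured to log payloads; the `@want_sid` and `@want_src` values are constructed placeholders to substitute:

```sql
-- Added example, not from the original post. Assumes the standard Snort
-- MySQL schema populated by Barnyard2. In that schema the Snort rule SID
-- lives in signature.sig_sid (event.signature is only a surrogate key),
-- iphdr.ip_src/ip_dst are unsigned 32-bit integers, and data.data_payload
-- is the packet payload stored as a hex string.
SET @want_sid = 2000000;                  -- constructed placeholder rule SID
SET @want_src = INET_ATON('192.0.2.10');  -- constructed placeholder source IP

SELECT e.sid                  AS sensor_id,
       e.cid                  AS event_id,
       e.timestamp,
       s.sig_gid,
       s.sig_sid,
       s.sig_rev,
       s.sig_name,
       INET_NTOA(ip.ip_src)   AS src_ip,
       INET_NTOA(ip.ip_dst)   AS dst_ip,
       t.tcp_sport,
       t.tcp_dport,
       d.data_payload         AS payload_hex,  -- hex text as stored
       UNHEX(d.data_payload)  AS payload_raw   -- decoded to raw bytes
FROM event e
JOIN signature s   ON s.sig_id = e.signature
JOIN iphdr ip      ON ip.sid = e.sid AND ip.cid = e.cid
-- LEFT JOINs so non-TCP events and events logged without payload still appear
LEFT JOIN tcphdr t ON t.sid = e.sid AND t.cid = e.cid
LEFT JOIN data d   ON d.sid = e.sid AND d.cid = e.cid
WHERE s.sig_sid = @want_sid
-- To select by source address instead, replace the line above with:
--    WHERE ip.ip_src = @want_src
ORDER BY e.timestamp DESC
LIMIT 1000;
```

The payload column is only as useful as what Barnyard2 was told to store, so rows with a NULL `payload_hex` mean the event was recorded without its packet data rather than that the packet was empty. Because the payload is kept as hex text, it is easy to hand to an external tool for inspection: selecting just `data_payload` with `mysql -N` and piping it through `xxd -r -p | xxd` gives a conventional hex dump without having to page through each alert in BASE.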