[Snort-users] Extracting Snort alerts from DB

Peter Bates peter.bates at ...15381...
Tue Dec 18 06:01:25 EST 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hello all

Not strictly a Snort problem but I've
been posting to snort-users since 2000 so hopefully 
someone might take pity on me.

Running multiple instances of Snort, so the easiest output
is to a DB (MySQL in this case) via Barnyard2 - and using the
standard Snort DB schema.

In the past I'd log to pcap files and look through those, but
only having the database, what I'd like to do is a SELECT for
all events which match a particular SID - or possibly a source IP.

In that SELECT I'd also like the packet contents - which I can try
and decode.

Obviously I can look in BASE (or similar) but it's not the quickest 
interface for looking at the packet contents of 1000+ alerts.

Has anyone with vastly superior SQL-fu done anything similar?

- -- 
Peter Bates
Senior Information Security Officer   Phone: +44(0)2076792049
Information Services Division	      Internal Ext: 32049
University College London
London WC1E 6BT
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iQEcBAEBAgAGBQJQ0E0FAAoJELhVoVpEMS6ROiUIAIfIXXWE+gMaZRi2aB+l6ZCI
ahxltTxuTmPpEIxpHcdEkMiHGnTM5ffhRGrNBFkWdtVOZH6Dh9trostn+5I/Xsas
Vrlv6dRGL2tx/uQWtHvE1NKnUK0naPaKIB9hP4dLMT/ptaugc6KIdKeP9gwUvttM
D55IXZiPzFo+0KAQ+ahxi50HVP64kxiLQWtoD8uJFPn0kFoSqNiWvg4RFXY5H0ZX
ouXjuYCRm+FYv9tMJt/Ff3sHT5q2O0+UfG5Z7y1XceFHWWFwZJe5I8WHf4TFepbk
MwO/GwbUMr5h88WTk36a0bL/xlyl2DvoEzCXwereRVppZ2uLtliUfwdOPfZ+LdU=
=J6Ps
-----END PGP SIGNATURE-----





More information about the Snort-users mailing list