[Snort-users] Extracting Snort alerts from DB

salawank tdr.local at ...11827...
Tue Dec 18 06:43:26 EST 2012


Hi,

maybe this could be the start?

mysql> select * from event order by sid desc limit 10;




On Tue, Dec 18, 2012 at 7:01 PM, Peter Bates <peter.bates at ...15381...> wrote:

>
> Hello all
>
> Not strictly a Snort problem but I've
> been posting to snort-users since 2000 so hopefully
> someone might take pity on me.
>
> Running multiple instances of Snort, so the easiest output
> is to a DB (MySQL in this case) via Barnyard2 - and using the
> standard Snort DB schema.
>
> In the past I'd log to pcap files and look through those, but
> only having the database, what I'd like to do is a SELECT for
> all events which match a particular SID - or possibly a source IP.
>
> In that SELECT I'd also like the packet contents - which I can try
> and decode.
>
> Obviously I can look in BASE (or similar) but it's not the quickest
> interface for looking at the packet contents of 1000+ alerts.
>
> Has anyone with vastly superior SQL-fu done anything similar?
>
> --
> Peter Bates
> Senior Information Security Officer   Phone: +44(0)2076792049
> Information Services Division         Internal Ext: 32049
> University College London
> London WC1E 6BT
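The reply above only sorts the event table, so here is an added example (not from either poster) of the SELECT the original question asks for, written against the classic Snort/Barnyard2 MySQL schema (tables event, signature, sensor, iphdr, tcphdr, udphdr, data). One caveat that schema makes easy to trip over: event.sid is the sensor id, not the rule SID; the rule SID is signature.sig_sid, reached through event.signature = signature.sig_id. The rule SID 2010935 and the address 192.0.2.10 are placeholders, and the assumed column names are those of the stock create_mysql schema.

```sql
-- Added example, not from the thread. Assumes the stock Snort/Barnyard2
-- MySQL schema. Caveat: event.sid is the *sensor* id; the Snort rule SID
-- is signature.sig_sid, joined through event.signature -> signature.sig_id.
-- The rule SID and IP below are placeholders.

-- 1. All events for one rule SID, with L3/L4 headers and raw payload.
SELECT  e.sid                                AS sensor_id,
        sn.hostname                          AS sensor,
        e.cid, e.timestamp,
        s.sig_gid, s.sig_sid, s.sig_rev, s.sig_name,
        INET_NTOA(ip.ip_src)                 AS src,
        INET_NTOA(ip.ip_dst)                 AS dst,
        ip.ip_proto,
        COALESCE(t.tcp_sport, u.udp_sport)   AS sport,
        COALESCE(t.tcp_dport, u.udp_dport)   AS dport,
        d.data_payload                       AS payload_hex,  -- as stored
        UNHEX(d.data_payload)                AS payload_raw   -- decoded bytes
FROM    event e
JOIN    signature s  ON s.sig_id = e.signature
LEFT JOIN sensor sn  ON sn.sid   = e.sid
LEFT JOIN iphdr  ip  ON ip.sid   = e.sid AND ip.cid = e.cid
LEFT JOIN tcphdr t   ON t.sid    = e.sid AND t.cid  = e.cid
LEFT JOIN udphdr u   ON u.sid    = e.sid AND u.cid  = e.cid
LEFT JOIN data   d   ON d.sid    = e.sid AND d.cid  = e.cid
WHERE   s.sig_sid = 2010935          -- placeholder rule SID
ORDER BY e.timestamp DESC
LIMIT 1000;

-- 2. Same shape, selected by source IP instead of rule SID.
--    iphdr.ip_src is an unsigned int, so convert the literal with INET_ATON.
SELECT  e.sid AS sensor_id, e.cid, e.timestamp,
        s.sig_sid, s.sig_name,
        INET_NTOA(ip.ip_src) AS src, INET_NTOA(ip.ip_dst) AS dst,
        COALESCE(t.tcp_dport, u.udp_dport) AS dport,
        UNHEX(d.data_payload) AS payload_raw
FROM    event e
JOIN    signature s  ON s.sig_id = e.signature
JOIN    iphdr  ip    ON ip.sid = e.sid AND ip.cid = e.cid
LEFT JOIN tcphdr t   ON t.sid  = e.sid AND t.cid  = e.cid
LEFT JOIN udphdr u   ON u.sid  = e.sid AND u.cid  = e.cid
LEFT JOIN data   d   ON d.sid  = e.sid AND d.cid  = e.cid
WHERE   ip.ip_src = INET_ATON('192.0.2.10')   -- placeholder address
ORDER BY e.timestamp DESC;

-- 3. Quick triage: which rule SIDs fired most, per sensor, in the last day.
SELECT  e.sid AS sensor_id, s.sig_sid, s.sig_name, COUNT(*) AS hits
FROM    event e
JOIN    signature s ON s.sig_id = e.signature
WHERE   e.timestamp >= NOW() - INTERVAL 1 DAY
GROUP BY e.sid, s.sig_sid, s.sig_name
ORDER BY hits DESC
LIMIT 20;
```

UNHEX is right only when the Barnyard2 database output plugin stores payloads with its default encoding=hex; with encoding=base64 use FROM_BASE64 (MySQL 5.6 or later) instead, and with encoding=ascii the column is already readable but lossy. The data table is only populated when the plugin runs with detail=full, so a NULL payload_raw on an old sensor usually means that setting rather than an empty packet.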