Snort mailing list archives
Re: Database plugin question
From: Radu Brumariu <brumariur () missouri edu>
Date: 14 Aug 2002 12:33:24 -0500
Yes, this is very close to what I thought. Actually I have some trace files that I want to filter through snort, but I need the database populated with all the packets found in the trace. That's because I want to initially remove some rules and then try to produce them, using some algorithm. I just need to run the algorithm on the whole database, IP or not IP, just everything that the NIC will see. I am also considering modifying tcpdump so it will log to a database rather than a flat file. Let me know what you think.

Thanks,
Radu

On Wed, 2002-08-14 at 16:31, Phil Wood wrote:
> On Wed, Aug 14, 2002 at 10:13:47AM -0500, Radu Brumariu wrote:
> > Thanks, Jeffrey, for the input. However, I would like snort to log _all_ the packets that it sees, including arp, igrp, gre, etc.
>
> I would use tcpdump for that:
>
>     tcpdump -i eth0 -w pcapfile -s 1514
>
> You can even feed that file into snort for analysis. Instead of -i, use -r pcapfile. snort does not handle non-ip packets. You could use snort to grab the ip packets with the rule supplied by Jeffrey, and you could use tcpdump at the same time to get all the non-ip packets with the following:
>
>     tcpdump -i eth0 -w pcapfile -s 1514 not ip
>
> > Radu
> >
> > On Wed, 2002-08-14 at 14:42, Dell, Jeffrey wrote:
> > > Use the rule:
> > >
> > >     log ip any any <> any any
> > >
> > > This will log all ip packets.
> > >
> > > -----Original Message-----
> > > From: Radu Brumariu [mailto:brumariur () missouri edu]
> > > Sent: Wednesday, August 14, 2002 10:27 AM
> > > To: snort-users () lists sourceforge net
> > > Subject: [Snort-users] Database plugin question
> > >
> > > Hi all,
> > > I would like to know if it is possible to trick snort into logging every packet that it sees to the database rather than log|alert?
> > > thanks,
> > > Radu
>
> --
> Phil Wood, cpw () lanl gov

-------------------------------------------------------
This sf.net email is sponsored by: Dice - The leading online job board for high-tech professionals. Search and apply for tech jobs today! http://seeker.dice.com/seeker.epl?rel_code=31
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
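As an added example that is not part of this thread (and not Snort's or tcpdump's own code), the following Python script does in miniature what the message above asks for: it walks every frame of a classic libpcap trace (the format `tcpdump -w` writes), IP or not, and inserts each one into a SQLite table with its Ethertype, the IPv4 protocol number where there is one, and the raw bytes, so that an algorithm can later be run over the whole capture. The trace it reads is constructed inline (one ARP, one UDP and one GRE frame); the parser assumes little-endian classic pcap with an Ethernet link type, and the table layout and function names are the example's own.

```python
"""Load every frame of a tcpdump trace (IP or not) into a SQLite table.

Added example for the thread above; not code from Snort or tcpdump.
Assumes classic little-endian libpcap (magic 0xa1b2c3d4) on Ethernet,
and a table layout chosen for this example.
"""
import sqlite3
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic libpcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_NAMES = {0x0800: "ip", 0x0806: "arp", 0x86DD: "ipv6"}


def iter_frames(pcap_bytes):
    """Yield (timestamp, original_length, frame_bytes) for each record."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", pcap_bytes[:24])
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian classic pcap is handled here")
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(pcap_bytes):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack("<IIII", pcap_bytes[off:off + 16])
        off += 16
        data = pcap_bytes[off:off + incl_len]
        if len(data) != incl_len:
            raise ValueError("truncated record at offset %d" % off)
        off += incl_len
        yield ts_sec + ts_usec / 1e6, orig_len, data


def classify(frame):
    """Return (ethertype, family, ip_proto); ip_proto is None unless IPv4.
    Non-IP frames such as ARP are kept, which 'log ip any any <> any any' alone misses."""
    if len(frame) < 14:
        return None, "short", None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    family = ETHERTYPE_NAMES.get(ethertype, "other")
    ip_proto = None
    if ethertype == 0x0800 and len(frame) >= 34:
        ip_proto = frame[14 + 9]   # protocol byte of the IPv4 header (UDP=17, GRE=47, ...)
    return ethertype, family, ip_proto


def load_pcap(pcap_bytes, conn):
    """Insert every frame into the 'frames' table; return the number inserted."""
    conn.execute("CREATE TABLE IF NOT EXISTS frames (id INTEGER PRIMARY KEY, ts REAL,"
                 " orig_len INTEGER, ethertype INTEGER, family TEXT, ip_proto INTEGER, raw BLOB)")
    n = 0
    for ts, orig_len, data in iter_frames(pcap_bytes):
        ethertype, family, ip_proto = classify(data)
        conn.execute("INSERT INTO frames (ts, orig_len, ethertype, family, ip_proto, raw)"
                     " VALUES (?, ?, ?, ?, ?, ?)", (ts, orig_len, ethertype, family, ip_proto, data))
        n += 1
    conn.commit()
    return n


def family_counts(conn):
    """Frames per link-layer family, e.g. {'arp': 1, 'ip': 2}."""
    return dict(conn.execute("SELECT family, COUNT(*) FROM frames GROUP BY family"))


def ip_protocols(conn):
    """Sorted distinct IPv4 protocol numbers present in the capture."""
    return sorted(p for (p,) in conn.execute(
        "SELECT DISTINCT ip_proto FROM frames WHERE ip_proto IS NOT NULL"))


def build_sample_pcap():
    """Constructed three-frame trace: an ARP request, a UDP datagram and a GRE packet."""
    def eth(ethertype, payload):
        return (b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
                + struct.pack("!H", ethertype) + payload)

    def ipv4(proto, payload):   # minimal 20-byte header, checksum left zero
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                           b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02") + payload

    frames = [
        eth(0x0806, b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20),  # ARP
        eth(0x0800, ipv4(17, struct.pack("!HHHH", 1234, 53, 8, 0))),       # UDP
        eth(0x0800, ipv4(47, b"\x00\x00\x08\x00")),                        # GRE
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 1514, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1029349000 + i, 0, len(f), len(f)) + f
    return out


def run_demo():
    """Load the constructed trace into an in-memory database and summarise it."""
    conn = sqlite3.connect(":memory:")
    n = load_pcap(build_sample_pcap(), conn)
    return n, family_counts(conn), ip_protocols(conn)


if __name__ == "__main__":
    print(run_demo())   # (3, {'arp': 1, 'ip': 2}, [17, 47])
```

Pointing `load_pcap` at the bytes of a real `tcpdump -w` file (with `sqlite3.connect` on a file instead of `:memory:`) gives the "everything the NIC sees" table the thread is after; the `family` and `ip_proto` columns are what make it cheap to separate the non-IP frames that a Snort `log ip` rule never sees from the IP traffic that it does.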
Current thread:
- Database plugin question Radu Brumariu (Aug 14)
- <Possible follow-ups>
- RE: Database plugin question Kevin Brown (Aug 14)
- RE: Database plugin question Dell, Jeffrey (Aug 14)
- RE: Database plugin question Radu Brumariu (Aug 14)
- Re: Database plugin question hackerwacker (Aug 14)
- Re: Database plugin question Phil Wood (Aug 14)
- Re: Database plugin question Radu Brumariu (Aug 15)
- Re: Database plugin question Phil Wood (Aug 15)
- RE: Database plugin question Radu Brumariu (Aug 14)