Snort mailing list archives
Re: Weird question
From: Erek Adams <erek () snort org>
Date: Tue, 5 Aug 2003 10:35:58 -0400 (EDT)
On Mon, 4 Aug 2003, Paul Schmehl wrote:
> Now promise you won't laugh......is there a way to reassemble packets that have been fed from snort to mysql? Believe it or not, the networking guys want something they can look at in tcpdump or ethereal. (Yes, I know how to enable that. I want to look at stuff that's already in the database.)
Not that weird of a question. :)

Short answer: No.

Long answer: The entire stream isn't saved to the DB. Only the packet that caused the alert. This is where saving the alerting packets to binary (pcap) form is handy. I'd suggest begging, borrowing, or stealing more disk space and running double logging. One to DB, one to pcap.

Cheers!

-----
Erek Adams

"When things get weird, the weird turn pro." H.S. Thompson