Snort mailing list archives
RE: how to populate snort payload data to MySQL?
From: "Kenneth G. Arnold" <bkarnold () cbu edu>
Date: Wed, 22 Oct 2003 11:24:08 -0500 (CDT)
I am not familiar with what -vv -X does to tcpdump but I am very familiar with the format of the payload data. It is in hexadecimal format with two characters per number. Take the characters two at a time and convert the hexadecimal number to a character.

e.g. 2F3031323334353637

Data length = 18 characters. This corresponds to nine hexadecimal numbers.

  Hex   Character
  2F  = /
  30  = 0
  31  = 1
  32  = 2
  33  = 3
  34  = 4
  35  = 5
  36  = 6
  37  = 7

Ken Arnold

On Wed, 22 Oct 2003, samwun wrote:
Thanks for the reply.

How can I convert data in field data_payload in the table data to tcpdump formatted output (eg. output from the commandline tcpdump -vv -X ...)

Thanks
Sam

-----Original Message-----
From: Kenneth G. Arnold [mailto:bkarnold () cbu edu]
Sent: Wednesday, October 22, 2003 10:49 PM
To: samwun
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] how to populate snort payload data to MySQL?

Yes, the payload data is stored in the MySQL tables. The payload data is stored in the MySQL table of "data". You can verify that this table has information in it by doing:

mysql> use snort
Database changed
mysql> select count(*) from data;
+----------+
| count(*) |
+----------+
|   167742 |
+----------+
1 row in set (0.00 sec)

mysql> desc data
    -> ;
+--------------+------------------+------+-----+---------+-------+
| Field        | Type             | Null | Key | Default | Extra |
+--------------+------------------+------+-----+---------+-------+
| sid          | int(10) unsigned |      | PRI | 0       |       |
| cid          | int(10) unsigned |      | PRI | 0       |       |
| data_payload | text             | YES  |     | NULL    |       |
+--------------+------------------+------+-----+---------+-------+
3 rows in set (0.03 sec)

mysql>

The payload data is retrieved by sid and cid values.

Ken Arnold

On Wed, 22 Oct 2003, samwun wrote:

Dear all,

I've searched around in google but could not find a solution. I've also changed the snort.conf configuration so that it has the following line enabled:

output database: log, mysql, user=snort password=new_password dbname=snort host=localhost encoding=hex detail=full

Although I added encoding=hex and detail=full to the above line, I still don't find a way to see full logging appear in MySQL tables. Is the payload data really logged to the MySQL tables? How can I know it?
Please see the following tables in MySQL:

mysql> show tables;
+------------------+
| Tables_in_snort  |
+------------------+
| acid_ag          |
| acid_ag_alert    |
| acid_event       |
| acid_ip_cache    |
| data             |
| detail           |
| encoding         |
| event            |
| flags            |
| icmphdr          |
| iphdr            |
| opt              |
| protocols        |
| reference        |
| reference_system |
| schema           |
| sensor           |
| services         |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
23 rows in set (0.00 sec)

mysql>

Which tables contain payload data?

Thanks
Sam

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
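The thread asks how to turn the hex text stored in `data.data_payload` (written by the Snort MySQL output plugin with `encoding=hex`) into something that looks like `tcpdump -X` output. The following is an added example, not code from the list posting or from Snort; it decodes the two-characters-per-byte hex string exactly as Ken describes and renders it in an approximation of the `tcpdump -X` offset / hex / ASCII layout (the column widths are an assumption, not a byte-exact copy of tcpdump's formatting).

```python
"""Decode a Snort `data_payload` hex string and print it tcpdump -X style.

Added example, not from the posting or from Snort. The column layout is an
approximation of what tcpdump -X prints, chosen here for readability."""
import binascii
import string

# Bytes rendered as themselves in the ASCII column; everything else becomes "."
PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation + " ")


def decode_snort_payload(hex_payload: str) -> bytes:
    """Turn the two-characters-per-byte hex text into raw bytes.

    Whitespace is stripped so a value pasted from the mysql client still
    parses. An odd-length string is rejected rather than guessed at: it
    means the row is truncated or corrupted, which is worth knowing when
    you are reconstructing evidence from the database."""
    cleaned = "".join(hex_payload.split())
    if len(cleaned) % 2:
        raise ValueError("hex payload has odd length: %d chars" % len(cleaned))
    return binascii.unhexlify(cleaned)


def hexdump_tcpdump_style(data: bytes, width: int = 16) -> str:
    """Render bytes as offset, two-byte hex groups and an ASCII column."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        # tcpdump groups two bytes per hex column, eight columns per 16-byte line
        groups = [chunk[i:i + 2].hex() for i in range(0, len(chunk), 2)]
        hex_col = " ".join(groups).ljust(width * 2 + width // 2 - 1)
        ascii_col = "".join(chr(b) if chr(b) in PRINTABLE else "." for b in chunk)
        lines.append("0x%04x:  %s  %s" % (off, hex_col, ascii_col))
    return "\n".join(lines)


# Constructed sample: the nine-byte value Ken walks through above
SAMPLE_ROW = "2F3031323334353637"

if __name__ == "__main__":
    payload = decode_snort_payload(SAMPLE_ROW)   # b"/01234567"
    print(hexdump_tcpdump_style(payload))
```

To apply it to real rows, select `data_payload` by the `sid` and `cid` of the event of interest and feed each value to `decode_snort_payload`.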