Snort mailing list archives
RE: how to convert payload data from MySQL data table to tcpdump formated data?
From: "samwun" <samwun () hgcbroadband com>
Date: Fri, 24 Oct 2003 09:23:20 +0800
Hi Jeff,

How can I add tcpdump output module to my config file?
My snort.conf file has the following config line enabled:

output database: log, mysql, user=snort password=new_password dbname=snort host=localhost detail=full

Here is how I start snort in the /etc/init.d/snort file:

[root@nids init.d]# !ps
ps -auxww | grep snort
root 21751 0.0 7.1 31420 27368 ? R Oct22 0:27 /usr/local/bin/snort -c /etc/snort/snort.conf -i eth0 -g snort -vd -e -X -D

Thanks
Sam

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Jeff Dell
Sent: Friday, October 24, 2003 1:36 AM
To: 'samwun'
Cc: 'snort-users mailinglist'
Subject: RE: [Snort-users] how to convert payload data from MySQL data table to tcpdump formated data?

No need to rebuild a packet.. Try Adding the tcpdump output module to your config.

output log_tcpdump: snort.log

Will put all log events to a tcpdump file snort.log.

Jeff
Aw! I just discovered that the logged data is NOT the entire packet, just the protocol data payload. Damn!
Is there some way to rebuild the entire packet from the data logged to ACID?
-------------------------------------------------------
This SF.net email is sponsored by: The SF.net Donation Program.
Do you like what SourceForge.net is doing for the Open Source Community? Make a contribution, and help us add new features and functionality. Click here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- RE: how to populate snort payload data to MySQL?, (continued)
- RE: how to populate snort payload data to MySQL? Jeff Dell (Oct 22)
- RE: how to populate snort payload data to MySQL? samwun (Oct 22)
- how to convert payload data from MySQL data table to tcpdump formated data? samwun (Oct 22)
- Re: how to convert payload data from MySQL data table to tcpdump formated data? Erek Adams (Oct 22)
- Re: how to convert payload data from MySQL data table to tcpdump formated data? Sam Wun (Oct 23)
- Distributed tcpdump output log file from snort. sam (Oct 23)
- Re: how to convert payload data from MySQL data table to tcpdump formated data? Martin Olsson (Oct 24)
- Re: how to convert payload data from MySQL data table to tcpdump formated data? Martin Olsson (Oct 23)
- RE: how to convert payload data from MySQL data table to tcpdump formated data? samwun (Oct 23)
- RE: how to convert payload data from MySQL data table to tcpdump formated data? Jeff Dell (Oct 23)
- RE: how to convert payload data from MySQL data table to tcpdump formated data? samwun (Oct 23)
- RE: how to convert payload data from MySQL data table to tcpdump formated data? samwun (Oct 23)
- Re: how to populate snort payload data to MySQL? Kenneth G. Arnold (Oct 23)
- RE: how to populate snort payload data to MySQL? samwun (Oct 22)
- RE: how to populate snort payload data to MySQL? Kenneth G. Arnold (Oct 23)
- snort tcpdump binary file mirroing over network. samwun (Oct 24)
- Re: snort tcpdump binary file mirroing over network. Erek Adams (Oct 24)
- RE: snort tcpdump binary file mirroing over network. samwun (Oct 24)
- Re: snort tcpdump binary file mirroing over network. Jason Haar (Oct 25)
- Re: snort tcpdump binary file mirroing over network. Chris Green (Oct 24)