Snort mailing list archives
FW: remote tcpdump output & analysis (database)
From: "McCash, John" <John.McCash () andrew com>
Date: Fri, 30 Jan 2004 13:26:51 -0600
Hi Everyone,

I've got a question which might be related to the recent postings about remote tcpdump logging. I'm currently doing remote logging to a mysql database, and have come across an issue with ACID's analysis capabilities for this data. I have a few hosts with messed up Compaq Insight management agents, and they put traffic on the wire with a from address of 127.0.0.1. From inside ACID, you can't tell where it's coming from. What I'm having to do is go to the sensor, pull the tcpdump logfile, and run ethereal on it to get the source MAC address, then go hunt that up in the switch databases.

I believe, however, that the full packet data is stored in the mysql database. Does anyone know whether this is true, and if a quick hack to ACID might enable display of it? If that's too big a deal, might there be a quick and easy way to dump the binary packet info from the database to a file without going to the remote sensor? Then I could just run ethereal on that...

Thanks in advance

John
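The second half of the question (dumping the packet bytes held in the database back into a capture file) can be done without touching the sensor; the following is an added example, not code from the post or from the Snort or ACID projects. It assumes the classic Snort database schema, where the `iphdr` and `tcphdr` tables hold decoded header fields and `data.data_payload` holds the hex-encoded payload, and it uses constructed rows in place of real query results; because that schema keeps no Ethernet header, the rebuilt pcap is link-layer-less (LINKTYPE_RAW), so the source MAC still has to come from the sensor's own tcpdump file.

```python
import binascii
import struct

# Constructed sample rows in the shape of Snort's classic iphdr / tcphdr / data
# tables (column names are an assumption: compare with DESCRIBE on your DB).
# ip_src 2130706433 is 127.0.0.1, the spoofed source address from the post.
IPHDR = {"sid": 1, "cid": 7, "ip_src": 2130706433, "ip_dst": 3232235786,
         "ip_ver": 4, "ip_hlen": 5, "ip_tos": 0, "ip_len": 58, "ip_id": 4660,
         "ip_flags": 2, "ip_off": 0, "ip_ttl": 64, "ip_proto": 6, "ip_csum": 0}
TCPHDR = {"sid": 1, "cid": 7, "tcp_sport": 2301, "tcp_dport": 80,
          "tcp_seq": 1, "tcp_ack": 0, "tcp_off": 5, "tcp_res": 0,
          "tcp_flags": 0x02, "tcp_win": 8192, "tcp_csum": 0, "tcp_urp": 0}
DATA = {"sid": 1, "cid": 7,
        "data_payload": binascii.hexlify(b"GET / HTTP/1.0\r\n\r\n").decode()}

# The DB keeps decoded IP/TCP fields plus the hex payload, not the Ethernet
# header, so the rebuilt capture has no link layer: use LINKTYPE_RAW (101).
LINKTYPE_RAW = 101

def rebuild_packet(ip, tcp, data=None):
    """Rebuild raw IPv4+TCP bytes from one (sid, cid) row set."""
    payload = binascii.unhexlify(data["data_payload"]) if data else b""
    ip_hdr = struct.pack(
        "!BBHHHBBHII",
        (ip["ip_ver"] << 4) | ip["ip_hlen"], ip["ip_tos"], ip["ip_len"],
        ip["ip_id"], (ip["ip_flags"] << 13) | ip["ip_off"], ip["ip_ttl"],
        ip["ip_proto"], ip["ip_csum"], ip["ip_src"], ip["ip_dst"])
    tcp_hdr = struct.pack(
        "!HHIIBBHHH",
        tcp["tcp_sport"], tcp["tcp_dport"], tcp["tcp_seq"], tcp["tcp_ack"],
        (tcp["tcp_off"] << 4) | tcp["tcp_res"], tcp["tcp_flags"],
        tcp["tcp_win"], tcp["tcp_csum"], tcp["tcp_urp"])
    return ip_hdr + tcp_hdr + payload

def pcap_bytes(records):
    """records: iterable of (ts_sec, packet_bytes, original_ip_len)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW)]
    for ts, pkt, orig_len in records:
        # incl_len may be shorter than orig_len if the sensor truncated payload
        out.append(struct.pack("<IIII", ts, 0, len(pkt), max(orig_len, len(pkt))))
        out.append(pkt)
    return b"".join(out)

if __name__ == "__main__":
    # With a live DB the rows would come from a query such as:
    #   SELECT ... FROM iphdr i JOIN tcphdr t USING (sid, cid)
    #   LEFT JOIN data d USING (sid, cid) WHERE i.ip_src = INET_ATON('127.0.0.1')
    pkt = rebuild_packet(IPHDR, TCPHDR, DATA)
    with open("from_db.pcap", "wb") as fh:
        fh.write(pcap_bytes([(0, pkt, IPHDR["ip_len"])]))
```

The resulting file opens in ethereal/Wireshark as raw IP frames; header checksums are whatever the sensor stored, so checksum warnings in the viewer are expected when the original packet was truncated.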