Snort mailing list archives
Re: mysql to pcap?
From: "Ryan Jordan" <jjordan () sourcefire com>
Date: Fri, 29 Aug 2008 14:12:42 -0400
I'm not sure what third-party tool you're using or what's stored in your database, but there's a little tool bundled with the SnortSP beta that converts unified2 files directly into pcaps. It's in the src/tools/u2boat directory. If you're logging in Unified2, it'll save you the trouble of trying to convert that to text suitable for text2pcap. Can't help you with the scripting magic, though. :)

You can download SnortSP here: http://www.snort.org/dl/snortsp/

On Fri, Aug 29, 2008 at 12:42 PM, Tim Maletic <tmaletic () gmail com> wrote:
I'm viewing snort events through a third-party tool that is fetching the data from the mysql database snort is logging to. I want to be able to select a particular event in the third-party tool and view it in wireshark, so that I can subject the payload to wireshark's protocol parsers. Oh, and I want to do it right there, bam!, with one click. I don't want to go trolling through some unified log file on some remote snort sensor trying to find my packet.

Well, all the data I need to hand to text2pcap and wireshark is in mysql. Seems like I could just write up a script that, given a cid, fetches the hex-encoded payload, formats the payload as needed by text2pcap, fetches the header data to also hand to text2pcap to populate the dummy header parameters that it supports, and throw the result at wireshark. But someone must have done this already. Right? :)

-tm

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
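A script of the kind Tim describes, added here as an example (it is not from the thread, from Snort, or from SnortSP): it takes rows shaped like the stock Snort MySQL schema's event/iphdr/tcphdr/data tables and writes a one-packet pcap that Wireshark opens directly, skipping text2pcap. Assumptions: the column names follow the standard Snort schema with data_payload stored as hex text; the rows are constructed inline instead of being fetched by cid from MySQL, and the IP and TCP checksums are recomputed rather than taken from the stored ip_csum/tcp_csum columns.

```python
import struct
from datetime import datetime, timezone

# Constructed sample rows shaped like Snort's event/iphdr/tcphdr/data tables
# (column names are Snort's; values are made up). Stored ip_len, ip_csum and
# tcp_csum are ignored because the packet is rebuilt and checksums recomputed.
EVENT = {"sid": 1, "cid": 42, "timestamp": datetime(2008, 8, 29, 16, 42, 0, tzinfo=timezone.utc)}
IPHDR = {"ip_src": 0xC0A80A05, "ip_dst": 0x0A000001, "ip_ver": 4, "ip_hlen": 5, "ip_tos": 0,
         "ip_id": 0x1234, "ip_flags": 2, "ip_off": 0, "ip_ttl": 63, "ip_proto": 6}
TCPHDR = {"tcp_sport": 49152, "tcp_dport": 80, "tcp_seq": 1000, "tcp_ack": 2000, "tcp_off": 5,
          "tcp_res": 0, "tcp_flags": 0x18, "tcp_win": 8192, "tcp_urp": 0}
DATA = {"data_payload": "474554202f20485454502f312e310d0a0d0a"}  # hex text, as Snort's DB output stores it


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (returns 0 when verifying a good header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_packet(iph: dict, tcph: dict, payload: bytes) -> bytes:
    """Rebuild the raw IPv4/TCP packet from the header columns (offsets are in 32-bit words)."""
    tcp = struct.pack("!HHIIBBHHH", tcph["tcp_sport"], tcph["tcp_dport"], tcph["tcp_seq"],
                      tcph["tcp_ack"], (tcph["tcp_off"] << 4) | tcph["tcp_res"],
                      tcph["tcp_flags"], tcph["tcp_win"], 0, tcph["tcp_urp"]) + payload
    pseudo = struct.pack("!IIBBH", iph["ip_src"], iph["ip_dst"], 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBHII", (iph["ip_ver"] << 4) | iph["ip_hlen"], iph["ip_tos"],
                     iph["ip_hlen"] * 4 + len(tcp), iph["ip_id"],
                     (iph["ip_flags"] << 13) | iph["ip_off"], iph["ip_ttl"], iph["ip_proto"],
                     0, iph["ip_src"], iph["ip_dst"])
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp

def build_pcap(event: dict, iph: dict, tcph: dict, data: dict) -> bytes:
    """One-packet pcap with link type 101 (LINKTYPE_RAW), so no Ethernet header has to be faked."""
    pkt = build_packet(iph, tcph, bytes.fromhex(data["data_payload"]))
    ts = event["timestamp"].timestamp()
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 101)
    rec = struct.pack("<IIII", int(ts), int((ts % 1) * 1_000_000), len(pkt), len(pkt))
    return hdr + rec + pkt

if __name__ == "__main__":
    with open("event_%d_%d.pcap" % (EVENT["sid"], EVENT["cid"]), "wb") as fh:
        fh.write(build_pcap(EVENT, IPHDR, TCPHDR, DATA))
```

Wrapping the file write in a `wireshark -r` call gives the one-click view Tim asked for; UDP and ICMP events need the same treatment with the udphdr/icmphdr columns.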
Current thread:
- mysql to pcap? Tim Maletic (Aug 29)
- Re: mysql to pcap? Jack Pepper (Aug 29)
- Re: mysql to pcap? Ryan Jordan (Aug 29)
- Re: mysql to pcap? Dirk Geschke (Aug 30)
- Re: mysql to pcap? Jason (Sep 02)
- Re: mysql to pcap? Dirk Geschke (Sep 02)
- Re: mysql to pcap? Jason (Sep 02)
- Re: mysql to pcap? David J. Bianco (Aug 30)
- Re: mysql to pcap? Richard Bejtlich (Aug 31)