Snort mailing list archives

Re: Weird question

From: Erek Adams <erek () snort org>
Date: Tue, 5 Aug 2003 10:35:58 -0400 (EDT)

On Mon, 4 Aug 2003, Paul Schmehl wrote:

Now promise you won't laugh......is there a way to reassemble packets that
have been fed from snort to mysql?  Believe or not, the networking guys
want something they can look at in tcpdump or ethereal.  (Yes, I know how
to enable that.  I want to look at stuff that's already in the database.)


Not that wierd of a question.  :)

Short answer:  No.

Long answer:  The entire stream isn't saved to the DB.  Only the packet
that caused the alert.  This is where saving the alerting packets to
binary (pcap) form is handy.  I'd suggest begging, borrowing, or stealing
more disk space and running double logging.  One to DB, one to pcap.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Snort Application Logging 2 monroe (Aug 03)
- PCAP stats problem Yanyan Yang (Aug 04)
  - Weird question Paul Schmehl (Aug 04)
    - Re: Weird question Erek Adams (Aug 05)
    - RE: Weird question support (Aug 05)
    - RE: Weird question Erek Adams (Aug 06)
  - Re: PCAP stats problem Erek Adams (Aug 05)
- Re: Snort Application Logging 2 Erek Adams (Aug 05)