Snort mailing list archives

Re: how to convert payload data from MySQL data table to tcpdump formatted data?


From: Sam Wun <sam.wun () thales-is com>
Date: Thu, 23 Oct 2003 12:46:01 +0800

Erek Adams wrote:

On Wed, 22 Oct 2003, samwun wrote:

I got the following Snort data installed in the Data table in MySQL:

|   1 | 2082 |
485454502F312E312034303320466F7262696464656E0D0A446174653A205765642C2032
32204F637420323030332031333A35363A333420474D540D0A5365727665723A20417061
6368652F322E302E3430202852656420486174204C696E7578290D0A4163636570742D52
616E6765733A2062797465730D0A436F6E74656E742D4C656E6774683A20323839380D0A
436F6E6E656374696F6E3A20636C6F73650D0A436F6E74656E742D547970653A20746578
742F68746D6C3B20636861727365743D49534F2D383835392D310D0A0D0A |

How can I convert the above data_payload to a tcpdump formatted file
like the output of the following tcpdump command:

tcpdump -vv -X, which should include hex data on the left and text on
the right.

If you just want to read the data, just re-run Snort over your binary
file -- no need to deal with the MySQL data.

        snort -dvr <pcap_file>

If you have to use tcpdump, change the snaplen.

The problem is there are no binary files being logged in the /var/log/snort directory. There is only an alert file there. All data, including payload data, is stored in the MySQL table. If there were payload data in the /var/log/snort/ subdirectories, I wouldn't need to extract payload data from the MySQL table and convert it back to tcpdump formatted data for analysis.

Thanks
Sam
