Snort mailing list archives

RE: how to populate snort payload data to MySQL?


From: "Kenneth G. Arnold" <bkarnold () cbu edu>
Date: Wed, 22 Oct 2003 11:24:08 -0500 (CDT)

I am not familiar with what -vv -X does to tcpdump but I am very familiar
with the format of the payload data. It is in hexadecimal format with two
characters per number.  Take the characters two at a time and
convert the hexadecimal number to a character.

e.g.


2F3031323334353637

Data length = 18 characters
This corresponds to nine hexadecimal numbers.

Hex  Character
2F = /
30 = 0
31 = 1
32 = 2
33 = 3
34 = 4
35 = 5
36 = 6
37 = 7

Ken Arnold


On Wed, 22 Oct 2003, samwun wrote:

Thanks for the reply. How can I convert the data in the data_payload field of
the data table to tcpdump-formatted output (e.g. the output of the
command line tcpdump -vv -X ...)?

Thanks
Sam


-----Original Message-----
From: Kenneth G. Arnold [mailto:bkarnold () cbu edu]
Sent: Wednesday, October 22, 2003 10:49 PM
To: samwun
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] how to populate snort payload data to MySQL?

Yes, the payload data is stored in the MySQL tables. The payload data is
stored in the MySQL table of "data".  You can verify that this table has
information in it by doing:

mysql> use snort
Database changed
mysql> select count(*) from data;
+----------+
| count(*) |
+----------+
|   167742 |
+----------+
1 row in set (0.00 sec)

mysql> desc data
    -> ;
+--------------+------------------+------+-----+---------+-------+
| Field        | Type             | Null | Key | Default | Extra |
+--------------+------------------+------+-----+---------+-------+
| sid          | int(10) unsigned |      | PRI | 0       |       |
| cid          | int(10) unsigned |      | PRI | 0       |       |
| data_payload | text             | YES  |     | NULL    |       |
+--------------+------------------+------+-----+---------+-------+
3 rows in set (0.03 sec)

mysql>

The payload data is retrieved by sid and cid values.

Ken Arnold

On Wed, 22 Oct 2003, samwun wrote:

Dear all,

I've searched around on Google but could not find a solution.
I've also changed the snort.conf configuration so that it has the
following line enabled:
output database: log, mysql, user=snort password=new_password
dbname=snort host=localhost encoding=hex detail=full

Although I added encoding=hex and detail=full to the above line,
I still can't find a way to see full logging appear in the MySQL
tables.

Is the payload data really logged to the MySQL tables? How can I
verify it?

Please see the following tables in MySQL:
mysql> show tables;
+------------------+
| Tables_in_snort  |
+------------------+
| acid_ag          |
| acid_ag_alert    |
| acid_event       |
| acid_ip_cache    |
| data             |
| detail           |
| encoding         |
| event            |
| flags            |
| icmphdr          |
| iphdr            |
| opt              |
| protocols        |
| reference        |
| reference_system |
| schema           |
| sensor           |
| services         |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
23 rows in set (0.00 sec)

mysql>

Which table contains the payload data?

Thanks
Sam




-------------------------------------------------------
This SF.net email is sponsored by OSDN developer relations
Here's your chance to show off your extensive product knowledge
We want to know what you know. Tell us and you have a chance to win
$100
http://www.zoomerang.com/survey.zgi?HRPT1X3RYQNC5V4MLNSV3E54
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


