Snort mailing list archives

Re: remote tcpdump output & analysis (database)


From: Dirk Geschke <Dirk () geschke-online de>
Date: Sat, 31 Jan 2004 13:03:45 +0100

Hi John,

> From inside ACID, you can't tell where it's coming from.
> What I'm having to do is go to the sensor, pull the tcpdump
> logfile, and run ethereal on it to get the source MAC address,
> then go hunt that up in the switch databases. I believe, however,
> that the full packet data is stored in the mysql database. Does
> anyone know whether this is true, and if a quick hack to ACID might
> enable display of it? If that's too big a deal, might there be a
> quick and easy way to dump the binary packet info from the database
> to a file without going to the remote sensor? Then I could just run
> ethereal on that...

I had the same idea some time ago but didn't find the time
to realize it yet.

The database does not contain the whole packet, only the payload
relative to the alert entry, e.g. on tcp alerts it only contains
the tcp payload. Some tcp options and flags and some IP information
are also available. But this is not enough to rebuild the packet.

On the other hand it is quite simple to extend the database
plugin to store all data in the payload field. But normally
you can't store the binary data, you have to transform it
in something else like hex or base64.

If I find the time I will extend FLoP by this feature and
create a perl script to rebuild the pcap file so that 
ethereal is able to read it. 

Best regards

Dirk
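One way to do what Dirk proposes, written here as an added Python example rather than the perl script he mentions (this is not code from the original post or from FLoP): it takes alert records carrying only the fields the database does keep (addresses, ports, TCP flags, a hex-encoded payload; the record layout and all values are constructed) and writes a pcap that Ethereal/Wireshark can open, synthesising the Ethernet and IP/TCP header fields the database lacks with placeholder values.

```python
import struct
import binascii

# Constructed alert records, shaped like what a Snort database row keeps per
# alert: endpoints, ports, TCP flags and the payload stored as hex, never the
# MAC addresses or the full packet. Timestamp is a constructed epoch value.
SAMPLE_ALERTS = [
    {"src": "192.0.2.10", "dst": "198.51.100.5", "sport": 40000, "dport": 80,
     "flags": 0x18, "ts": 1075550625,
     "payload_hex": "474554202f20485454502f312e300d0a0d0a"},  # "GET / HTTP/1.0\r\n\r\n"
]

def ip_to_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))

def ip_checksum(header):
    # Standard one's-complement sum over 16-bit words of the IPv4 header.
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def rebuild_packet(rec):
    payload = binascii.unhexlify(rec["payload_hex"])
    # TCP header: seq/ack numbers are not in the database, so they are zero;
    # the TCP checksum is left zero and will show as invalid in Wireshark.
    tcp = struct.pack("!HHIIBBHHH", rec["sport"], rec["dport"], 0, 0,
                      5 << 4, rec["flags"], 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip_no_sum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                            ip_to_bytes(rec["src"]), ip_to_bytes(rec["dst"]))
    ip = ip_no_sum[:10] + struct.pack("!H", ip_checksum(ip_no_sum)) + ip_no_sum[12:]
    # Placeholder all-zero MACs: the source MAC the thread is after is exactly
    # the data the database never stored, so it cannot be recovered here.
    eth = b"\x00" * 12 + b"\x08\x00"
    return eth + ip + tcp + payload

def write_pcap(path, records):
    # Classic pcap: magic, version 2.4, zone 0, sigfigs 0, snaplen, linktype 1 (Ethernet).
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for rec in records:
            pkt = rebuild_packet(rec)
            f.write(struct.pack("<IIII", rec["ts"], 0, len(pkt), len(pkt)))
            f.write(pkt)
    return len(records)

if __name__ == "__main__":
    print(write_pcap("rebuilt_alerts.pcap", SAMPLE_ALERTS), "packet(s) written")
```

The resulting file opens in Wireshark, but only the payload and the stored IP/port/flag fields are genuine; everything else is filler, which is why the thread's MAC lookup still needs the sensor's own tcpdump log.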




