Snort mailing list archives

Re: mysql to pcap?


From: Jack Pepper <pepperjack () afferentsecurity com>
Date: Fri, 29 Aug 2008 11:52:41 -0500

I changed the post processor so what gets written to the DB is a
base64 encoded hash of the raw pcap data, for exactly this reason.

jp

Quoting Tim Maletic <tmaletic () gmail com>:

I'm viewing snort events through a third-party tool that is fetching
the data from the mysql database snort is logging to.  I want to be
able to select a particular event in the third-party tool and view it
in wireshark, so that I can subject the payload to wireshark's
protocol parsers.

Oh, and I want to do it right there, bam!, with one click.  I don't
want to go trolling through some unified log file on some remote snort
sensor trying to find my packet.

Well, all the data I need to hand to text2pcap and wireshark is in
mysql.  Seems like I could just write up a script that, given a cid,
fetches the hex-encoded payload, formats the payload as needed by
text2pcap, fetches the header data to also hand to text2pcap to
populate the dummy header parameters that it supports, and throw the
result at wireshark.

But someone must have done this already.  Right?  :)
-tm

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




-- 

Framework?  I don't need no stinking framework!

----------------------------------------------------------------
@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com

