Re: Extracting Snort alerts from DB

[elof () sentor se]

If you're thinking of using db schema 107 (the usual one) you loose.
The packet is not stored anywhere in the database.
It is chopped up in bits and pieces that are stored all over the place.

You'll have to write a script that glue all those pieces together again, 
put them in the correct place in the packet and add a correct pcap-header.

There are missing bits of the packet, so your glued-together-packet will 
not have correct checksums.
You also have to deal with offsets/values that need special 
treatment, e.g be converted before appended/inserted into the new packet.

In short:
I recommend you to extract the full packet as-is directly from the 
unified2 file or from the pcap-file that barnyard2 create instead of 
gluing together the chopped pieces from the database.

/Elof


On Tue, 18 Dec 2012, Peter Bates wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Hello all
>
> Not strictly a Snort problem but I've
> been posting to snort-users since 2000 so hopefully
> someone might take pity on me.
>
> Running multiple instances of Snort, so the easiest output
> is to a DB (MySQL in this case) via Barnyard2 - and using the
> standard Snort DB schema.
>
> In the past I'd log to pcap files and look through those, but
> only having the database, what I'd like to do is a SELECT for
> all events which match a particular SID - or possibly a source IP.
>
> In that SELECT I'd also like the packet contents - which I can try
> and decode.
>
> Obviously I can look in BASE (or similar) but it's not the quickest
> interface for looking at the packet contents of 1000+ alerts.
>
> Has anyone with vastly superior SQL-fu done anything similar?
>
> - --
> Peter Bates
> Senior Information Security Officer   Phone: +44(0)2076792049
> Information Services Division       Internal Ext: 32049
> University College London
> London WC1E 6BT
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.17 (MingW32)
> Comment: Using GnuPG with undefined - http://www.enigmail.net/
>
> iQEcBAEBAgAGBQJQ0E0FAAoJELhVoVpEMS6ROiUIAIfIXXWE+gMaZRi2aB+l6ZCI
> ahxltTxuTmPpEIxpHcdEkMiHGnTM5ffhRGrNBFkWdtVOZH6Dh9trostn+5I/Xsas
> Vrlv6dRGL2tx/uQWtHvE1NKnUK0naPaKIB9hP4dLMT/ptaugc6KIdKeP9gwUvttM
> D55IXZiPzFo+0KAQ+ahxi50HVP64kxiLQWtoD8uJFPn0kFoSqNiWvg4RFXY5H0ZX
> ouXjuYCRm+FYv9tMJt/Ff3sHT5q2O0+UfG5Z7y1XceFHWWFwZJe5I8WHf4TFepbk
> MwO/GwbUMr5h88WTk36a0bL/xlyl2DvoEzCXwereRVppZ2uLtliUfwdOPfZ+LdU=
> =J6Ps
> -----END PGP SIGNATURE-----
>
>
> ------------------------------------------------------------------------------
> LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
> Remotely access PCs and mobile devices and provide instant support
> Improve your efficiency, and focus on delivering more value-add services
> Discover what IT Professionals Know. Rescue delivers
> http://p.sf.net/sfu/logmein_12329d2d
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!