Snort mailing list archives
Re: Extracting Snort alerts from DB
From: elof () sentor se
Date: Tue, 18 Dec 2012 13:03:42 +0100 (CET)
If you're thinking of using db schema 107 (the usual one) you lose. The packet is not stored anywhere in the database. It is chopped up in bits and pieces that are stored all over the place. You'll have to write a script that glues all those pieces together again, puts them in the correct place in the packet and adds a correct pcap header. There are missing bits of the packet, so your glued-together packet will not have correct checksums. You also have to deal with offsets/values that need special treatment, e.g. be converted before being appended/inserted into the new packet.

In short: I recommend you extract the full packet as-is directly from the unified2 file or from the pcap file that barnyard2 creates instead of gluing together the chopped pieces from the database.

/Elof

On Tue, 18 Dec 2012, Peter Bates wrote:
Hello all

Not strictly a Snort problem but I've been posting to snort-users since 2000 so hopefully someone might take pity on me.

Running multiple instances of Snort, so the easiest output is to a DB (MySQL in this case) via Barnyard2 - and using the standard Snort DB schema.

In the past I'd log to pcap files and look through those, but only having the database, what I'd like to do is a SELECT for all events which match a particular SID - or possibly a source IP. In that SELECT I'd also like the packet contents - which I can try and decode.

Obviously I can look in BASE (or similar) but it's not the quickest interface for looking at the packet contents of 1000+ alerts.

Has anyone with vastly superior SQL-fu done anything similar?

--
Peter Bates
Senior Information Security Officer, Information Services Division
University College London, London WC1E 6BT
Phone: +44(0)2076792049 Internal Ext: 32049

------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
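Added example, not part of the thread and not barnyard2's or Snort's own code: it does what Elof recommends and what Peter asked for, by walking a unified2 file, keeping the packet records whose (sensor_id, event_id) match a legacy IPv4 event record (type 7) carrying the chosen SID, and wrapping the untouched packet bytes in a standard pcap header. The sample unified2 bytes are constructed inline; the record layouts are the documented unified2 ones, and a real deployment would read the file barnyard2 is consuming.

```python
import struct

UNIFIED2_PACKET = 2       # packet record: 28-byte header followed by the raw packet
UNIFIED2_IDS_EVENT = 7    # legacy IPv4 event record, 52 bytes
PCAP_MAGIC = 0xa1b2c3d4   # classic pcap, microsecond timestamps

def parse_unified2(data):
    """Yield (record_type, body); every record starts with two big-endian u32 (type, length)."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from(">II", data, off)
        off += 8
        yield rtype, data[off:off + rlen]
        off += rlen

def packets_for_sid(data, sid):
    """Return (packet_second, packet_usec, linktype, packet_bytes) for each packet whose
    event record has signature_id == sid. In unified2 the event precedes its packet."""
    wanted, out = set(), []
    for rtype, body in parse_unified2(data):
        if rtype == UNIFIED2_IDS_EVENT:
            sensor_id, event_id, _sec, _usec, sig_id = struct.unpack_from(">IIIII", body, 0)
            if sig_id == sid:
                wanted.add((sensor_id, event_id))
        elif rtype == UNIFIED2_PACKET:
            sensor_id, event_id, _esec, psec, pusec, ltype, plen = struct.unpack_from(">7I", body, 0)
            if (sensor_id, event_id) in wanted:
                out.append((psec, pusec, ltype, body[28:28 + plen]))
    return out

def to_pcap(packets):
    """Wrap the packets, unmodified, in a pcap global header plus per-packet headers."""
    linktype = packets[0][2] if packets else 1
    buf = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    for sec, usec, _lt, pkt in packets:
        buf += struct.pack("<IIII", sec, usec, len(pkt), len(pkt)) + pkt
    return buf

# Constructed sample: two events (SIDs 1000001 and 2), each followed by its packet record.
def _event(sensor, eid, sid):
    body = struct.pack(">11IHHBBBB", sensor, eid, 1355832222, 0, sid, 1, 1, 0, 3,
                       0xC0A80101, 0xC0A80102, 1234, 80, 6, 0, 0, 0)
    return struct.pack(">II", UNIFIED2_IDS_EVENT, len(body)) + body

def _packet(sensor, eid, payload):
    body = struct.pack(">7I", sensor, eid, 1355832222, 1355832222, 500, 1, len(payload)) + payload
    return struct.pack(">II", UNIFIED2_PACKET, len(body)) + body

SAMPLE = (_event(1, 10, 1000001) + _packet(1, 10, b"\xaa" * 60)
          + _event(1, 11, 2) + _packet(1, 11, b"\xbb" * 40))

if __name__ == "__main__":
    with open("sid_1000001.pcap", "wb") as f:   # open the result in Wireshark/tcpdump
        f.write(to_pcap(packets_for_sid(SAMPLE, 1000001)))
```

Filtering by source IP instead of SID only means comparing the ip_source field (the tenth u32 of the event record) rather than signature_id; IPv6 and VLAN event types have their own layouts and would need separate unpack strings.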
Current thread:
- Extracting Snort alerts from DB Peter Bates (Dec 18)
- Re: Extracting Snort alerts from DB salawank (Dec 18)
- Re: Extracting Snort alerts from DB elof (Dec 18)
- Re: Extracting Snort alerts from DB Peter Bates (Dec 18)