Snort mailing list archives

Re: faking database entries


From: roman () danyliw com
Date: Tue, 17 Jul 2001 10:34:19 US/Eastern

> Hi,
>  I asked a while back about incorporating arpwatch into snort... then
> someone said it was being worked on but I haven't heard about it since...
> I figured the easiest way for me to get arpwatch integrated is to parse
> its alerts and fake database entries as if they came from snort itself...

Examine spp_arpspoof.c for ARP support in snort 1.8.

> With all the optimizations in the database, I wanted to ask for the
> official lowdown on what has to be fiddled with for this kind of entry to
> work out... I'm using Snort v1.7 with ACID v0.9.6b10 - I would rather not
> upgrade to snort v1.8 if I don't have to because this is part of a final
> project for my degree (final == must finish).

Several changes have been made to the DB schema since 1.7.
However, the one which will affect you most will be the
normalization of signatures.  Instead of writing the sig name
into the event table, a sig_id is stored.  The sig_id => sig_name
translation is found in the signature table.

Also of concern to you may be the deprecation of the octet
based IP addresses (i.e. ip_src0 - ip_src3; ip_dst0 - ip_dst3)
in favor of an unsigned 32-bit integer.

I would suspect that signature classification, priority, and 
references are of little concern if you are "faking" DB entries.

When you are done, we would all be interested in the code. ;-)

Roman
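As an added illustration (not code from Roman or from anyone in this thread), the following Python sketch shows the two schema points the reply raises when writing arpwatch-derived entries against the 1.8 layout: looking up (or inserting) the signature name to obtain a sig_id, and packing dotted-quad addresses into the unsigned 32-bit form that replaced ip_src0..ip_src3. The table and column names are assumed simplifications for illustration, not the real Snort/ACID schema, and the arpwatch events are constructed sample input.

```python
import sqlite3

# Constructed, simplified stand-in for the normalized 1.8 schema described in the
# reply: event rows carry a sig_id, and the signature table maps sig_id -> sig_name.
# Column names are assumptions for illustration, not the real Snort/ACID schema.
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT UNIQUE NOT NULL);
CREATE TABLE event (cid INTEGER PRIMARY KEY, sig_id INTEGER NOT NULL,
                    timestamp TEXT, ip_src INTEGER, ip_dst INTEGER,
                    FOREIGN KEY (sig_id) REFERENCES signature(sig_id));
"""

def ip_to_u32(dotted):
    """Pack a dotted-quad IPv4 address into the unsigned 32-bit integer form."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def u32_to_ip(n):
    """Inverse of ip_to_u32, useful when checking what ACID will display."""
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def sig_id_for(conn, sig_name):
    """Return the sig_id for sig_name, inserting a signature row on first sight."""
    row = conn.execute("SELECT sig_id FROM signature WHERE sig_name = ?",
                       (sig_name,)).fetchone()
    if row:
        return row[0]
    return conn.execute("INSERT INTO signature (sig_name) VALUES (?)",
                        (sig_name,)).lastrowid

def insert_event(conn, sig_name, timestamp, src, dst):
    """Write one event row referencing the signature table rather than the sig name."""
    cur = conn.execute(
        "INSERT INTO event (sig_id, timestamp, ip_src, ip_dst) VALUES (?, ?, ?, ?)",
        (sig_id_for(conn, sig_name), timestamp, ip_to_u32(src), ip_to_u32(dst)))
    return cur.lastrowid

def load_arpwatch_events(events):
    """events: iterable of (sig_name, timestamp, src_ip, dst_ip) parsed from arpwatch.
    Returns (cid, sig_id, sig_name, ip_src, ip_dst) rows as ACID-style join would see them."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for ev in events:
        insert_event(conn, *ev)
    rows = conn.execute("""SELECT e.cid, s.sig_id, s.sig_name, e.ip_src, e.ip_dst
                           FROM event e JOIN signature s ON e.sig_id = s.sig_id
                           ORDER BY e.cid""").fetchall()
    conn.close()
    return rows
```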






