Snort mailing list archives
Re: faking database entries
From: roman () danyliw com
Date: Tue, 17 Jul 2001 10:34:19 US/Eastern
> Hi, I asked a while back about incorporating arpwatch into snort... then someone said it was being worked on but I haven't heard about it since... I figured the easiest way for me to get arpwatch integrated is to parse its alerts and fake database entries as if they came from snort itself...
Examine spp_arpspoof.c for ARP support in snort 1.8.
> With all the optimizations in the database, I wanted to ask for the official lowdown on what has to be fiddled with for this kind of entry to work out... I'm using Snort v1.7 with ACID v0.9.6b10 - I would rather not upgrade to snort v1.8 if I don't have to because this is part of a final project for my degree(final==must finish).
Several changes have been made to the DB schema since 1.7. However, the one which will affect you most will be the normalization of signatures. Instead of writing the sig name into the event table, a sig_id is stored. The sig_id => sig_name translation is found in the signature table. Also of concern to you may be the deprecation of the octet based IP addresses (i.e. ip_src0 - ip_src3; ip_dst0 - ip_dst3) in favor of an unsigned 32-bit integer. I would suspect that signature classification, priority, and references are of little concern if you are "faking" DB entries. When you are done, we would all be interested in the code. ;-)

Roman
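An added example, not code from this thread or from the Snort project: a Python sketch of the two schema changes Roman describes, a signature table keyed by sig_id (with lookup-or-insert so repeated alert text reuses one row) and dotted-quad addresses stored as unsigned 32-bit integers instead of the ip_src0..ip_src3 octet columns. The iphdr table, every column name other than sig_id and sig_name, and the arpwatch-style sample alerts are assumptions constructed for the demo.

```python
import sqlite3
import struct
import socket

# Hypothetical minimal stand-in for the normalized tables the reply describes.
# Only sig_id / sig_name / signature / event come from the thread; the rest
# (sid, cid, iphdr, ip_src, ip_dst, timestamp) are assumed for the demo.
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT UNIQUE NOT NULL);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER NOT NULL,
                    timestamp TEXT NOT NULL, PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER NOT NULL,
                    ip_dst INTEGER NOT NULL, PRIMARY KEY (sid, cid));
"""

def ip_to_u32(dotted):
    """Dotted quad -> unsigned 32-bit integer (network byte order), replacing
    the deprecated ip_src0..ip_src3 octet columns."""
    return struct.unpack("!I", socket.inet_aton(dotted))[0]

def sig_id_for(conn, sig_name):
    """Lookup-or-insert: reuse an existing sig_id so the same alert text never
    creates duplicate signature rows."""
    row = conn.execute("SELECT sig_id FROM signature WHERE sig_name = ?",
                       (sig_name,)).fetchone()
    if row:
        return row[0]
    cur = conn.execute("INSERT INTO signature (sig_name) VALUES (?)", (sig_name,))
    return cur.lastrowid

def insert_event(conn, sid, cid, sig_name, timestamp, src_ip, dst_ip):
    """Write one event plus its IP header row; returns the sig_id used."""
    sig_id = sig_id_for(conn, sig_name)
    conn.execute("INSERT INTO event VALUES (?, ?, ?, ?)", (sid, cid, sig_id, timestamp))
    conn.execute("INSERT INTO iphdr VALUES (?, ?, ?, ?)",
                 (sid, cid, ip_to_u32(src_ip), ip_to_u32(dst_ip)))
    return sig_id

def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # Constructed sample alerts in the shape of arpwatch-style notifications.
    alerts = [
        (1, "ARP: changed ethernet address", "2001-07-17 10:34:19", "192.168.1.5", "192.168.1.1"),
        (2, "ARP: new station", "2001-07-17 10:35:02", "192.168.1.7", "192.168.1.1"),
        (3, "ARP: changed ethernet address", "2001-07-17 10:36:44", "192.168.1.5", "192.168.1.1"),
    ]
    ids = [insert_event(conn, 1, cid, name, ts, s, d) for cid, name, ts, s, d in alerts]
    nsigs = conn.execute("SELECT COUNT(*) FROM signature").fetchone()[0]
    src = conn.execute("SELECT ip_src FROM iphdr WHERE cid = 1").fetchone()[0]
    return ids, nsigs, src
```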