Re: Database plugin question

[Radu Brumariu <brumariur () missouri edu>]

Yes, this is very close to what i thought. 
Acctually I have some trace files, that I want to filter through snort,
but i need the database populated with all the packets found in the
trace. that's because I want to initially remove some rules and then try
to produce them , using some algorithm. I just need to run the algorithm
on the whole database, ip or not ip, just everything that the nic will
see.
I am also considering modifying tcpdump so it will log to a database
rather than flat file.

Let me know what you think.

Thanks,
Radu



On Wed, 2002-08-14 at 16:31, Phil Wood wrote:
> On Wed, Aug 14, 2002 at 10:13:47AM -0500, Radu Brumariu wrote:
> > Thanks, Jeffrey for the input. 
> > However, I would like snort to log _all_ the packets that it sees,
> > including arp,igrp,gre, etc.
>
> I would use tcpdump for that:
>
>   tcpdump -i eth0 -w pcapfile -s 1514
>
> You can even feed that file into snort for analysis.  Instead of -i, use
>
>   -r pcapfile
>
> snort does not handle non ip packets.  You could use snort to grab the
> ip packets with the rule supplied by Jeffrey, and you could use tcpdump at
> the same time to get all the non-ip packets with the following:
>
>   tcpdump -i eth0 -w pcapfile -s 1514 not ip
>
> > Radu
> >
> >
> > On Wed, 2002-08-14 at 14:42, Dell, Jeffrey wrote:
> > > Use the rule:
> > >
> > > log ip any any <> any any 
> > >
> > > This will log all ip packets.
> > >
> > > -----Original Message-----
> > > From: Radu Brumariu [mailto:brumariur () missouri edu] 
> > > Sent: Wednesday, August 14, 2002 10:27 AM
> > > To: snort-users () lists sourceforge net
> > > Subject: [Snort-users] Database plugin question
> > >
> > >
> > >
> > > Hi all,
> > > I would like to know if it is possible to trick snort into logging every
> > > packet that it sees to the database rather then log|alert?
> > >
> > > thanks,
> > > Radu
> > >
> > >
> > >
> > >
> > >
> > > -------------------------------------------------------
> > > This sf.net email is sponsored by: Dice - The leading online job board for
> > > high-tech professionals. Search and apply for tech jobs today!
> > > http://seeker.dice.com/seeker.epl?rel_code=31
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> >
> >
> >
> > -------------------------------------------------------
> > This sf.net email is sponsored by: Dice - The leading online job board
> > for high-tech professionals. Search and apply for tech jobs today!
> > http://seeker.dice.com/seeker.epl?rel_code=31
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> -- 
> Phil Wood, cpw () lanl gov




-------------------------------------------------------
This sf.net email is sponsored by: Dice - The leading online job board
for high-tech professionals. Search and apply for tech jobs today!
http://seeker.dice.com/seeker.epl?rel_code=31
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users