Snort mailing list archives
Re: mysql to pcap?
From: "David J. Bianco" <david () vorant com>
Date: Sat, 30 Aug 2008 23:26:05 -0400
This might be a more complicated solution than you're looking for, but check out Sguil (www.sguil.net). It captures PCAP in addition to snort alerts (and network session logs as well), so when you're examining an event, you can easily reference the PCAP data for the entire network session, not just the single packet which caused the alert. If you're ready to start looking at PCAP, you might as well go whole hog with it.

David

Tim Maletic wrote:
I'm viewing snort events through a third-party tool that is fetching the data from the mysql database snort is logging to. I want to be able to select a particular event in the third-party tool and view it in wireshark, so that I can subject the payload to wireshark's protocol parsers.
Current thread:
- mysql to pcap? Tim Maletic (Aug 29)
- Re: mysql to pcap? Jack Pepper (Aug 29)
- Re: mysql to pcap? Ryan Jordan (Aug 29)
- Re: mysql to pcap? Dirk Geschke (Aug 30)
- Re: mysql to pcap? Jason (Sep 02)
- Re: mysql to pcap? Dirk Geschke (Sep 02)
- Re: mysql to pcap? Jason (Sep 02)
- Re: mysql to pcap? David J. Bianco (Aug 30)
- Re: mysql to pcap? Richard Bejtlich (Aug 31)