Snort mailing list archives
RE: logging question
From: James Hoagland <hoagland () SiliconDefense com>
Date: Tue, 29 May 2001 11:55:54 -0700
At 12:23 PM -0400 5/25/01, Anthony Buser wrote:
> Unfortunately so far as I know SnortSnarf cannot handle the tcpdump

This is true, but something you should be able to do is to run snort with "-r" to read that tcpdump data and to output it in (for example) full alert format, which SnortSnarf can read.

> data. Which is one reason why I recently switched to Acid (http://www.cert.org/kb/acid/) and used the database logging with snort. So I added a line to my snort.conf like:
>
> output database: log, mysql, user=xxx password=xxx dbname=snort host=localhost sensor_name=netmon encoding=hex
>
> The encoding=hex at the end puts the tcpdump into the database in hex format, which acid automatically turns into human readable format and shows on the acid webpage when you drill down into the details. You can also tell the database plugin to automatically convert to plain text by putting encoding=ascii. That way you could develop your own tools to view it if you don't want to use acid... or I guess maybe modify snortsnarf to show it.
Being able to get input from a database is one of the motivators behind the modularization of SnortSnarf. Now someone just needs to write the input module. (Silicon Defense has no plans at this point to do this ourselves.) If someone wants to work on this, I think a number of people would be rather appreciative.
Kind regards,

Jim

--
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* hoagland () SiliconDefense com *|
|* http://www.silicondefense.com/ *|
|* Silicon Defense - Technical Support for Snort *|
|* Voice: (530) 756-7317 Fax: (530) 756-7297 *|
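The quoted message mentions that with encoding=hex the database plugin stores the packet payload as hex and ACID renders it as a readable dump, and that encoding=ascii lets you write your own viewer. The following is an added example, not code from Snort, ACID or SnortSnarf: it decodes a payload column according to the encoding= setting and renders it as offset/hex/ASCII columns. The helper names, the column layout and the sample row are this example's own assumptions.

```python
import string

# Hypothetical helper (not part of Snort, ACID or SnortSnarf): turn a payload
# stored by Snort's database output plugin back into bytes. The plugin's
# encoding= option decides what lands in the table: "hex" stores two hex
# digits per byte, "ascii" stores the raw text. Anything else is rejected.
def decode_payload(encoding: str, stored: str) -> bytes:
    if encoding == "hex":
        try:
            return bytes.fromhex(stored)
        except ValueError as exc:
            # odd length or non-hex characters mean a corrupt row
            raise ValueError(f"malformed hex payload: {exc}") from exc
    if encoding == "ascii":
        return stored.encode("latin-1")  # maps bytes 0x00-0xFF one-to-one
    raise ValueError(f"unsupported encoding: {encoding}")

# Bytes shown literally in the ASCII column; other values print as "."
PRINTABLE = set(bytes(string.printable, "ascii")) - set(b"\t\n\r\x0b\x0c")

# Render bytes as offset / hex / ASCII columns, the kind of view ACID shows
# when drilling into an alert. The exact layout is this example's own choice.
def hexdump(data: bytes, width: int = 16) -> list[str]:
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexcol = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        asc = "".join(chr(b) if b in PRINTABLE else "." for b in chunk)
        lines.append(f"{off:08x}  {hexcol}  {asc}")
    return lines

# Constructed sample row: an HTTP request payload as the sensor might log it.
# SAMPLE_HEX is simply SAMPLE_ASCII hex-encoded, as encoding=hex would store it.
SAMPLE_ASCII = "GET /cgi-bin/test HTTP/1.0\r\n\r\n"
SAMPLE_HEX = SAMPLE_ASCII.encode().hex()

if __name__ == "__main__":
    for line in hexdump(decode_payload("hex", SAMPLE_HEX)):
        print(line)
```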