Snort mailing list archives

Re: AIM decoding


From: Erek Adams <erek () snort org>
Date: Wed, 17 Sep 2003 10:23:33 -0400 (EDT)

On Wed, 17 Sep 2003, JJ wrote:

I was actually hoping someone had code that would pull the send/receive
message alerts out of a MySQL database and print out the decoded chat
session.  More specifically, I was hoping for perl.

At any rate, I will probably code something up that will pull the chat
sessions, by date and IP, out of the MySQL server for use in waste,
fraud and abuse (WFA) cases.

If anyone knows something that does this, please let me know.

Snort's the wrong tool for that.

When it logs something to the DB, the only thing (in the default rules)
that gets logged is one packet.  Not enough for a conversation, just the
start of one or some 'random point' in the conversation.

You might do better to log all outgoing traffic on port 5190 to disk and
replay it into Snort and some sort of script to dump it into a DB.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
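As an added illustration of the point made above (this is not code from the thread or from the Snort project): a single logged packet is not a conversation because OSCAR frames on TCP/5190 are only meaningful once the stream is reassembled. The script below takes a constructed, in-order capture of port 5190 payloads, concatenates them per direction, splits the result into FLAP frames (start byte 0x2A, channel, sequence, length), records the SNAC family/subtype of channel-2 frames, and stores one row per frame in SQLite so it can be queried by date and IP as the original poster wanted. The packet tuples, addresses and SNAC bodies are made up; the code reads frame headers only and does not decode message text, and it relies on arrival order rather than TCP sequence numbers.

```python
import sqlite3
import struct
from collections import defaultdict

# FLAP framing used by the OSCAR protocol on TCP/5190: start byte 0x2A, channel,
# 16-bit sequence number, 16-bit data length, then `length` bytes of data.
FLAP_START = 0x2A
FLAP_HEADER = struct.Struct(">BBHH")
# SNAC header carried in FLAP channel 2 frames: family, subtype, flags, request id.
SNAC_HEADER = struct.Struct(">HHHI")
SNAC_CHANNEL = 2


def build_flap(channel, seq, data):
    """Build one FLAP frame (used only to construct the sample capture below)."""
    return FLAP_HEADER.pack(FLAP_START, channel, seq, len(data)) + data


def build_snac(family, subtype, reqid, body=b""):
    """Build a SNAC header plus a placeholder body (not a real ICBM payload)."""
    return SNAC_HEADER.pack(family, subtype, 0, reqid) + body


def parse_flap(stream):
    """Split a reassembled TCP payload into complete FLAP frames.

    Returns (frames, leftover): frames is a list of (channel, seq, data);
    leftover is a trailing partial frame whose remaining bytes sit in a
    packet we have not seen. A lone logged packet usually ends like this.
    """
    frames, off = [], 0
    while off + FLAP_HEADER.size <= len(stream):
        start, channel, seq, length = FLAP_HEADER.unpack_from(stream, off)
        if start != FLAP_START:
            raise ValueError("stream not aligned on a FLAP frame at offset %d" % off)
        end = off + FLAP_HEADER.size + length
        if end > len(stream):
            break  # incomplete frame: wait for more of the stream
        frames.append((channel, seq, bytes(stream[off + FLAP_HEADER.size:end])))
        off = end
    return frames, bytes(stream[off:])


def reassemble(packets):
    """Concatenate payloads per direction (src, sport, dst, dport) in timestamp order.

    Assumption: the capture is in order and loss-free, so arrival order stands
    in for TCP sequence tracking. Returns the streams and each stream's first ts.
    """
    streams, started = defaultdict(bytearray), {}
    for ts, src, sport, dst, dport, payload in sorted(packets, key=lambda p: p[0]):
        key = (src, sport, dst, dport)
        streams[key] += payload
        started.setdefault(key, ts)
    return streams, started


def load(packets):
    """Parse every stream and store one row per FLAP frame in an in-memory SQLite DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE flap_frames (ts TEXT, src TEXT, dst TEXT, channel INTEGER,"
        " seq INTEGER, family INTEGER, subtype INTEGER, length INTEGER)"
    )
    streams, started = reassemble(packets)
    for (src, sport, dst, dport), data in streams.items():
        frames, _leftover = parse_flap(data)
        for channel, seq, payload in frames:
            family = subtype = None
            if channel == SNAC_CHANNEL and len(payload) >= SNAC_HEADER.size:
                family, subtype, _flags, _reqid = SNAC_HEADER.unpack_from(payload)
            # Rows carry the stream's first timestamp; a session that crosses
            # midnight would need per-packet timestamps to be split by day.
            conn.execute(
                "INSERT INTO flap_frames VALUES (?,?,?,?,?,?,?,?)",
                (started[(src, sport, dst, dport)], src, dst, channel, seq,
                 family, subtype, len(payload)),
            )
    conn.commit()
    return conn


def frames_for(conn, ip, day):
    """Frames involving `ip` on ISO date `day` (YYYY-MM-DD): the lookup asked for above."""
    cur = conn.execute(
        "SELECT ts, src, dst, channel, seq, family, subtype, length FROM flap_frames"
        " WHERE ts LIKE ? AND (src = ? OR dst = ?) ORDER BY ts, src, seq",
        (day + "%", ip, ip),
    )
    return cur.fetchall()


# Constructed sample capture (not real AIM traffic): client 10.0.0.5 talks to a
# server on TEST-NET address 192.0.2.10:5190. The second outgoing frame is split
# across two packets, so it only parses after reassembly.
OUT1 = build_flap(2, 1, build_snac(0x0004, 0x0006, 1, b"\x00" * 4))  # ICBM, outgoing
OUT2 = build_flap(2, 2, build_snac(0x0004, 0x0006, 2, b"\x00" * 4))
IN1 = build_flap(2, 1, build_snac(0x0004, 0x0007, 3, b"\x00" * 4))   # ICBM, incoming
PACKETS = [
    ("2003-09-17T10:01:00", "10.0.0.5", 1234, "192.0.2.10", 5190, OUT1 + OUT2[:8]),
    ("2003-09-17T10:01:02", "10.0.0.5", 1234, "192.0.2.10", 5190, OUT2[8:]),
    ("2003-09-17T10:01:03", "192.0.2.10", 5190, "10.0.0.5", 1234, IN1),
    ("2003-09-18T09:00:00", "10.0.0.7", 1235, "192.0.2.10", 5190,
     build_flap(2, 1, build_snac(0x0004, 0x0006, 9))),
]

if __name__ == "__main__":
    db = load(PACKETS)
    for row in frames_for(db, "10.0.0.5", "2003-09-17"):
        print(row)
```

Running `parse_flap` on the first packet alone yields one complete frame and eight leftover bytes; only after `reassemble` joins the two packets does the second frame appear, which is the gap between a per-alert packet log and a replayable session log.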

