Solved

Importing Snort's tcpdump into mysql

Posted on 2006-07-12
6
1,460 Views
Last Modified: 2006-11-18
We crated snort database using the schema file "create_mysql" in mysql database.
After running the snort with -L option for some time (ex: snort -L tcpdump.log), we want to import the data in tcpdump.log into snort database which we have created earlier in mysql. How to that ?
0
Comment
Question by:raghuni
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
6 Comments
 
LVL 40

Expert Comment

by:noci
ID: 17093757
Right..., to fill the database you need to add a special line to the snort config file,
along:

output database: log, mysql, dbname=snort, username=snort.....
or
output database: alert, mysql, dbname=snort, username=snort, password=....

If everything has been install correctly there is a configuration description in the file called README.database
then everything will be put into the database by snort itself....... No need to import.

In the mean time I will look if I can find a solution to the actual question..... ;-)
0
 
LVL 40

Expert Comment

by:noci
ID: 17095076
If you configure snort to log everything to MySQL according to the docs you should be able to reread
the binary log with 'snort -r tcpdump.log' to process all packets again and get them into the database.

The file has tcpdump format, ethereal et al can read them, but packets are encapsulated within a
"SNORT-protocol" that shows up as ip-proto-255 with some cause code appended.
0
 

Author Comment

by:raghuni
ID: 17096606
I already had some tcpdump file. I want to dump the content of the this file into snort database.
0
 
LVL 40

Accepted Solution

by:
noci earned 200 total points
ID: 17097067
'snort -r tcpdump.log'

from man snort:

    -r tcpdump-file
              Read  the  tcpdump-formatted file tcpdump-file.  This will cause Snort to read and process the file fed to it.  This is useful if,
              for instance, you've got a bunch of SHADOW files that you want to process for content, or even if you've got a bunch  of  reassem-
              bled packet fragments which have been written into a tcpdump formatted file.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hello EE, Today we will learn how to send all your network traffic through Tor which is useful to get around censorship and being tracked all together to a certain degree. This article assumes you will be using Linux, have a minimal knowledge of …
BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question