Link to home
Start Free TrialLog in
Avatar of raghuni
raghuni

asked on

Importing Snort's tcpdump into mysql

We crated snort database using the schema file "create_mysql" in mysql database.
After running the snort with -L option for some time (ex: snort -L tcpdump.log), we want to import the data in tcpdump.log into snort database which we have created earlier in mysql. How to that ?
Avatar of noci
noci

Right..., to fill the database you need to add a special line to the snort config file,
along:

output database: log, mysql, dbname=snort, username=snort.....
or
output database: alert, mysql, dbname=snort, username=snort, password=....

If everything has been install correctly there is a configuration description in the file called README.database
then everything will be put into the database by snort itself....... No need to import.

In the mean time I will look if I can find a solution to the actual question..... ;-)
If you configure snort to log everything to MySQL according to the docs you should be able to reread
the binary log with 'snort -r tcpdump.log' to process all packets again and get them into the database.

The file has tcpdump format, ethereal et al can read them, but packets are encapsulated within a
"SNORT-protocol" that shows up as ip-proto-255 with some cause code appended.
Avatar of raghuni

ASKER

I already had some tcpdump file. I want to dump the content of the this file into snort database.
ASKER CERTIFIED SOLUTION
Avatar of noci
noci

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial