[unisog] Snort woes

Andreas Östling andreaso at it.su.se
Mon Jan 24 21:13:13 GMT 2005


On Mon, 24 Jan 2005, Michael Holstein wrote:
...
> PS : while we're on the subject, does anyone know of a frontend for the 
> snort_db that can graphically reassemble the packets generated under the 
> 'tag' directive? Or an easy to post-process them into a tcpdump file (without 
> using the binary mode)?

You could extract the payload from the db, reformat it, and pass it to 
text2pcap (a tool distributed with Ethereal) to create a tcpdump file. 
This is how Pigris[0] does it when opening alerts in Ethereal etc. It's 
kind of a quick and dirty hack but still very useful for some purposes, 
although I'd use real pcap logging in parallel anyway.

[0] Just some screenshots for the interested:
http://people.su.se/~andreaso/pigris/screenshots/

/Andreas
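One way to do the "extract, reformat, feed to text2pcap" step Andreas describes, as an added example in Python (not Pigris code); it assumes the payloads arrive as hex strings, as the Snort database output plugin stores them with its default hex encoding, and the sample payloads are constructed.

```python
import re
import sys

# Constructed sample payloads, hex-encoded as assumed for the Snort DB
# data table (one entry per tagged packet, application payload only).
SAMPLE_PAYLOADS = [
    "474554202f20485454502f312e300d0a0d0a",  # "GET / HTTP/1.0\r\n\r\n"
    "485454502f312e3020323030204f4b0d0a",    # "HTTP/1.0 200 OK\r\n"
]


def hex_payload_to_bytes(hex_payload):
    """Decode one payload column; whitespace added by SQL clients is ignored."""
    cleaned = re.sub(r"\s+", "", hex_payload)
    if len(cleaned) % 2:
        raise ValueError("payload has odd hex length: %r" % hex_payload[:20])
    return bytes.fromhex(cleaned)


def to_text2pcap(payloads, width=16):
    """Render payloads in text2pcap's hexdump input format.

    Each line is a 6-digit hex offset followed by hex bytes; a line at
    offset 0 starts a new packet, and a bare offset line closes the last one.
    """
    lines = []
    for payload in payloads:
        if not payload:          # nothing to write for an empty payload
            continue
        for off in range(0, len(payload), width):
            chunk = payload[off:off + width]
            lines.append("%06x %s" % (off, " ".join("%02x" % b for b in chunk)))
        lines.append("%06x" % len(payload))
    return "\n".join(lines) + "\n"


def main():
    dump = to_text2pcap(hex_payload_to_bytes(p) for p in SAMPLE_PAYLOADS)
    with open("tagged.txt", "w") as fh:
        fh.write(dump)
    sys.stdout.write(dump)
    # Only the payload is stored, so let text2pcap prepend dummy
    # Ethernet/IP/TCP headers:  text2pcap -T 12345,80 tagged.txt tagged.pcap


if __name__ == "__main__":
    main()
```

The resulting pcap carries synthetic headers, so as the post says, keep real pcap logging alongside if you need the original addresses and timestamps.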


