
Re: AW: [Snort-users] How to Import Alert-Files into MySQL?

12-17-2004
Michael Boman

On Thu, 16 Dec 2004 14:42:21 +0100, Philipp <ph.ilipp@gmx.net> wrote:
> Sorry for posting twice and thanks for the answer, but there is a
> misunderstanding. I have several alert files (from /var/log/snort) from some
> experimental honeypots in amount of nearly 1GB. There I have only logged
> them in text mode. For the Analysis now, I want them to import into a mysql
> database on the analysis-box for statistical manner with tools like ACID or
> the Honeynet Security Console. Some workaround was to replay (tcpreplay) the
> binary-logs to a virtual interface and analyse them with snort again logging
> to mysql, but all time-information is lost in this way.
> Again the question, is there an easy way to import them without writing a
> perl-script?
> I already found
> http://archives.neohapsis.com/archiv...1-03/0202.html, but it was
> written for snort v1.6x and doesn't fit the newer versions.
> Regards,
> Philipp


If you still have the pcap for the traffic in question you just need
to use 'snort -r' to re-read the pcaps again (no need to replay them
using tcpreplay). Converting ASCII logs to DB is a daunting task, and
it would involve some scripting at least...

/Michael Boman
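
The scripting the reply refers to, sketched as an added example that is not part of the original post or of Snort: it parses text alert records and loads them into a database while keeping the original event times. Assumptions: the files use Snort's multi-line "full" alert layout, the sample records are constructed, the flat `alert` table and SQLite are stand-ins for the MySQL analysis database (this is not the ACID schema), and the year is passed in because the default log timestamps do not carry one.

```python
import re
import sqlite3
from datetime import datetime

# Constructed sample in Snort's multi-line "full" alert layout.
SAMPLE = """\
[**] [1:2003:8] MS-SQL Worm propagation attempt [**]
[Classification: Misc Attack] [Priority: 2]
12/16-14:42:21.123456 10.0.0.5:1052 -> 192.168.1.10:1434
UDP TTL:113 TOS:0x0 ID:4242 IpLen:20 DgmLen:404
Len: 376

[**] [1:469:3] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
12/16-14:43:02.000100 10.0.0.7 -> 192.168.1.10
ICMP TTL:48 TOS:0x0 ID:1 IpLen:20 DgmLen:28
Type:8  Code:0  ID:1   Seq:0  ECHO
"""

HEAD = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")
PRIO = re.compile(r"\[Priority: (\d+)\]")
FLOW = re.compile(r"^(\d\d/\d\d-[\d:.]+) ([\d.]+)(?::(\d+))? -> ([\d.]+)(?::(\d+))?$", re.M)
PROTO = re.compile(r"^(TCP|UDP|ICMP) TTL:", re.M)

def parse_alerts(text, year):
    """Return one row per alert; the log carries no year, so the caller supplies it."""
    rows = []
    for block in re.split(r"\n\s*\n", text.strip()):
        head, flow = HEAD.search(block), FLOW.search(block)
        if not head or not flow:
            continue  # truncated or unrecognised record
        prio, proto = PRIO.search(block), PROTO.search(block)
        ts = datetime.strptime(f"{year}/{flow[1]}", "%Y/%m/%d-%H:%M:%S.%f")
        rows.append((ts.isoformat(), int(head[2]), head[4],
                     int(prio[1]) if prio else None,
                     proto[1] if proto else None,
                     flow[2], int(flow[3]) if flow[3] else None,  # ICMP has no ports
                     flow[4], int(flow[5]) if flow[5] else None))
    return rows

def load(conn, text, year):
    """Insert parsed alerts with bound parameters; rule messages are untrusted text."""
    conn.execute("CREATE TABLE IF NOT EXISTS alert (ts TEXT, sid INT, msg TEXT, "
                 "priority INT, proto TEXT, src TEXT, sport INT, dst TEXT, dport INT)")
    rows = parse_alerts(text, year)
    conn.executemany("INSERT INTO alert VALUES (?,?,?,?,?,?,?,?,?)", rows)
    return len(rows)

if __name__ == "__main__":
    db = sqlite3.connect(":memory:")  # stand-in for the MySQL analysis database
    print(load(db, SAMPLE, 2004), "alerts loaded")
```

Logs that span a year boundary need the year chosen per file, since the parser applies one year to every record it is given.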

