From: Alain Tésio (alain@onesite.org)
Date: Mon Jun 25 2001 - 14:25:52 CDT


    Hi, I'm not sure if anyone is interested in this.
    I've added the IPs and the hostnames in the event
    table; the fields are updated by a script, see below
    for an example.

    Get the scripts from ftp://onesite.org/pub/snort.tar.gz,
    change the connection parameters and launch snort.py;
    it updates new rows. Apply the patch in a comment at
    the top of snort.py first to add the new columns and indexes.

    It doesn't reuse already stored resolved hostnames
    (they should be in the DNS cache, right?).
    If anyone is using it, tell me.

    I wrote it on Linux Debian with Python 2.1 and
    MySQLdb.

    Alain

    mysql> select * from event limit 3;
    +-----+-----+----------------------------------------+---------------------+----------------+----------------+----------------------+----------------------+
    | sid | cid | signature                              | timestamp           | ip_src         | ip_dst         | dns_src              | dns_dst              |
    +-----+-----+----------------------------------------+---------------------+----------------+----------------+----------------------+----------------------+
    |   1 |   1 | ICMP Echo Request CyberKit 2.2 Windows | 2001-05-26 16:28:23 | 172.173.75.254 | 64.242.40.20   | ACAD4BFE.ipt.aol.com | ns.floc.net          |
    |   1 |   2 | ICMP Echo Reply                        | 2001-05-26 16:28:23 | 64.242.40.20   | 172.173.75.254 | ns.floc.net          | ACAD4BFE.ipt.aol.com |
    |   1 |   3 | ICMP Echo Request Windows              | 2001-05-26 16:44:06 | 172.173.75.254 | 64.242.40.20   | ACAD4BFE.ipt.aol.com | ns.floc.net          |
    +-----+-----+----------------------------------------+---------------------+----------------+----------------+----------------------+----------------------+
    3 rows in set (0.01 sec)

    _______________________________________________
    Snort-users mailing list
    Snort-users@lists.sourceforge.net
    Go to this URL to change user options or unsubscribe:
    http://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://www.geocrawler.com/redir-sf.php3?list=snort-users
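An added example (not the scripts from the post) of the update step the post describes: event rows whose dns_src/dns_dst are still empty get filled by reverse lookup, and hostnames already stored in the table are reused so no address is resolved twice. It assumes sqlite3 in place of MySQLdb, the column names shown in the post's query output, and an injectable resolver so the run can use a constructed IP-to-name mapping instead of live DNS.

```python
import socket
import sqlite3
from typing import Callable, Dict, Optional

# Constructed stand-in for Snort's "event" table with the four columns the post adds
# (sqlite3 instead of MySQLdb so this runs offline; names follow the post's query output).
SCHEMA = """CREATE TABLE event (sid INTEGER, cid INTEGER, signature TEXT, timestamp TEXT,
    ip_src TEXT, ip_dst TEXT, dns_src TEXT, dns_dst TEXT)"""

# Constructed sample rows; NULL dns_* columns mark rows the script has not processed yet.
SAMPLE_ROWS = [
    (1, 1, "ICMP Echo Request CyberKit 2.2 Windows", "2001-05-26 16:28:23", "172.173.75.254", "64.242.40.20"),
    (1, 2, "ICMP Echo Reply", "2001-05-26 16:28:23", "64.242.40.20", "172.173.75.254"),
    (1, 3, "ICMP Echo Request Windows", "2001-05-26 16:44:06", "172.173.75.254", "64.242.40.20"),
]
Resolver = Callable[[str], Optional[str]]

def reverse_lookup(ip: str) -> Optional[str]:
    """PTR lookup; None when the address has no PTR record or the query fails.
    The name comes from whoever controls the reverse zone: store it for analysts, don't trust it."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return None

def enrich_events(conn: sqlite3.Connection, resolve: Resolver = reverse_lookup) -> int:
    """Fill dns_src/dns_dst on rows that still have NULLs; returns how many rows were updated.
    Hostnames stored by earlier runs seed the cache, so each address is resolved at most once."""
    cache: Dict[str, Optional[str]] = {}
    for ip_col, dns_col in (("ip_src", "dns_src"), ("ip_dst", "dns_dst")):  # fixed column names
        for ip, name in conn.execute(f"SELECT {ip_col}, {dns_col} FROM event WHERE {dns_col} IS NOT NULL"):
            cache.setdefault(ip, name)

    def lookup(ip: str) -> Optional[str]:
        if ip not in cache:
            cache[ip] = resolve(ip)  # a failed lookup stays NULL in the table and is retried next run
        return cache[ip]

    pending = conn.execute("SELECT sid, cid, ip_src, ip_dst FROM event "
                           "WHERE dns_src IS NULL OR dns_dst IS NULL").fetchall()
    for sid, cid, ip_src, ip_dst in pending:
        conn.execute("UPDATE event SET dns_src = ?, dns_dst = ? WHERE sid = ? AND cid = ?",
                     (lookup(ip_src), lookup(ip_dst), sid, cid))
    conn.commit()
    return len(pending)

def demo(resolve: Resolver = reverse_lookup) -> sqlite3.Connection:
    """Build the constructed table in memory, run one enrichment pass and return the connection."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO event (sid, cid, signature, timestamp, ip_src, ip_dst) VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    enrich_events(conn, resolve)
    return conn
```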