Thread: [Secureideas-base-devel] FLoP support in BASE
From: nikns <ni...@se...> - 2006-02-20 22:04:42
As you may have heard, FLoP (Fast Logging Project for Snort) http://www.geschke-online.de/FLoP/ has some nice advantages over Snort's built-in database output plugin. Last week I worked on FLoP support in BASE.

First of all, BASE can now archive FLoP's extended DB data in addition to Snort's official schemas: `pcap_header` and `data_header` from the data table and `reference` from the event table. With FLoP it is possible to log the full payload, from which we can later rebuild the alert in pcap format, which can be used to analyze it via tcpdump or Ethereal and use their protocol analyzing features. So, it's like I ported FLoP's getpacket to PHP and integrated it in BASE. It's possible to rebuild an alert in pcap format like "Download of payload".

And, if we have the data header we can get and show MAC addresses and vendor information from it, but the complete MAC vendor mapping list is ~200 KB. So from 1.8 MB BASE would grow to 2 MB. I know that the vendor mapping list is useless for BASE users who aren't using FLoP. So what do you and Kevin think about that!? Would that be acceptable!? I haven't committed it yet.

There is a diff and a screenshot of how it looks in action ;)
http://secure.lv/~nikns/stuff/base_flop_support.diff
http://secure.lv/~nikns/stuff/base_flop_support.jpg

Comments, corrections, suggestions!? e?:)
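To make the two features discussed above concrete (rebuilding a stored alert as a pcap file, and reading MAC addresses plus vendor out of the stored Ethernet header), here is an added example in Python. It is not BASE's PHP code nor FLoP's getpacket; the row layout (`pcap_header` sub-fields `ts_sec`, `ts_usec`, `caplen`, `len`; `data_header`; `data_payload`), the packet bytes and the two-entry OUI table are all constructed for illustration.

```python
"""Rebuild one stored alert as a pcap file and extract MAC/vendor info.

Added example, not BASE or FLoP code. Field names and sample values are
assumptions constructed for this demonstration.
"""
import struct

# Stand-in for the per-alert row FLoP's extended data table stores: the pcap
# record header fields next to the raw Ethernet header and payload bytes.
# All values below are constructed.
SAMPLE_ALERT = {
    "pcap_header": {"ts_sec": 1140472826, "ts_usec": 123456, "caplen": 34, "len": 60},
    "data_header": bytes.fromhex(
        "005056aabbcc"  # destination MAC (constructed)
        "00000c112233"  # source MAC (constructed)
        "0800"          # EtherType IPv4
    ),
    # Truncated IPv4 header as payload (constructed); caplen < len above
    # models a capture that snapped the frame short.
    "data_payload": b"\x45\x00\x00\x14" + b"\x00" * 16,
}

# Constructed excerpt of an OUI -> vendor mapping. A real deployment would
# load the full IEEE list (the ~200 KB file discussed in the thread).
OUI_TABLE = {
    "00:50:56": "VMware, Inc.",
    "00:00:0C": "Cisco Systems, Inc.",
}

PCAP_MAGIC = 0xA1B2C3D4   # little-endian, microsecond timestamps
DLT_EN10MB = 1            # link type: Ethernet


def pcap_global_header(snaplen=65535, linktype=DLT_EN10MB):
    """24-byte pcap file header: magic, version 2.4, tz, sigfigs, snaplen, linktype."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(ts_sec, ts_usec, frame, orig_len=None):
    """16-byte record header (ts_sec, ts_usec, incl_len, orig_len) followed by the frame."""
    if orig_len is None:
        orig_len = len(frame)
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), orig_len) + frame


def rebuild_pcap(alert):
    """Return the bytes of a one-packet pcap file for a stored alert row.

    incl_len is taken from the bytes actually stored, not from the stored
    caplen, so a truncated or inconsistent row never produces a pcap whose
    record header claims more bytes than follow it."""
    frame = alert["data_header"] + alert["data_payload"]
    hdr = alert["pcap_header"]
    orig_len = hdr["len"] or len(frame)
    return pcap_global_header() + pcap_record(hdr["ts_sec"], hdr["ts_usec"], frame, orig_len)


def format_mac(raw):
    return ":".join(f"{b:02X}" for b in raw)


def parse_ethernet(frame):
    """Return (dst_mac, src_mac, ethertype) from the first 14 bytes of a frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return format_mac(dst), format_mac(src), ethertype


def vendor_for(mac, table=OUI_TABLE):
    """Look up the vendor by the first three octets (the OUI) of a MAC."""
    return table.get(mac[:8].upper(), "unknown")


def describe_alert(alert):
    """What a UI column would show: both MACs with their vendor and the EtherType."""
    dst, src, ethertype = parse_ethernet(alert["data_header"] + alert["data_payload"])
    return {
        "dst": dst, "dst_vendor": vendor_for(dst),
        "src": src, "src_vendor": vendor_for(src),
        "ethertype": ethertype,
    }


if __name__ == "__main__":
    with open("alert.pcap", "wb") as fh:
        fh.write(rebuild_pcap(SAMPLE_ALERT))
    print(describe_alert(SAMPLE_ALERT))
```

The written `alert.pcap` opens directly in tcpdump or Ethereal/Wireshark, which is the point of the "download of payload" feature: the analyst gets the dissector output instead of a hex dump in the browser. Note that the vendor lookup only says who made the interface; as the reply below points out, on a routed segment that is usually the router's vendor rather than the attacker's.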
From: Michael S. <ms...@ma...> - 2006-02-20 23:29:36
On Tue, Feb 21, 2006 at 12:04:26AM +0200, you wrote:
> I know that vendor mapping list is useless for BASE users who aren't
> using FLoP.

Sounds like an optional download. In many (most?) cases all the MAC vendor mapping is going to show is the manufacturer of your router.

--
Michael Stone
From: nikns <ni...@se...> - 2006-02-21 05:10:53
Right!

On Mon, Feb 20, 2006 at 06:29:24PM -0500, Michael Stone wrote:
> On Tue, Feb 21, 2006 at 12:04:26AM +0200, you wrote:
>> I know that vendor mapping list is useless for BASE users who aren't
>> using FLoP.
>
> Sounds like an optional download. In many (most?) cases all the mac vendor
> mapping is going to show is the manufacturer of your router.
>
> --
> Michael Stone