Hi Urko,
> Does anybody know how to change the Encoding format of the payload (from hex
> to ascii) without having to re-run the sql table creation script?
>
> I'm logging the data to a Postgres database, and I already tried to:
>
> - Change the snort configuration output to:
>
> output database: alert, postgresql, user=xxxxx dbname=xxxxxxx password=xxxxxx
> encoding=ascii detail=full
>
> (then restart snort and postgresql)
you do not need to restart postgresql, this should just work with the
running system. And yes, this is the way how endcoding should be changed
although this is only valid for new alerts.
Does this not work?
BTW: ascii is not the best method, it will replace all non-printable
bytes into dots...
> - Update the table sensor, and change encoding field to 2.
No, this was not a good idea. The sensor name is related to the
encoding. If you change the ecoding you will get a new sensor id
for the database. If you just change the encoding direclty in the
table then you will loose the information which alerts are in hex
format and which are in ascii. This is directly related to the
sensor id.
Regards
Dirk
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
|