Hi there, Tenable's Passive Vulnerability Scanner can read PCAPs and convert hundreds of protocols into a log file, or stream the syslog to your log collector, including SQL queries.

Here are some example sanitized logs:

<36>Dec 02 14:44:17 pvs: A.B.C.D:1433|W.X.Y.Z:1433|6|7019|Database command logging|PVS has observed the following command from a database client to the database server (W.X.Y.Z): SELECT [ExternalRequests].[ID], [ExternalRequests].[WebPlatformConfigId], [ExternalRequests].[MappingName], [ExternalRequests].[TransactionNumber], [ExternalRequests].[ExternalId], [ExternalRequests].[State], [ExternalRequests].[Response] FROM [ExternalRequests] WHERE TransactionNumber = @0 ORDER BY ID DESC||NONE
<36>Dec 02 15:09:31 pvs: A.B.C.D:1433|W.X.Y.Z:1433|6|7019|Database command logging|PVS has observed the following command from a database client to the database server (W.X.Y.Z): SELECT * FROM EmailRouting||NONE
<36>Dec 02 14:50:22 pvs: A.B.C.D:1433|W.X.Y.Z:1433|6|7019|Database command logging|PVS has observed the following command from a database client to the database server (W.X.Y.Z): SELECT * FROM Transactions t JOIN Users u ON (t.Username = u.Username) WHERE TransactionNumber = @TransactionNumber;||NONE

There is a post here about how to analyze the recent PHP malware attack PCAP from Barracuda Labs which has a good example of how to create the logs from the pcap. It doesn't show SQL, but you get the gist of what PVS can do to create logs:

https://discussions.nessus.org/docs/DOC-1044

The PVS finds applications and vulns in network traffic to produce a Nessus-style report as well as realtime logs. Tenable offers a free evaluation of the PVS, which runs on Windows and Linux, at this link:

http://www.tenable.com/products/passive-vulnerability-scanner

It's also part of our SecurityCenter Continuous View solution, which lets you put as many Nessus and PVS sensors on your network as you need to ensure you have enough realtime monitoring of your network.

Ron Gula, CEO Tenable Network Security

On 11/25/13 6:09 PM, "Robin Wood" <[email protected]> wrote:
>I've got a pcap which contains unencrypted MSSQL traffic, can anyone
>recommend an app which will extract all the SQL?
>
>I can see it in Wireshark but it isn't decoding it for some reason, if
>I save the packets as text I can manipulate it into mostly readable
>form by some simple replaces but would rather a nice clean extraction,
>especially as I know this has usernames and passwords in.
>
>Robin
>_______________________________________________
>Pauldotcom mailing list
>[email protected]
>http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>Main Web Site: http://pauldotcom.com
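As an added example (not part of the thread and not Tenable's code), the Python below parses PVS "Database command logging" syslog lines of the kind quoted in Ron's reply and pulls the SQL out of the message field, which is the "nice clean extraction" Robin asked for once the traffic has been turned into PVS logs. The line layout (syslog priority, timestamp, `pvs:`, then pipe-separated client endpoint, server endpoint, IP protocol number, plugin ID, plugin name, message, and a trailing `||NONE`) is inferred from the three sample lines only; the sample lines here are constructed with private addresses and ephemeral client ports, the field names are my own, and the credential keyword list used for triage is an assumption.

```python
"""Parse PVS 'Database command logging' syslog lines and extract the SQL.

Added example: the line layout is inferred from the sanitized samples in the
post; the sample lines below are constructed, not real traffic.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input (private addresses, ephemeral client ports).
# The fourth line is a non-database PVS event and must be ignored.
SAMPLE_SYSLOG = """\
<36>Dec 02 14:44:17 pvs: 10.0.0.5:52311|10.0.0.9:1433|6|7019|Database command logging|PVS has observed the following command from a database client to the database server (10.0.0.9): SELECT [ExternalRequests].[ID], [ExternalRequests].[State] FROM [ExternalRequests] WHERE TransactionNumber = @0 ORDER BY ID DESC||NONE
<36>Dec 02 15:09:31 pvs: 10.0.0.5:52312|10.0.0.9:1433|6|7019|Database command logging|PVS has observed the following command from a database client to the database server 10.0.0.9): SELECT * FROM EmailRouting||NONE
<36>Dec 02 14:50:22 pvs: 10.0.0.7:49160|10.0.0.9:1433|6|7019|Database command logging|PVS has observed the following command from a database client to the database server (10.0.0.9): SELECT * FROM Transactions t JOIN Users u ON (t.Username = u.Username) WHERE TransactionNumber = @TransactionNumber;||NONE
<36>Dec 02 14:51:02 pvs: 10.0.0.7:49161|10.0.0.9:80|6|1442|HTTP server detection|A web server is running on this port||NONE
"""

# <PRI>MMM DD HH:MM:SS pvs: src|dst|proto|plugin|name|message||extra
# (layout inferred from the posted samples; the message is matched
# non-greedily so a '|' inside a statement does not break the split)
LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) pvs: "
    r"(?P<src>[^|]+)\|(?P<dst>[^|]+)\|(?P<proto>\d+)\|(?P<plugin>\d+)\|"
    r"(?P<name>[^|]*)\|(?P<msg>.*?)\|\|(?P<extra>[^|]*)$"
)

# The message has a fixed prefix naming the server; tolerate the missing
# "(" that one of the posted samples shows.
SQL_PREFIX_RE = re.compile(
    r"^PVS has observed the following command from a database client "
    r"to the database server \(?(?P<server>[^():\s]+)\)?:\s*(?P<sql>.*)$",
    re.S,
)

# Assumed keyword list for triaging "this has usernames and passwords in".
CREDENTIAL_RE = re.compile(r"\b(users?|password|passwd|pwd)\b", re.I)


@dataclass
class DbCommand:
    timestamp: str        # syslog timestamp as written (no year, no zone)
    client: str           # ip:port of the database client
    server_endpoint: str  # ip:port of the database server
    server: str           # server address named in the message text
    sql: str              # the observed statement, verbatim


def parse_line(line: str) -> Optional[DbCommand]:
    """Return a DbCommand for a database-command line, else None."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m or m.group("name") != "Database command logging":
        return None
    s = SQL_PREFIX_RE.match(m.group("msg"))
    if not s:
        return None
    return DbCommand(m.group("ts"), m.group("src"), m.group("dst"),
                     s.group("server"), s.group("sql").strip())


def extract_sql(syslog_text: str) -> List[DbCommand]:
    """Walk a syslog file or stream and keep only the SQL observations."""
    cmds = []
    for line in syslog_text.splitlines():
        cmd = parse_line(line)
        if cmd:
            cmds.append(cmd)
    return cmds


def queries_by_server(cmds: List[DbCommand]) -> Dict[str, List[str]]:
    """Group statements per database server, preserving log order."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for c in cmds:
        grouped[c.server].append(c.sql)
    return dict(grouped)


def mentions_credentials(sql: str) -> bool:
    """Cheap triage: does the statement touch user or password data?"""
    return CREDENTIAL_RE.search(sql) is not None


if __name__ == "__main__":
    for c in extract_sql(SAMPLE_SYSLOG):
        flag = " [credentials?]" if mentions_credentials(c.sql) else ""
        print(f"{c.timestamp} {c.client} -> {c.server}: {c.sql}{flag}")
```

Feed it the syslog file PVS writes (or the stream your collector receives) instead of `SAMPLE_SYSLOG`; everything that is not a database-command event is dropped, and the credential check only points you at statements worth reading by hand, it is not a classifier.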
