[Snort-users] run a user+defined program

Bennett Todd bet at ...6163...
Fri Jul 25 08:48:02 EDT 2003


2003-07-25T04:33:24 Taylan han:
> is it possible to run a user defined command if an alert has been
> received from snort? how? would you please help me on this..

Easy. Use something like swatch or sec to tail the logfile, and
trigger execution of the command. Decouple such from the snort
process --- and as your load goes up, be prepared to move the
log+tailer+external-cmd to a completely separate machine. Syslog is
an easy way to do this.

Snort doesn't have provisions to directly execute a program on
alert, and doesn't want such a feature --- it would destroy the
performance.

-Bennett
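
A sketch of the tail-and-trigger arrangement described in the reply above, as an added example that is not part of the original message and not Snort, swatch or sec code. It assumes the log tailer is `tail -F` piped into the script, that alerts arrive as one-line fast or syslog-style lines carrying `[gid:sid:rev]` and `{PROTO} src -> dst`, and that the sample line and the command given on the command line are constructed placeholders.

```python
import re
import subprocess
import sys
import time

# Assumed layout: "[gid:sid:rev] msg [**]|[Classification ...] {PROTO} src -> dst"
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)"
    r"\s+\[(?:\*\*|Classification|Priority).*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)")
# Constructed sample line (documentation addresses, made-up SID)
SAMPLE_FAST = ("07/25-08:48:02.000000  [**] [1:1000001:1] Constructed test; alert "
               "[**] [Classification: Misc activity] [Priority: 3] "
               "{TCP} 192.0.2.10:4242 -> 198.51.100.5:80")

def parse_alert(line):
    """Return the alert fields as a dict, or None for non-alert lines."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None

def run_cmd(argv):
    try:
        subprocess.run(argv, timeout=30, check=False)
    except (OSError, subprocess.TimeoutExpired):
        pass  # a failing or hung handler must not stop the tailer

class Dispatcher:
    """Run argv at most once per (sid, source host) per window, so a flood
    of alerts cannot turn into a flood of processes."""
    def __init__(self, argv, window=60.0, clock=time.monotonic, run=run_cmd):
        self.argv, self.window, self.clock, self.run = list(argv), window, clock, run
        self.last = {}

    def handle(self, line):
        alert = parse_alert(line)
        if alert is None:
            return False
        key = (alert["sid"], alert["src"].rsplit(":", 1)[0])  # IPv4 addr:port assumed
        now, prev = self.clock(), self.last.get(key)
        if prev is not None and now - prev < self.window:
            return False
        self.last[key] = now
        # Log text is untrusted: pass fields as argv items, never via a shell string
        self.run(self.argv + [alert["sid"], alert["src"], alert["dst"], alert["msg"]])
        return True

if __name__ == "__main__":  # tail -F <alert file> | python3 <this script> <command>
    if len(sys.argv) < 2:
        sys.exit("usage: tail -F <alert file> | <this script> <command> [args]")
    dispatcher = Dispatcher(sys.argv[1:])
    for log_line in sys.stdin:
        dispatcher.handle(log_line)
```

Because the script only reads lines from standard input, the same pipeline works unchanged on a separate log host that receives the alerts over syslog.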