[Snort-users] output plugins... execute command?

Matt Kettler mkettler at ...4108...
Wed Nov 5 16:35:04 EST 2003

At 04:31 PM 11/5/2003, David R. wrote:
>I'm sorry if this seems like such an obvious question, but is there an 
>output plugin that will execute a shell command? I haven't found any 
>evidence of one so far. If not, why not? I would like to send SMS messages 
>to my cell when an alert or attack comes up, but the way I see it now I 
>would have to use a third-party program to monitor the snort alert file... 
>Doesn't it seem more logical to be able to issue these alerts directly 
>from snort itself?

No, it doesn't have that output plugin because it's a security hole.

Command execution is INSANELY slow by comparison to the speed at which 
snort needs to operate.. this would cause snort to drop a very large 
number of packets, opening the door for someone to attack your network 
without being noticed while snort spent time executing a process.

This is really the domain of logwatching tools like logwatch, swatch, etc.. 
read the FAQ about getting snort to send you email.

The only disadvantage of a log watcher is that it might take it a few 
hundred milliseconds to start responding.. but in the case of an email, or 
sms message, that overhead isn't noticeable. It will take at least twice as 
long just for the message to send.
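
A sketch of the log-watcher approach described in the reply above, added here as an example and not taken from the original post or from Snort, logwatch or swatch. It assumes Snort's "fast" alert format, an alert file at /var/log/snort/alert, and a hypothetical notifier script at /usr/local/bin/send-sms; the sample lines are constructed.

```python
import re, subprocess, time
NOTIFIER = "/usr/local/bin/send-sms"  # hypothetical placeholder for your SMS/e-mail script

# Snort "fast" alert line: ts [**] [gid:sid:rev] msg [**] ... {PROTO} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)")
SAMPLE = [  # constructed alert lines using documentation address ranges
    "11/05-16:31:02.100000  [**] [1:1000001:1] Constructed test alert [**] [Priority: 2] {TCP} 192.0.2.10:4444 -> 198.51.100.5:80",
    "11/05-16:31:02.200000  [**] [1:1000001:1] Constructed test alert [**] [Priority: 2] {TCP} 192.0.2.10:4445 -> 198.51.100.5:80",
    "11/05-16:31:03.000000  [**] [1:1000002:1] Another constructed alert [**] [Priority: 1] {ICMP} 192.0.2.10 -> 198.51.100.5",
]

def parse_alert(line):
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None

class Throttle:  # at most one notification per (sid, source host) per window
    def __init__(self, window=300.0):
        self.window, self.last = window, {}
    def allow(self, alert, now):
        key = (alert["sid"], alert["src"].split(":")[0])  # IPv4 host, port dropped
        if now - self.last.get(key, float("-inf")) < self.window:
            return False  # same rule and host fired recently: stay quiet
        self.last[key] = now
        return True

def build_command(alert):
    text = "snort sid={sid} {msg} {src} -> {dst}".format(**alert)
    text = re.sub(r"[^\x20-\x7e]", "?", text)[:140]  # printable ASCII, SMS-sized
    return [NOTIFIER, text]  # argv list: no shell ever parses the alert text

def process_lines(lines, throttle, now_fn=time.time):
    for alert in map(parse_alert, lines):
        if alert and throttle.allow(alert, now_fn()):
            yield build_command(alert)

def follow(path, poll=0.2):  # like tail -f; log rotation is not handled
    with open(path) as f:
        f.seek(0, 2)  # start at end of file: only new alerts
        while True:
            line = f.readline()
            if line:
                yield line
            else:
                time.sleep(poll)

if __name__ == "__main__":
    for cmd in process_lines(follow("/var/log/snort/alert"), Throttle()):
        subprocess.run(cmd, check=False)  # a slow notifier stalls this watcher, never Snort
```

The throttle matters for the same reason the reply gives: a burst of identical alerts should not turn into a burst of process launches or text messages.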

