[Snort-users] Need help with snort output to bash script.

Matt Kettler mkettler at ...4108...
Wed May 5 12:36:01 EDT 2004


At 01:11 PM 5/4/2004, Thomas Lauret wrote:
>OK perhaps someone here can help me.
>I want to get snort to run a bash script with the
>originating ip address of an event as a variable.
>I want that as an output instead of it being logged,
>just run a script, with the attacking ip address as a
>variable.
>How do I do it?

You don't.

The overhead of executing a bash script would crush snort's performance, 
leading to loss of large numbers of packets, resulting in possible missed 
attacks and rendering your snort system largely useless, as attackers could 
evade it with great ease.

Fundamentally, what is it that you're trying to accomplish? Perhaps there's 
a different way.

Normally you'd want to log the packets, and have a logwatcher call your 
bash script when events of interest happen.
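
A logwatcher of the kind described above, as an added example that is not part of the original message: it reads Snort fast-format alert lines from standard input, validates the source address, and runs a response script with that address as its only argument, outside the Snort process. The 10.0.0.0/8 exemption, the 300-second cooldown, the sample alert lines and the script path given on the command line are assumptions for illustration.

```python
import ipaddress
import re
import subprocess
import sys
import time

# alert_fast lines end with "{PROTO} src[:port] -> dst[:port]" (IPv4 only here)
SRC_RE = re.compile(r"\{\w+\}\s+(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->\s")
# Constructed sample alerts, not captured from a real sensor
SAMPLE = (
    "05/05-12:36:01.000000  [**] [1:1000001:1] constructed rule [**] [Priority: 2] {TCP} 192.0.2.10:4321 -> 10.0.0.5:80",
    "05/05-12:36:02.000000  [**] [1:1000001:1] constructed rule [**] [Priority: 2] {TCP} 192.0.2.10:4322 -> 10.0.0.5:80",
    "05/05-12:36:03.000000  [**] [1:1000002:1] constructed rule [**] [Priority: 3] {ICMP} 10.0.0.7 -> 10.0.0.5",
)

def parse_source_ip(line):
    """Return the validated source address of an alert line, or None."""
    m = SRC_RE.search(line)
    try:
        return ipaddress.IPv4Address(m.group(1)) if m else None
    except ValueError:  # looks like an address but is not one, e.g. 999.1.1.1
        return None

class Responder:
    """Runs the response script at most once per source address per cooldown."""
    def __init__(self, script, cooldown=300.0, exempt=("10.0.0.0/8",), run=subprocess.run):
        self.script, self.cooldown, self.run = script, cooldown, run
        self.exempt = [ipaddress.ip_network(n) for n in exempt]  # never act on these
        self.last = {}  # source address -> time the script last ran for it

    def handle(self, line, now=None):
        ip = parse_source_ip(line)
        if ip is None or any(ip in net for net in self.exempt):
            return False
        now = time.monotonic() if now is None else now
        if ip in self.last and now - self.last[ip] < self.cooldown:
            return False
        self.last[ip] = now
        try:  # argument list, no shell: log text is never parsed as a command
            self.run([self.script, str(ip)], check=False, timeout=30)
        except (OSError, subprocess.TimeoutExpired):
            pass  # a failing script must not stop the watcher
        return True

if __name__ == "__main__":  # usage: tail -F <alert file> | python3 watcher.py <script>
    responder = Responder(sys.argv[1])
    for line in sys.stdin:
        responder.handle(line)
```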
