[Snort-users] execute external program

Matt Kettler mkettler at ...4108...
Wed Oct 12 12:04:20 EDT 2005


Gaston Martres wrote:
> Hi.
> 
> I was wondering if it is possible to execute an external program when an
> event or alert in snort is triggered.
> 
> I was looking on google, but either I have searched in the wrong way or this
> is not possible.

It is not possible. See the FAQ on getting snort to email you.

Executing a process directly from snort is so expensive it would bog snort down
and cause it to miss a very substantial number of packets.


In general a better way is to use swatch or logsurfer to monitor the snort logs
and trigger processes. This is a little less "real-time", but it should happen
within a hundred milliseconds or so.

http://www.snort.org/docs/faq/1Q05/node94.html
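
An added example, not part of the original message and not code from swatch, logsurfer or Snort: a small watcher in the spirit of the log-monitoring approach above, which tails a Snort alert file, throttles repeats and starts an external program outside the sniffing process. It assumes the one-line "fast" alert format; the handler program, the file path passed to `watch` and the sample line are constructed for illustration.

```python
import re
import subprocess
import time

# Assumed format: Snort one-line "fast" alert (timestamp, gid:sid:rev, msg, proto, src -> dst)
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)")

SAMPLE = ("10/12-12:04:20.123456  [**] [1:1000001:1] Constructed test alert [**] "
          "[Classification: Misc activity] [Priority: 3] {TCP} "
          "192.0.2.10:1234 -> 198.51.100.5:80")  # constructed sample line

def parse_alert(line):
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None

class Throttle:
    """Allow one action per key every `interval` seconds (an alert flood
    must not become a process flood)."""
    def __init__(self, interval=60.0):
        self.interval, self.last = interval, {}

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        if key in self.last and now - self.last[key] < self.interval:
            return False
        self.last[key] = now
        return True

def build_command(handler, alert):
    # Alert fields derive from network traffic: pass them as argv, never via a shell.
    return [handler, alert["sid"], alert["src"], alert["dst"], alert["msg"]]

def follow(path, poll=0.1):
    buf = ""
    with open(path, "r", errors="replace") as fh:
        fh.seek(0, 2)                      # start at end of file, like tail -f
        while True:
            chunk = fh.readline()
            if not chunk:
                time.sleep(poll)           # roughly the latency quoted above
                continue
            buf += chunk
            if buf.endswith("\n"):         # only act on completely written lines
                yield buf
                buf = ""

def watch(path, handler, interval=60.0):
    throttle = Throttle(interval)
    for line in follow(path):
        alert = parse_alert(line)
        if alert and throttle.allow((alert["sid"], alert["src"])):
            subprocess.Popen(build_command(handler, alert))  # does not block the watcher
```

Log rotation is not handled here; a production watcher would reopen the file when it is replaced.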



