[Snort-users] execute external program

Matt Kettler mkettler at ...4108...
Wed Oct 12 12:04:20 EDT 2005

Gaston Martres wrote:
> Hi.
> I was wondering if is possible to execute an external program when a
> event or alert in snort is triggered.
> I was looking on google, but, or I have searched in a wrong way or this
> is not possible.

It is not possible. See the FAQ on getting snort to email you.

Executing a process directly from snort is so expensive it would bog snort down
and cause it to miss a very substantial number of packets.

In general a better way is to use swatch or logsurfer to monitor the snort logs
and trigger processes. This is a little less "real-time", but it should happen
within a hundred milliseconds or so.


More information about the Snort-users mailing list