[Snort-users] Re: execute external program

Sam Evans wintrmte at ...11827...
Thu Oct 13 07:25:31 EDT 2005


Something else I would throw out is to use something like SEC (Simple Event
Correlator) to watch the log and then trigger on an event. This way it's
completely detached from Snort.

I use it quite extensively and have found it to be an invaluable tool.

http://sourceforge.net/projects/simple-evcorr/

HTH,
Sam

On 10/13/05, Simon Biles <simon.biles at ...11827...> wrote:
>
> Hi,
>
> Use alert_unixsock and alert to a socket, then write a small program
> to listen to the socket, and run whatever application that you choose
> upon receipt of the trigger.
>
> Below is a quick bit of Perl to listen to a socket ...
>
> #!/usr/bin/perl
>
> # Include the socket libraries
>
> use strict;
> use warnings;
> use IO::Socket;
>
> # This is the template to capture the Alert Name (the first 256 bytes
> # of each datagram). Edit this to get the additional packet data.
>
> my $TEMPLATE = "A256 A*";
>
> # Release the socket if it already exists
>
> unlink "/var/log/snort/snort_alert";
>
> # In case of user termination - exit gracefully.
>
> $SIG{TERM} = $SIG{INT} = sub { exit 0 };
>
> # Open up the socket.
> my $client = IO::Socket::UNIX->new(Type  => SOCK_DGRAM,
>                                    Local => "/var/log/snort/snort_alert")
>     or die "Socket: $@";
>
> print STDOUT "Socket Open ... \n";
>
> # Loop receiving data from the socket, pulling out the
> # alert name and printing it.
>
> my $data;
>
> while (1) {
>     # Read one whole datagram; a 1024-byte buffer would silently
>     # truncate everything after the alert name.
>     defined recv($client, $data, 65535, 0) or die "recv: $!";
>     my @FIELDS = unpack($TEMPLATE, $data);
>
>     # Insert your code here to do whatever ....
>
>     print "$FIELDS[0]\n";
> }
>
> # At termination close up the socket again.
>
> END { unlink "/var/log/snort/snort_alert"; }
>
> Have fun,
>
> Cheers,
>
> Si
>
> On 10/12/05, Matt Kettler <mkettler at ...4108...> wrote:
> > Gaston Martres wrote:
> > > Hi.
> > >
> > > I was wondering if it is possible to execute an external program when an
> > > event or alert in snort is triggered.
> > >
> > > I was looking on google, but either I have searched in a wrong way or this
> > > is not possible.
> >
> > It is not possible. See the FAQ on getting snort to email you.
> >
> > Executing a process directly from snort is so expensive it would bog snort
> > down and cause it to miss a very substantial number of packets.
> >
> >
> > In general a better way is to use swatch or logsurfer to monitor the snort
> > logs and trigger processes. This is a little less "real-time", but it should
> > happen within a hundred milliseconds or so.
> >
> > http://www.snort.org/docs/faq/1Q05/node94.html
> >
> >
> > -------------------------------------------------------
> > This SF.Net email is sponsored by:
> > Power Architecture Resource Center: Free content, downloads,
> discussions,
> > and more. http://solutions.newsforge.com/ibmarch.tmpl
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
>
>
> --
> Simon Biles
> CISSP, OPSA, BS7799 Lead Auditor, MBCS
>
>
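An added example (the editor's, not code from the thread or from the Snort project) of the alert_unixsock approach in Python rather than Perl. It shows the two things the thread asks for and the Perl sketch leaves to "insert your code here": the socket is drained by one thread and the external program is spawned by another, so a slow handler never backs up into the sensor, and each alert text may spawn the handler only a bounded number of times per window, so a flood of one signature does not fork-bomb the box. The handler receives the alert text as a single argv element with no shell in between. The only assumption about the datagram is the one the Perl template also makes, that it begins with Snort's 256-byte NUL-padded alert message; the packet data that follows has a platform-dependent layout and is carried along unparsed. The socket path, the handler command, the sample alert texts and the malformed datagram are all constructed for the demo and are not Snort output.

```python
import os
import queue
import socket
import struct
import subprocess
import sys
import tempfile
import threading
import time
from collections import defaultdict, deque

ALERTMSG_LENGTH = 256  # Snort's alertmsg[] field, the "A256" of the Perl template; the rest stays opaque

def build_alert_datagram(msg, rest=b""):
    """Constructed stand-in for a Snort datagram: NUL-padded message, then opaque packet bytes."""
    return struct.pack("256s", msg.encode("latin-1")) + rest

def parse_alertpkt(datagram):
    """Return (alert text, remaining bytes); reject datagrams too short to hold alertmsg."""
    if len(datagram) < ALERTMSG_LENGTH:
        raise ValueError("datagram shorter than the alertmsg field")
    return datagram[:ALERTMSG_LENGTH].split(b"\0", 1)[0].decode("latin-1"), datagram[ALERTMSG_LENGTH:]

class AlertListener:
    """A reader thread drains the socket; a worker thread throttles alerts and runs the handler."""
    def __init__(self, sock_path, command, max_per_window=5, window_s=60.0, queue_size=1000):
        self.sock_path, self.command = sock_path, list(command)
        self.max_per_window, self.window_s, self.windows = max_per_window, window_s, defaultdict(deque)
        self.queue, self.stop_flag = queue.Queue(maxsize=queue_size), threading.Event()
        self.stats = dict(received=0, dropped_full=0, malformed=0, throttled=0, executed=0, failed=0)
        if os.path.exists(sock_path):
            os.unlink(sock_path)  # stale socket left by an earlier run
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        self.sock.bind(sock_path)
        self.sock.settimeout(0.2)  # lets the reader poll the stop flag between datagrams
        self.reader = threading.Thread(target=self._reader, daemon=True)
        self.worker = threading.Thread(target=self._worker, daemon=True)
        self.reader.start()
        self.worker.start()

    def _reader(self):
        # Only job: take datagrams off the socket fast, so Snort never waits on this process.
        while True:
            try:
                data = self.sock.recv(65536)
            except socket.timeout:
                if self.stop_flag.is_set():
                    return  # shutdown requested and the socket is empty
                continue
            self.stats["received"] += 1
            try:
                self.queue.put_nowait(data)
            except queue.Full:
                self.stats["dropped_full"] += 1  # shed load here, never back-pressure the sensor

    def _allow(self, msg, now=None):
        # Sliding window: at most max_per_window handler runs per distinct alert text.
        now, q = (time.monotonic() if now is None else now), self.windows[msg]
        while q and now - q[0] > self.window_s:
            q.popleft()
        if len(q) >= self.max_per_window:
            return False
        q.append(now)
        return True

    def _worker(self):
        for data in iter(self.queue.get, None):  # blocks on the queue; a None sentinel ends the loop
            try:
                msg, _packet = parse_alertpkt(data)
            except ValueError:
                self.stats["malformed"] += 1
                continue
            if not self._allow(msg):
                self.stats["throttled"] += 1
                continue
            try:  # argv list, no shell: the alert text is one argument and is never parsed by /bin/sh
                rc = subprocess.run(self.command + [msg], timeout=30, check=False).returncode
            except (OSError, subprocess.TimeoutExpired):
                rc = None
            self.stats["executed" if rc == 0 else "failed"] += 1

    def stop(self):
        self.stop_flag.set()
        self.reader.join()      # returns once every queued datagram has been read
        self.queue.put(None)    # sentinel behind the real data; the worker drains, then exits
        self.worker.join()
        self.sock.close()
        os.unlink(self.sock_path)

def demo(n_repeats=8, max_per_window=3):
    """Constructed end-to-end run: a fake sensor floods one alert and the throttle caps the fan-out."""
    with tempfile.TemporaryDirectory() as tmp:
        sock_path, log_path = os.path.join(tmp, "snort_alert"), os.path.join(tmp, "handled.log")
        # Hypothetical handler: a one-line program that appends its alert argument to a file.
        handler = [sys.executable, "-c",
                   "import sys; open(sys.argv[1], 'a').write(sys.argv[2] + '\\n')", log_path]
        listener = AlertListener(sock_path, handler, max_per_window=max_per_window, window_s=60)
        sensor = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        for _ in range(n_repeats):
            sensor.sendto(build_alert_datagram("ICMP PING NMAP", b"\0" * 64), sock_path)
        sensor.sendto(build_alert_datagram("WEB-MISC /etc/passwd"), sock_path)
        sensor.sendto(b"too short", sock_path)  # malformed: shorter than alertmsg
        sensor.close()
        listener.stop()
        with open(log_path) as f:
            handled = f.read().splitlines()
    return listener.stats, handled
```

demo() returns the counters and the lines the handler wrote: eight copies of one alert reach the socket, three reach the handler, the rest are counted as throttled, and the short datagram is counted as malformed rather than crashing the worker. For real use, construct AlertListener with the path Snort's alert_unixsock output writes to (the /var/log/snort/snort_alert of the Perl above) and your own command; the listener must be started first, as it creates the socket, and it must run as a user allowed to create that path where Snort can write to it.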