[Snort-users] Output Plugin writing

eschnei at ...14108... eschnei at ...14108...
Fri Apr 27 08:51:44 EDT 2007


I guess I wasn't being clear enough earlier, my apologies. I need to use a
plug-in, or write a plug-in that allows me to take selected data from the
packet and put it in a pipe-delimited file so our reporting program we
already have in place can read the file. My problem is, I'm having trouble
finding a template to follow, and the attributes for the different data
structures, especially the Packet one. I hope that helps clear things up.

Thanks,
Brian

>
> I forgot to mention that you can use the ruby unified code that Caswell
> put out too.
>
> http://www.shmoo.com/~bmc/software/ruby/unified.html
>
>
> Jason Brvenik wrote:
>> best way is to use unified logging and barnyard or snortunified.pm to
>> create the formats you need.
>>
>> -- from the road
>>
>> -----Original Message-----
>> From: eschnei at ...14108...
>> Date: Thu, 26 Apr 2007 16:09:00
>> To:"Joel Esler" <joel.esler at ...1935...>
>> Cc:snort-users at lists.sourceforge.net
>> Subject: Re: [Snort-users] Output Plugin writing
>>
>> I have looked at the ruletypes, and that was what I was using at first.
>> The only problem is I need to pull out data from the packet and format
>> it for our own reporting system, that is pipe-delimited.
>>
>> Brian
>>
>> Have you ever looked at the custom output options?  Search for the
>> word "redalert" in your snort.conf.
>>
>>
>> +---------------------------------------------------------------------+
>> Joel Esler                                         Security Consultant
>>      gpg key: http://demo.sourcefire.com/jesler.pgp.key
>> +---------------------------------------------------------------------+
>>
>>
>>
>> On Apr 26, 2007, at 3:19 PM, eschnei at ...14108... wrote:
>>
>>>>> Hi,
>>>>> I am a new snort user, I've been able to write some customized
>>>>> rules and look at different output options snort provides as a
>>>>> default. I want to have it only called when I hit my customized
>>>>> rules, and then based on the rule it hits and the attributes for
>>>>> the rule, I want the alert and packet data written to a specific
>>>>> file that isn't the alert file the other snort rules use. That
>>>>> being said, I am having trouble setting up the plugin, the
>>>>> different functions that need to be inside of it so snort can use it.
>>>>> Does anybody have a good template I might be able to use?  Thanks
>>>>> for your help.
>>>>>
>>>>> Brian
>>>>>
>>>>> -------------------------------------------------------------------------
>>>>> This SF.net email is sponsored by DB2 Express
>>>>> Download DB2 Express C - the FREE version of DB2 express and take
>>>>> control of your XML. No limits. Just data. Click to get it now.
>>>>> http://sourceforge.net/powerbar/db2/
>>>>> _______________________________________________
>>>>> Snort-users mailing list
>>>>> Snort-users at lists.sourceforge.net
>>>>> Go to this URL to change user options or unsubscribe:
>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>> Snort-users list archive:
>>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>>
>>>
>
>
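Following Jason's pointer to unified logging above, here is a small parser for Snort's unified2 event records that emits one pipe-delimited line per event and keeps only the sids of the custom rules. This is an added example, not code from this thread, Snort or barnyard; the record layout (type 7 = Unified2IDSEvent_legacy, 52-byte big-endian body after a type/length header) is assumed from the unified2 format rather than taken from the thread, and the two-event stream is constructed inline.

```python
import socket
import struct

# Unified2 layout assumed (not from the thread): big-endian (type, length)
# header, then `length` payload bytes; type 7 is the IPv4 legacy event record.
UNIFIED2_IDS_EVENT = 7
_EVENT_FMT = "!9I4s4sHHBBBB"             # 52-byte event body
_EVENT_LEN = struct.calcsize(_EVENT_FMT)
_OUT_FIELDS = ("event_second", "gid", "sid", "rev", "priority",
               "src", "sport", "dst", "dport", "proto")

def iter_records(blob):
    """Yield (type, payload) for each record; refuse truncated input."""
    off = 0
    while off + 8 <= len(blob):
        rtype, rlen = struct.unpack_from("!II", blob, off)
        off += 8
        if off + rlen > len(blob):
            raise ValueError("truncated unified2 record at offset %d" % off)
        yield rtype, blob[off:off + rlen]
        off += rlen

def parse_event(payload):
    """Decode a Unified2IDSEvent_legacy body into named fields."""
    if len(payload) < _EVENT_LEN:
        raise ValueError("short event record (%d bytes)" % len(payload))
    f = struct.unpack(_EVENT_FMT, payload[:_EVENT_LEN])
    return {"event_second": f[2], "sid": f[4], "gid": f[5], "rev": f[6],
            "priority": f[8], "src": socket.inet_ntoa(f[9]),
            "dst": socket.inet_ntoa(f[10]), "sport": f[11],
            "dport": f[12], "proto": f[13]}

def to_pipe_lines(blob, wanted_sids):
    lines = []
    for rtype, payload in iter_records(blob):
        if rtype != UNIFIED2_IDS_EVENT:
            continue                       # skip packet / extra-data records
        e = parse_event(payload)
        if e["sid"] in wanted_sids:        # only the custom rules
            lines.append("|".join(str(e[k]) for k in _OUT_FIELDS))
    return lines

def sample_blob():
    """Constructed two-event stream: custom sid 1000001, then stock sid 2000."""
    def ev(sid, src, dst, sport, dport):
        body = struct.pack(_EVENT_FMT, 1, 7, 1177677104, 0, sid, 1, 2, 3, 1,
                           socket.inet_aton(src), socket.inet_aton(dst),
                           sport, dport, 6, 0, 0, 0)
        return struct.pack("!II", UNIFIED2_IDS_EVENT, len(body)) + body
    return ev(1000001, "10.0.0.5", "192.0.2.8", 40000, 80) + ev(2000, "10.0.0.6", "192.0.2.9", 1234, 22)
```

All emitted fields are numeric or dotted-quad, so no field can contain the delimiter; if the rule message is added later from a sid-msg map, escape or strip any `|` in it before joining.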