fivetenets at ...14399...
Thu Aug 30 22:28:53 EDT 2012
Would anyone have a quick example of a swatch config that would be able to look for a specific gid:sid and then launch an expect or Tcl script?
I'm now not looking for an email option from my snortbox but a mechanism for real time monitoring/active response.
For example, let's say I configure a watchfor to look for the word Conficker in a snort alert.
I don't want the virus to spread and notify tomorrow via snorby.
I would like given that specific alert to pass the source and/or destination to an expect script and run the script.
Also is it possible to get the source and destination values from var/log/messages or would I need a diff output from barnyard2?
I'm running snort 18.104.22.168 and swatch 3.2.3 on CentOS 6.3.
thanks again as always,
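An added example, not from the thread, of a swatch stanza that hands a matching Snort syslog alert to a response script, with the script parsing out gid:sid, source and destination; it assumes Snort logs to syslog, and the gid:sid, script path and addresses are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed setup: Snort logs alerts to
# syslog (output alert_syslog), swatch tails /var/log/messages, and a stanza
# like this one passes the whole matched line ($0, a swatch substitution) to
# this script. The gid:sid 1:2003068, the path and the addresses are placeholders.
#
#   # ~/.swatchrc (constructed)
#   watchfor /snort\[\d+\]: \[1:2003068:\d+\]/
#       exec "/usr/local/bin/snort-respond.sh '$0'"
#
# A Snort syslog alert ends in "{PROTO} SRC[:SPORT] -> DST[:DPORT]". The message
# text varies in length per rule, so swatch's positional $N fields land on
# different words; parse the whole line instead.

# parse_alert LINE: prints "GID:SID SRC DST", or returns 1 if LINE is not a Snort alert.
parse_alert() {
    sig=$(printf '%s\n' "$1" | sed -n 's/.*\[\([0-9][0-9]*:[0-9][0-9]*\):[0-9][0-9]*\].*/\1/p')
    [ -n "$sig" ] || return 1
    ends=$(printf '%s\n' "$1" | sed -n 's/.*} \([0-9.][0-9.]*\)[^ ]* -> \([0-9.][0-9.]*\).*/\1 \2/p')
    [ -n "$ends" ] || return 1
    printf '%s %s\n' "$sig" "$ends"
}

# plan_response SRC: prints the containment command for SRC, or "skip" for
# addresses never to block (constructed allowlist: gateway and the snortbox itself).
plan_response() {
    case "$1" in
        10.0.0.1|10.0.0.9) echo "skip" ;;
        *) echo "iptables -I INPUT -s $1 -j DROP" ;;
    esac
}

# main LINE: log what was parsed, then run the planned command (or print it when DRY_RUN is set).
main() {
    parsed=$(parse_alert "$1") || { logger -t snort-respond "ignored: $1"; return 0; }
    set -- $parsed
    cmd=$(plan_response "$2")
    logger -t snort-respond "sig=$1 src=$2 dst=$3 action=$cmd"
    if [ "$cmd" = "skip" ]; then return 0; fi
    if [ -n "$DRY_RUN" ]; then echo "$cmd"; else eval "$cmd"; fi
}

if [ $# -gt 0 ]; then
    main "$1"
fi
```

Run it with DRY_RUN=1 to see the command it would issue before letting swatch call it for real. Swatch runs the exec string through the shell, so an alert message containing a single quote would break the '$0' quoting; keeping all parsing inside the script, rather than in swatch's $N fields, limits what the config has to get right.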