[Snort-users] Swatch

Nicholas Horton fivetenets at ...14399...
Thu Aug 30 22:28:53 EDT 2012


Would anyone have a quick example of a swatch config that would be able to look for a specific gid:sid and then launch an expect or Tcl script?

I'm now not looking for an email option from my snortbox but a mechanism for real time monitoring/active response.

For example, let's say I configure a watchfor to look for the word Conficker in a Snort alert.

I don't want the virus to spread and notify tomorrow via snorby.

I would like, given that specific alert, to pass the source and/or destination to an expect script and run the script.

Also is it possible to get the source and destination values from var/log/messages or would I need a diff output from barnyard2?

I'm running snort 2.9.2.3 and search 3.2.3 on CentOS 6.3.

thanks again as always,
Nick
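As an added example (not from this thread, swatch or Snort), here is a small Python dispatcher that a swatch stanza could hand the matched line to, for instance `watchfor /\[1:2001:\d+\]/` followed by `exec "/usr/local/bin/snort_dispatch.py $0"` (assumed stanza). It parses Snort's alert_syslog line format to recover gid:sid and the source/destination pair, and only passes them to a responder for an exact gid:sid match rather than on message text; the sample lines, the watched gid:sid 1:2001 and the responder path are constructed assumptions.

```python
import re
import subprocess
import sys

# Constructed sample lines in Snort's alert_syslog format; not from the original post.
SAMPLE_LINES = [
    "Aug 30 22:10:01 snortbox snort[2143]: [1:2001:3] ET WORM Conficker.B shellcode "
    "[Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 10.0.0.5:4862 -> 192.168.1.10:445",
    "Aug 30 22:10:02 snortbox snort[2143]: [1:1000001:1] LOCAL test rule "
    "[Priority: 3] {ICMP} 10.0.0.7 -> 192.168.1.1",
    "Aug 30 22:10:03 snortbox sshd[911]: Accepted publickey for nick from 10.0.0.9 port 51022",
]

# [gid:sid:rev] msg [Classification: ...] [Priority: N] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"(?:\[Classification: [^\]]*\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)
WATCHED = {("1", "2001")}              # gid:sid pairs that warrant a response (hypothetical)
RESPONDER = "/usr/local/bin/block.exp"  # hypothetical expect script taking: src dst gid:sid

def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a Snort alert."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None

def should_respond(alert):
    """Match on the exact gid:sid pair, not on free text in the message."""
    return alert is not None and (alert["gid"], alert["sid"]) in WATCHED

def build_command(alert, responder=RESPONDER):
    """Argument vector for the responder: argv, not a shell string, so fields cannot inject."""
    return [responder, alert["src"], alert["dst"], f"{alert['gid']}:{alert['sid']}"]

def dispatch(line, run=False):
    """Parse one line; return the command it maps to (running it if run=True) or None."""
    alert = parse_alert(line)
    if not should_respond(alert):
        return None
    cmd = build_command(alert)
    if run:
        subprocess.run(cmd, check=False, timeout=30)  # bound the responder's runtime
    return cmd

if __name__ == "__main__":
    # swatch's $0 may arrive as several argv words; rejoin them. With no argv, use the samples.
    lines = [" ".join(sys.argv[1:])] if len(sys.argv) > 1 else SAMPLE_LINES
    for l in lines:
        print(dispatch(l))
```

Run it with no arguments to see which constructed sample lines would trigger the responder; pass `run=True` only once the responder script exists and has been tested by hand.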



