[Snort-users] Process Snort alerts on real time

wkitty42 at ...14940...
Tue Feb 21 07:54:27 EST 2017


On 02/21/2017 04:56 AM, Ana Serrano Mamolar wrote:
> Hi, and thanks for your response.
>
> I am already using Barnyard, but it doesn't fit my needs, since I have to request
> alerts and am not notified instantly when an alert is triggered.
> Also I need the entire payload of the packet, and Barnyard doesn't provide all I need.

AFAIK, barnyard2 only provides transportation of the alerts into the database... 
nothing else... you have to use other tools to analyze the database and those 
tools will perform your alerts...

> Maybe I haven't been clear in my first message, but what I need is something
> that notifies me of a new alert in real time, at the moment it is
> triggered.

in that case, you could whip up something in perl that monitors the alert file 
and sends your flash message when it detects what you've configured it to react 
to... i have maintained an active response tool that effectively tails the alert 
file and issues iptables/ipset rules based on activity... you can do similar 
except instead of iptables/ipset stuff, do your text messaging thing...

-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
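As an added example (not code from this thread, from the responder's own tool, or from the Snort project), here is the alert-file tailer the reply describes, written in Python instead of the Perl it suggests. It assumes Snort is writing `alert_fast` format to a file whose path is passed on the command line (the default `/var/log/snort/alert` is an assumption, not a value from the thread), and the sample alert lines, SIDs and addresses are constructed for the test. The tailer starts at the end of the file, follows it across log rotation by watching the inode, only emits complete lines, and calls a notify hook for alerts that match a watched SID or meet a priority threshold; the hook is where the text-message sending would go. One caveat for the original question: the fast alert format carries timestamp, rule id, message, classification, priority and addresses, but no packet payload, so payload needs unified2 output or packet logging alongside.

```python
import os
import re
import sys
import time
from typing import Callable, Iterable, Iterator, Optional

# Snort "alert_fast" line, e.g. (constructed sample):
#   02/21-07:54:27.123456  [**] [1:1000001:1] MSG [**] [Classification: X] [Priority: 2] {TCP} a:p -> b:p
# The year (snort -y) and the Classification bracket are both optional.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d(?:/\d\d)?-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def parse_fast_alert(line: str) -> Optional[dict]:
    """Return the alert's fields as a dict, or None if the line is not a fast alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        alert[key] = int(alert[key])
    return alert


def should_notify(alert: dict, watch_sids: set, max_priority: int) -> bool:
    """Snort priority 1 is the most severe, so 'prio <= max_priority' means 'at least this severe'."""
    return alert["sid"] in watch_sids or alert["prio"] <= max_priority


def process_lines(lines: Iterable[str], watch_sids: set, max_priority: int,
                  notify: Callable[[str], None]) -> int:
    """Run every line through the parser and the match rule; return how many notifications fired."""
    sent = 0
    for line in lines:
        alert = parse_fast_alert(line)
        if alert is None:          # blank line, preprocessor output, or another log format
            continue
        if should_notify(alert, watch_sids, max_priority):
            notify(f"[{alert['ts']}] {alert['msg']} (sid {alert['sid']}, prio {alert['prio']}) "
                   f"{alert['proto']} {alert['src']} -> {alert['dst']}")
            sent += 1
    return sent


def follow(path: str, poll: float = 0.5) -> Iterator[str]:
    """Yield complete new lines appended to path, like tail -F.

    Starts at the current end of file so old alerts are not replayed, buffers partial
    writes until the newline arrives, and reopens the file when its inode changes
    (logrotate) so the watcher does not go quiet after rotation.
    """
    f = open(path, "r", errors="replace")
    f.seek(0, os.SEEK_END)
    inode = os.fstat(f.fileno()).st_ino
    buf = ""
    while True:
        chunk = f.read()
        if chunk:
            buf += chunk
            while "\n" in buf:
                line, buf = buf.split("\n", 1)
                yield line
            continue
        try:
            if os.stat(path).st_ino != inode:   # rotated: switch to the new file from its start
                f.close()
                f = open(path, "r", errors="replace")
                inode = os.fstat(f.fileno()).st_ino
                continue
        except FileNotFoundError:
            pass                                 # rotation in progress; retry after the sleep
        time.sleep(poll)


# Constructed sample lines (SIDs 1000001/1000002 and the addresses are made up for this example).
SAMPLE_ALERTS = [
    "02/21-07:54:27.123456  [**] [1:1000001:1] LOCAL constructed test rule A [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:44321 -> 198.51.100.5:22",
    "02/21-07:54:28.000001  [**] [1:1000002:1] LOCAL constructed test rule B [**] "
    "[Priority: 3] {ICMP} 192.0.2.11 -> 198.51.100.5",
    "this line is not an alert",
]


if __name__ == "__main__":
    # Assumed default path; pass another as argv[1]. Replace print with the messaging call.
    alert_path = sys.argv[1] if len(sys.argv) > 1 else "/var/log/snort/alert"
    process_lines(follow(alert_path), watch_sids={1000002}, max_priority=1, notify=print)
```

The `notify` callable is deliberately just a function argument: in the test it collects strings, in production it would send the message. Priority and SID filtering keeps a noisy sensor from paging on every low-priority hit, which is the main operational problem with "notify on every alert" designs.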
