[Snort-users] Process Snort alerts on real time
valeparatodo at ...11827...
Tue Feb 21 11:21:44 EST 2017
*"in that case, you could whip up something in perl that monitors the alert
file and sends your flash message when it detects what you've configured it
to react to... i have maintained an active response tool that effectively
tails the alert file and issues iptables/ipset rules based on activity...
you can do similar except instead of iptables/ipset stuff, do your text
Yes, maybe I am not clear with my target due to language. I don't need any
text messaging thing. I just need to know when a new alert has been
triggered, so then I would extract all the packet to be analysed by another
module of my system.
I found ids-tools <http://idstools.readthedocs.io/en/latest/unified2.html>
by jasonish. Some of these scripts are also included in snort/tools, such
us u2spewfoo. In the library they have a SpoolEventReader script which is
something similar to what I need, since it is continuosuly reading logs. So
with that simple code:
reader = unified2.SpoolEventReader("/var/log/snort", "snort.u2")for
event in reader:
I have my current log being tailed.
So I just would have to get the event and run my program in spite of just
printing it. But I am trying to figure out the format of the packet that it
is providing to me. It is not hex nor binary.
Is that a common format?
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users