[Snort-users] Process Snort alerts on real time

Nora Aron valeparatodo at ...11827...
Tue Feb 21 11:21:44 EST 2017

*"in that case, you could whip up something in perl that monitors the alert
file and sends your flash message when it detects what you've configured it
to react to... i have maintained an active response tool that effectively
tails the alert file and issues iptables/ipset rules based on activity...
you can do similar except instead of iptables/ipset stuff, do your text
messaging thing..."*

Yes, maybe I am not being clear about my target due to language. I don't need any
text messaging thing. I just need to know when a new alert has been
triggered, so that I can then extract the whole packet to be analysed by another
module of my system.
I found ids-tools <http://idstools.readthedocs.io/en/latest/unified2.html>
by jasonish. Some of these scripts are also included in snort/tools, such
as u2spewfoo. In the library they have a SpoolEventReader script which is
something similar to what I need, since it is continuously reading logs. So
with that simple code:

    from idstools import unified2

    reader = unified2.SpoolEventReader("/var/log/snort", "snort.u2")
    for event in reader:
        print(event)

I have my current log being tailed.

So I would just have to get the event and run my program on it instead of just
printing it. But I am trying to figure out the format of the packet that it
is providing to me. It is not hex nor binary.

Is that a common format?
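Added example, not from the original post and not idstools' code: a minimal reader for the unified2 packet record (type 2), written from Snort's published unified2 record layout (8-byte big-endian header of type and length, then sensor_id, event_id, event_second, packet_second, packet_microsecond, linktype, packet_length and the raw packet bytes). It shows two things a practitioner wants to know here: the "packet" a unified2 reader hands back is the raw link-layer frame as bytes (which is why a plain print of it looks like neither a hex dump nor readable text), and how a spool tailer must hold back a half-written record until Snort finishes appending it. The sample frame, timestamps and ids are constructed; the temp file stands in for /var/log/snort/snort.u2. As far as I recall from the idstools docs, its reader puts the same bytes under `event["packets"][i]["data"]`; check that against the version you install. Only Ethernet II + IPv4 is decoded; VLAN tags and IPv6 are left as "not IPv4".

```python
import os
import socket
import struct
import tempfile

# Unified2 is a stream of records: an 8-byte big-endian header (type, length)
# followed by `length` bytes of body. The layouts below follow Snort's unified2
# spec; every sample value further down is constructed for this example.
RECORD_HDR = struct.Struct("!II")        # record type, body length
PACKET_HDR = struct.Struct("!IIIIIII")   # sensor_id, event_id, event_second,
                                         # packet_second, packet_microsecond,
                                         # linktype, packet_length
UNIFIED2_PACKET = 2
DLT_EN10MB = 1                           # libpcap link type: Ethernet

# Constructed sample frame (54 bytes): Ethernet II + IPv4 + TCP SYN. Not a capture.
SAMPLE_FRAME = (
    bytes.fromhex("001122334455" "66778899aabb" "0800")                     # dst MAC, src MAC, IPv4
    + bytes.fromhex("4500002812344000" "40060000" "0a000005" "c0a8010a")   # ttl 64, TCP, 10.0.0.5 -> 192.168.1.10
    + bytes.fromhex("9c400050" "00000000" "00000000" "5002ffff" "00000000")  # sport 40000, dport 80, SYN
)


def build_packet_record(sensor_id, event_id, event_second, packet_second,
                        packet_usec, linktype, data):
    """Serialise one unified2 packet record (only used here to make test input)."""
    body = PACKET_HDR.pack(sensor_id, event_id, event_second, packet_second,
                           packet_usec, linktype, len(data)) + data
    return RECORD_HDR.pack(UNIFIED2_PACKET, len(body)) + body


def iter_records(buf):
    """Yield (type, body) for each complete record in buf; stop at a truncated tail."""
    off = 0
    while off + RECORD_HDR.size <= len(buf):
        rtype, rlen = RECORD_HDR.unpack_from(buf, off)
        if off + RECORD_HDR.size + rlen > len(buf):
            break                        # partial record: Snort is still writing it
        yield rtype, buf[off + RECORD_HDR.size: off + RECORD_HDR.size + rlen]
        off += RECORD_HDR.size + rlen


def parse_packet_record(body):
    """Decode the packet record header; the packet itself stays raw bytes under "data"."""
    names = ("sensor_id", "event_id", "event_second", "packet_second",
             "packet_microsecond", "linktype", "packet_length")
    rec = dict(zip(names, PACKET_HDR.unpack_from(body, 0)))
    rec["data"] = body[PACKET_HDR.size: PACKET_HDR.size + rec["packet_length"]]
    if len(rec["data"]) != rec["packet_length"]:
        raise ValueError("packet data shorter than packet_length")
    return rec


def decode_ipv4_frame(data):
    """Pull addresses, protocol and ttl out of an Ethernet/IPv4 frame, or None if not IPv4."""
    if len(data) < 34 or struct.unpack_from("!H", data, 12)[0] != 0x0800:
        return None
    (ver_ihl, _tos, _tot, _ident, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack_from("!BBHHHBBH4s4s", data, 14)
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "payload": data[14 + ihl:]}


class SpoolTailer:
    """Read whatever was appended since the last poll and return complete records only."""

    def __init__(self, fp):
        self.fp = fp                     # file opened "rb"; its position is our bookmark
        self.pending = b""               # bytes of a record that is not complete yet

    def poll(self):
        self.pending += self.fp.read()
        done = list(iter_records(self.pending))
        used = sum(RECORD_HDR.size + len(body) for _, body in done)
        self.pending = self.pending[used:]
        return done


def demo_tail():
    """Append one record in two halves while polling, as a stand-in for a live spool file."""
    fd, path = tempfile.mkstemp(suffix=".u2")   # constructed stand-in for snort.u2
    os.close(fd)
    record = build_packet_record(1, 7, 1487693000, 1487693000, 123456, DLT_EN10MB, SAMPLE_FRAME)
    counts, decoded = [], []
    with open(path, "rb") as rd, open(path, "ab") as wr:
        tailer = SpoolTailer(rd)
        for chunk in (record[:20], record[20:]):  # first poll sees a truncated record
            wr.write(chunk)
            wr.flush()
            got = tailer.poll()
            counts.append(len(got))
            decoded.extend(decode_ipv4_frame(parse_packet_record(b)["data"])
                           for t, b in got if t == UNIFIED2_PACKET)
    os.remove(path)
    return counts, decoded


if __name__ == "__main__":
    print(demo_tail())
```

The `pending` buffer is the part that matters for a live spool: Snort appends a record in one write most of the time, but a reader polling on its own schedule can still observe the header before the body, and treating that as a bad record would drop real alerts. Once `decode_ipv4_frame` has the addresses, the rest of the frame is whatever the rule matched, so hand it to the analysis module as bytes rather than trying to re-parse the printed representation.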
