[Snort-users] Process Snort alerts on real time

Nora Aron valeparatodo at ...11827...
Tue Feb 21 11:21:44 EST 2017


*"in that case, you could whip up something in perl that monitors the alert
file and sends your flash message when it detects what you've configured it
to react to... i have maintained an active response tool that effectively
tails the alert file and issues iptables/ipset rules based on activity...
you can do similar except instead of iptables/ipset stuff, do your text
messaging thing..."*

Yes, maybe I am not clear with my target due to language. I don't need any
text messaging thing. I just need to know when a new alert has been
triggered, so then I would extract all the packet to be analysed by another
module of my system.
I found ids-tools <http://idstools.readthedocs.io/en/latest/unified2.html>
by jasonish. Some of these scripts are also included in snort/tools, such
us u2spewfoo. In the library they have a SpoolEventReader script which is
something similar to what I need, since it is continuosuly reading logs. So
with that simple code:

reader = unified2.SpoolEventReader("/var/log/snort", "snort.u2")for
event in reader:
    print(event)

I have my current log being tailed.

So I just would have to get the event and run my program in spite of just
printing it. But I am trying to figure out the format of the packet that it
is providing to me. It is not hex nor binary.
\x00!\xd7j\xe4\x00\xdcJ>\x88*R\x08\x00E\xc0\x00q\xf4\xf0\x00\x00@
\x01;\x92\.....

Is that a common format?

Thanks
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20170221/6bfdfe61/attachment.html>


More information about the Snort-users mailing list