[Snort-users] Process Snort alerts on real time

Giles Coochey giles at ...9346...
Tue Feb 21 11:38:03 EST 2017



On 21/02/17 16:21, Nora Aron wrote:
> /"in that case, you could whip up something in perl that monitors the 
> alert file
> and sends your flash message when it detects what you've configured it 
> to react
> to... i have maintained an active response tool that effectively tails 
> the alert
> file and issues iptables/ipset rules based on activity... you can do 
> similar
> except instead of iptables/ipset stuff, do your text messaging thing..."/
>
> Yes, maybe I am not clear with my target due to language. I don't need 
> any text messaging thing. I just need to know when a new alert has 
> been triggered, so then I would extract all the packet to be analysed 
> by another module of my system.
> I found ids-tools 
> <http://idstools.readthedocs.io/en/latest/unified2.html> by jasonish. 
> Some of these scripts are also included in snort/tools, such as 
> u2spewfoo. In the library they have a SpoolEventReader script which is 
> something similar to what I need, since it is continuously reading 
> logs. So with that simple code:
>
> from idstools import unified2
>
> reader = unified2.SpoolEventReader("/var/log/snort", "snort.u2")
> for event in reader:
>     print(event)
>
> I have my current log being tailed.
> So I just would have to get the event and run my program instead of 
> just printing it. But I am trying to figure out the format of the 
> packet that it is providing to me. It is not hex nor binary.
> \x00!\xd7j\xe4\x00\xdcJ>\x88*R\x08\x00E\xc0\x00q\xf4\xf0\x00\x00@\x01;\x92\.....
>
> Is that a common format?
>
>
Before you invest a lot of effort into coding, perhaps have a look at 
something like sguil:

http://bammv.github.io/sguil/index.html

-- 
Regards,

Giles Coochey
+44 (0) 7584 634 135
+44 (0) 1803 529 451
giles at ...9346...
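The escaped string quoted in the question (`\x00!\xd7j\xe4\x00...`) is what Python prints for a `bytes` object: the unified2 packet record holds the raw captured frame, and the first 14 bytes shown are an Ethernet II header (two 6-byte MACs followed by EtherType `\x08\x00`, IPv4) with the IP header starting at `E\xc0` (version 4, IHL 5). The script below is an added example, not code from the thread or from py-idstools: it converts that printed form back into bytes, decodes the Ethernet and IPv4 headers with `struct`, and serialises frames into a classic libpcap file so another tool can analyse them. The 42-byte sample frame is constructed for this example, and the py-idstools key names used in `packets_from_event` ("packets", "packet-second", "packet-microsecond", "data") are an assumption to be checked against the installed release.

```python
import ast
import struct

# Constructed sample (not from the thread): a 42-byte Ethernet II frame
# carrying an IPv4 header and an ICMP echo request, built by hand so the
# script runs with no Snort log present.
SAMPLE_FRAME = bytes.fromhex(
    "020000000001"            # dst MAC 02:00:00:00:00:01
    "020000000002"            # src MAC 02:00:00:00:00:02
    "0800"                    # EtherType 0x0800 = IPv4
    "45c0001c"                # version 4, IHL 5, TOS 0xc0, total length 28
    "f4f00000"                # identification 0xf4f0, flags/fragment 0
    "40010000"                # TTL 64, protocol 1 (ICMP), checksum 0 (not validated)
    "c0a80001"                # source 192.168.0.1
    "c0a80002"                # destination 192.168.0.2
    "0800000000010001"        # ICMP echo request, checksum 0, id 1, seq 1
)

DLT_EN10MB = 1          # libpcap link type for Ethernet frames
PCAP_MAGIC = 0xA1B2C3D4


def bytes_from_repr(text: str) -> bytes:
    """Turn the escaped form that print() shows for a bytes object
    (e.g. b'\\x00!\\xd7j...') back into the original bytes."""
    value = ast.literal_eval(text.strip())
    if not isinstance(value, bytes):
        raise TypeError("expected a bytes literal such as b'...'")
    return value


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ipv4(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_frame(data: bytes) -> dict:
    """Decode the Ethernet II header and, for IPv4, the fixed IP header.
    Returns the header fields plus the offset where the transport payload starts."""
    if len(data) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", data[:14])
    info = {"dst_mac": _mac(dst), "src_mac": _mac(src), "ethertype": ethertype}
    if ethertype != 0x0800:
        info["payload_offset"] = 14      # non-IPv4: caller decodes the rest
        return info
    if len(data) < 34:
        raise ValueError("frame truncated inside the IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _csum, s_ip, d_ip) = struct.unpack("!BBHHHBBH4s4s", data[14:34])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("not a well-formed IPv4 header")
    info.update({
        "version": ver_ihl >> 4,
        "ihl": ihl,
        "tos": tos,
        "total_length": total_len,
        "id": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "ttl": ttl,
        "protocol": proto,
        "src_ip": _ipv4(s_ip),
        "dst_ip": _ipv4(d_ip),
        "payload_offset": 14 + ihl,      # IP options, if any, are skipped
    })
    return info


def pcap_bytes(packets, linktype: int = DLT_EN10MB) -> bytes:
    """Serialise (seconds, microseconds, raw_frame) tuples as a classic libpcap
    file: 24-byte global header, then a 16-byte record header before each frame."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype))
    for sec, usec, data in packets:
        out += struct.pack("<IIII", sec, usec, len(data), len(data))
        out += data
    return bytes(out)


def packets_from_event(event) -> list:
    """Pull (seconds, microseconds, raw_frame) out of one idstools Event.
    ASSUMPTION: the key names "packets", "packet-second", "packet-microsecond"
    and "data" match the py-idstools release installed; verify before relying on them."""
    return [(p["packet-second"], p["packet-microsecond"], p["data"])
            for p in event.get("packets", [])]


if __name__ == "__main__":
    # Stand-alone demo on the constructed frame; inside the SpoolEventReader
    # loop from the post, feed packets_from_event(event) to the same functions.
    print(repr(SAMPLE_FRAME))            # the escaped b'...' form seen in the post
    hdr = parse_frame(bytes_from_repr(repr(SAMPLE_FRAME)))
    print(hdr["src_ip"], "->", hdr["dst_ip"], "proto", hdr["protocol"], "ttl", hdr["ttl"])
    with open("alert_packets.pcap", "wb") as fh:
        fh.write(pcap_bytes([(0, 0, SAMPLE_FRAME)]))   # readable by tcpdump/Wireshark
```

The link type is carried per packet in the unified2 record, so when the sensor captures on something other than Ethernet, pass that value to `pcap_bytes` instead of the default; the IP checksum is deliberately not validated here, since Snort has already seen the packet and the goal is hand-off, not verification.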


