[Snort-users] Process Snort alerts on real time

Marcin Dulak marcin.dulak at ...11827...
Tue Feb 21 14:03:04 EST 2017


On Tue, Feb 21, 2017 at 5:21 PM, Nora Aron <valeparatodo at ...11827...> wrote:

>
> *"in that case, you could whip up something in perl that monitors the
> alert file and sends your flash message when it detects what you've
> configured it to react to... i have maintained an active response tool that
> effectively tails the alert file and issues iptables/ipset rules based on
> activity... you can do similar except instead of iptables/ipset stuff, do
> your text messaging thing..."*
>
> Yes, maybe I was not clear about my goal due to language. I don't need any
> text messaging thing. I just need to know when a new alert has been
> triggered, so that I can then extract the whole packet to be analysed by
> another module of my system.
> I found ids-tools <http://idstools.readthedocs.io/en/latest/unified2.html>
> by jasonish. Some of these scripts are also included in snort/tools, such
> as u2spewfoo. In the library they have a SpoolEventReader script which is
> something similar to what I need, since it is continuously reading logs. So
> with this simple code:
>
> from idstools import unified2
>
> # tail the spool directory: every unified2 file named snort.u2.* is read in turn
> reader = unified2.SpoolEventReader("/var/log/snort", "snort.u2")
> for event in reader:
>     print(event)
>
> I have my current log being tailed.
>
> So I would just have to take the event and run my program instead of just
> printing it. But I am trying to figure out the format of the packet that it
> is giving me. It is neither hex nor binary.
> \x00!\xd7j\xe4\x00\xdcJ>\x88*R\x08\x00E\xc0\x00q\xf4\xf0\x00\x00@
> \x01;\x92\.....
>
> Is that a common format?
>

http://seclists.org/snort/2017/q1/11


>
> Thanks
>
>
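Editor's note on the bytes Nora pasted: that is Python's repr of a bytes object, not a third encoding. Printable bytes are shown as themselves and everything else as \xNN, so "\x00!\xd7j\xe4\x00" is the destination MAC 00:21:d7:6a:e4:00, "\x08\x00" is the EtherType for IPv4 and "E\xc0" is 0x45 0xc0, the start of an IPv4 header with IHL 5. The packet record in unified2 carries the raw frame as captured, so decoding it means walking the Ethernet and IPv4 headers yourself. The following decoder is an added example (not code from this thread, from Snort or from idstools); it uses only the Python standard library. The sample frame inside it is constructed: it reuses the header fields visible in the post with made-up RFC 5737 addresses and an ICMP echo payload, and its checksums are computed rather than copied. How the frame bytes are reached from an idstools event (e.g. via a "packets" list with a "data" field) is an assumption about that library and is deliberately kept out of the block.

```python
import struct
from typing import Optional

# Added example (not from the thread, Snort or idstools): decode the raw
# Ethernet/IPv4 frame that a unified2 packet record carries.

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")   # the fixed 20-byte IPv4 header
ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, as used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_frame(data: bytes) -> dict:
    """Parse Ethernet + IPv4 headers. A cut-off header raises ValueError; a
    payload shorter than the IP total length (snaplen truncation) is kept
    and reported through the 'truncated' flag instead of being rejected."""
    if len(data) < ETH_HDR.size:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = ETH_HDR.unpack_from(data, 0)
    frame = {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return frame                          # ARP, IPv6, VLAN tags: not decoded here
    off = ETH_HDR.size
    if len(data) < off + IPV4_HDR.size:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     csum, saddr, daddr) = IPV4_HDR.unpack_from(data, off)
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < IPV4_HDR.size or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    if len(data) < off + ihl:
        raise ValueError("truncated IPv4 options")
    header = bytearray(data[off:off + ihl])
    header[10:12] = b"\x00\x00"               # checksum field counts as zero while summing
    payload = data[off + ihl:off + total_len]
    frame.update({
        "tos": tos, "total_length": total_len, "id": ident,
        "flags": flags_frag >> 13, "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": PROTO_NAMES.get(proto, str(proto)),
        "checksum_ok": inet_checksum(bytes(header)) == csum,
        "src_ip": ".".join(map(str, saddr)), "dst_ip": ".".join(map(str, daddr)),
        "payload": payload,
        "truncated": len(payload) < total_len - ihl,
    })
    return frame


def safe_parse(data: bytes) -> Optional[dict]:
    """What a reader loop should call: one bad record must not kill the tail."""
    try:
        return parse_frame(data)
    except ValueError:
        return None


def build_sample_frame() -> bytes:
    """Constructed sample, not a real capture: the MACs, EtherType and IPv4
    fields visible in the post (TOS 0xc0, length 0x71, ID 0xf4f0, TTL 64,
    protocol 1) with made-up RFC 5737 addresses and an ICMP echo request.
    Checksums are computed here, so they differ from the pasted bytes."""
    icmp_body = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + bytes(range(85))
    icmp = icmp_body[:2] + struct.pack("!H", inet_checksum(icmp_body)) + icmp_body[4:]
    src, dst = bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1])
    fields = [0x45, 0xC0, IPV4_HDR.size + len(icmp), 0xF4F0, 0, 64, 1, 0, src, dst]
    fields[7] = inet_checksum(IPV4_HDR.pack(*fields))
    eth = ETH_HDR.pack(bytes.fromhex("0021d76ae400"), bytes.fromhex("dc4a3e882a52"),
                       ETHERTYPE_IPV4)
    return eth + IPV4_HDR.pack(*fields) + icmp


if __name__ == "__main__":
    sample = build_sample_frame()
    print(repr(sample[:24]))                  # the same \x.. notation as in the post
    print(sample.hex())                       # plain hex, if that reads better
    for key, value in parse_frame(sample).items():
        if key != "payload":
            print(f"{key}: {value}")
```

Two practical points for the loop that replaces print(event): call safe_parse rather than parse_frame, so a short or non-IP record is skipped instead of stopping the tail, and check the truncated flag before handing the payload to the next module, because a capture taken with a snaplen smaller than the IP total length will look complete in the headers but not in the data.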