Snort mailing list archives
RE: Newbie: Snort and external programs
From: Lars Norman Søndergaard <Lars.Sondergaard () intello dk>
Date: Sat, 21 Jul 2001 13:37:49 +0200
Dragos,

Thanks for your response. Indeed this is mentioned in the FAQ (but as a response to why you shouldn't update firewall rules directly as a response to an alert). I fail to see why it is more efficient to watch (poll) a log file rather than simply calling an external program (or pass information via some sort of IPC mechanism). Perhaps I should log to the Win2K event log and register a script to receive notification whenever an alert is raised and let the script take appropriate action.

Lars

PS: Being both a European and a Windows user, I'm very used to sarcasm.

-----Original Message-----
From: Dragos Ruiu [mailto:dr () kyx net]
Sent: 21. juli 2001 12:38
To: Lars Norman Søndergaard; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Newbie: Snort and external programs

This one should be a FAQ question....

Calling another program from within your main IDS loop is generally a bad idea. Having your IDS block while waiting for <something> of dubious reliability and origin, never mind timing, while the packets are piling up is inviting packet loss. Especially with the already oh-so-consistent "Gee I think I'll go away for a minute" rock steady even CPU slicing Windows gives you (that's sarcasm, sorry).

Go with the second approach.... You want to keep that IDS task humming and munching packets as efficiently as possible with as few interruptions as possible, imho, and not be invoking the penalty of process invocation.... particularly on Windows, where process invocation is a much, much heavier task than on *nix.

Some fancier output stuff may become more possible when Marty finishes his barnyard modular output stuff.... Even in a secondary process... You'll probably find something that stays "awake" all the time will work out much more nicely than something that gets "woken up" on a per-alert basis, for the aforementioned reasons.

cheers,
--dr

On Fri, 20 Jul 2001, Lars Norman Søndergaard wrote:
All,

I am currently playing around with the Win32 port of Snort to get a feel for it. Also I am trying to figure out the admin stuff needed (consolidating logs, automating rule updates and so on).

My question is: Is it possible to have snort call an external program when an alert is raised? I realize that I can simply track changes to the alert file and call the app whenever the file changes.

Thanks,
Lars Søndergaard

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Dragos Ruiu <dr () dursec com>
dursec.com ltd. / kyx.net - we're from the future
gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc
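The shape Dragos recommends, a secondary process that stays awake and follows the alert file instead of a program spawned per alert, as an added example that is not code from this thread or from Snort: a resident Python follower for Snort's alert_fast output. The line layout in ALERT_RE, the sample line and the alert.ids filename are assumptions; poll() is meant to be called from a sleep loop or a service timer, and the partial-line and truncation checks are what keep it from double-handling or missing alerts while Snort is still writing.

```python
import re
import tempfile
from pathlib import Path

# Assumed Snort "alert_fast" line layout (added example, not Snort's own code).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:[^\]]*\])?(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$")

def parse_alert(line):
    """Fields of one alert_fast line as a dict, or None if it is not an alert."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None

class AlertFollower:
    """Resident alert-file consumer: remembers its byte offset and reads only what Snort
    appended since the last poll(), so one long-lived loop replaces a spawn per alert."""
    def __init__(self, path):
        self.path, self.offset = Path(path), 0

    def poll(self):
        """One read pass; returns the complete alerts appended since the last pass."""
        if not self.path.is_file():
            return []
        if self.path.stat().st_size < self.offset:      # rotated or truncated
            self.offset = 0
        alerts = []
        with self.path.open("rb") as fh:
            fh.seek(self.offset)
            for raw in fh:
                if not raw.endswith(b"\n"):             # Snort still writing it
                    break
                self.offset += len(raw)
                alert = parse_alert(raw.decode("utf-8", "replace").rstrip("\r\n"))
                if alert:
                    alerts.append(alert)
        return alerts
# Constructed sample alert (not from a real sensor), used by demo().
SAMPLE = ('07/20-13:37:49.123456  [**] [1:1000001:1] CONSTRUCTED probe [**] [Classification: '
          'Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:4444 -> 192.0.2.20:80\n')

def demo():
    path = Path(tempfile.mkdtemp()) / "alert.ids"
    follower = AlertFollower(path)
    path.write_bytes(SAMPLE.encode())
    first = [a["sid"] for a in follower.poll()]          # one complete line
    path.write_bytes((SAMPLE * 2 + SAMPLE[:30]).encode())  # same prefix: one more full line + a partial
    second = [a["sid"] for a in follower.poll()]         # partial line is left for the next pass
    return first, second
```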