Snort mailing list archives

Re: Run an external program


From: Erek Adams <erek () snort org>
Date: Wed, 5 Mar 2003 09:39:50 -0500 (EST)

On Tue, 4 Mar 2003 Gregory.Kane () hood-ctsfmail army mil wrote:

I am looking at using Snort as a development base IDS system on Windows
2000. I have looked at IDSCenter and have used it but the program is much
too complicated for ordinary users - at least the ones I have. One feature
of the IDSCenter which is excellent is the ability to run an external
program for alerts. My question is whether there is something that can be
used along the command line to accomplish the same thing? We have been
toying with the idea of using some module to execute an external program
and putting it in the code, but that does have some drawbacks. Anyone have
any thoughts?

In all honesty, this is a Bad Thing(tm).  IMHO, you should _never_ have
your IDS do anything by sniffing.  One hung process could compromise the
security of your entire net.

Snort does not and probably 'will not' have that ability.  If you _really_
want that, I'd honestly suggest moving to a *NIX platform and alerting to
a socket.  Write a daemon to sit on the other end and act accordingly.
I'm not sure if Win32 could do something such as that.  You might be able
to get a Win32 version of swatch (or run under cygwin) for the activation
or running of other processes.

If you really, really want to write something...  You might want to do it
as an output plugin.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

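The reply above suggests alerting to a socket and writing a daemon on the other end to "act accordingly", while warning that one hung process could compromise the whole net. The following is an added example of such a daemon, written for this archive page and not code from the original thread or from the Snort project. It assumes Snort is run with the `alert_unixsock` output plugin, which writes one datagram per alert to a Unix socket (default path `/dev/snort_alert`), and that each datagram begins with a 256-byte, NUL-padded alert message (the `alertmsg` field of Snort 2.x's `Alertpkt`); only that prefix is parsed. The socket path, the action table, the cooldown and the sample alert text are all assumptions or constructed for the example. The design choices are the ones the warning calls for: the daemon, not Snort, does the reacting; only pre-approved fixed commands can ever run, nothing from the packet reaches `argv`; each action has a per-signature cooldown so a flood of alerts cannot fork a flood of processes; and every helper runs without a shell and under a hard timeout so a hung helper cannot wedge the reader.

```python
"""Daemon for the far end of Snort's alert_unixsock output (added example).

Assumptions (not from the original post):
  * Snort is configured with `output alert_unixsock`; each datagram starts
    with a 256-byte NUL-padded alert message (Alertpkt.alertmsg, Snort 2.x).
  * The daemon binds the socket before Snort starts, since Snort only sends.
  * Responses are fixed, pre-approved commands; alert text never becomes argv.
"""
import os
import socket
import subprocess
import sys

SOCKET_PATH = "/dev/snort_alert"   # default alert_unixsock path (assumed)
ALERTMSG_LENGTH = 256              # Snort 2.x ALERTMSG_LENGTH (assumed)
COOLDOWN_SECONDS = 60.0            # example value
ACTION_TIMEOUT = 5.0               # example value

# Allow-list of reactions. Keys are substrings of the alert message; values
# are complete argv lists. Nothing from the alert is ever interpolated.
ACTIONS = {
    "SCAN": ["/usr/bin/logger", "-t", "snort-react", "scan seen"],
    "SHELLCODE": ["/usr/bin/logger", "-t", "snort-react", "shellcode seen"],
}


def parse_alert(datagram: bytes) -> str:
    """Return the NUL-terminated alert message from the head of a datagram."""
    if len(datagram) < ALERTMSG_LENGTH:
        raise ValueError("short datagram: %d bytes" % len(datagram))
    raw = datagram[:ALERTMSG_LENGTH].split(b"\x00", 1)[0]
    # Replace anything odd rather than trusting bytes Snort copied from a rule.
    return raw.decode("ascii", errors="replace")


class Reactor:
    def __init__(self, actions=ACTIONS, cooldown=COOLDOWN_SECONDS):
        self.actions = actions
        self.cooldown = cooldown
        self.last_fired = {}   # action key -> time it last ran

    def decide(self, message: str, now: float):
        """Return the argv to run for this message, or None.

        Per-key cooldown: someone who can trigger a signature at will can make
        us run the same fixed command at most once per cooldown window, and
        can never choose what that command is.
        """
        for key, argv in self.actions.items():
            if key in message:
                last = self.last_fired.get(key)
                if last is not None and now - last < self.cooldown:
                    return None
                self.last_fired[key] = now
                return list(argv)
        return None

    def run(self, argv):
        """Run the helper without a shell and with a hard timeout so a hung
        helper cannot block the socket reader (and back up the IDS)."""
        try:
            subprocess.run(argv, shell=False, timeout=ACTION_TIMEOUT,
                           stdin=subprocess.DEVNULL, check=False)
        except subprocess.TimeoutExpired:
            sys.stderr.write("helper timed out: %r\n" % (argv,))
        except OSError as exc:
            sys.stderr.write("helper failed: %r: %s\n" % (argv, exc))


def serve(path=SOCKET_PATH):
    """Bind the Unix datagram socket and react to alerts forever."""
    import time
    if os.path.exists(path):
        os.unlink(path)
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    sock.bind(path)
    os.chmod(path, 0o600)          # only the Snort user should write here
    reactor = Reactor()
    while True:
        datagram = sock.recv(65535)
        try:
            message = parse_alert(datagram)
        except ValueError as exc:
            sys.stderr.write("dropped: %s\n" % exc)
            continue
        argv = reactor.decide(message, time.monotonic())
        if argv is not None:
            reactor.run(argv)


if __name__ == "__main__":
    serve()
```

Run the daemon as an unprivileged user before starting Snort; the reactions it can take are bounded by that user's rights and by the `ACTIONS` table, which is the whole point of keeping the "act accordingly" part out of the sensor.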

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
