Snort mailing list archives
Re: output plugins... execute command?
From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 05 Nov 2003 19:35:29 -0500
At 04:31 PM 11/5/2003, David R. wrote:
> I'm sorry if this seems like such an obvious question, but is there an output plugin that will execute a shell command? I haven't found any evidence of one so far. If not, why not? I would like to send SMS messages to my cell when an alert or attack comes up, but the way I see it now I would have to use a third-party program to monitor the snort alert file... Doesn't it seem more logical to be able to issue these alerts directly from snort itself?

No, it doesn't have that output plugin because it's a security hole. Command execution is INSANELY slow by comparison to the speed at which snort needs to operate.. this would cause snort to drop a very large number of packets, opening the door for someone to attack your network without being noticed while snort spent time executing a process.
This is really the domain of logwatching tools like logwatch, swatch, etc.. read the FAQ about getting snort to send you email.
The only disadvantage of a log watcher is that it might take it a few hundred milliseconds to start responding.. but in the case of an email, or sms message, that overhead isn't noticeable. It will take at least twice as long just for the message to send.
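
As an added example (not from the original post or the Snort project), here is a minimal Python log watcher of the kind the reply recommends: it follows the alert file in a separate process, so Snort never waits on the notifier. It assumes Snort's `fast` alert line format; the notifier path `/usr/local/bin/send-sms`, the 300-second per-signature throttle and the priority cutoff are hypothetical choices.

```python
import re, subprocess, sys, time

# Snort "fast" alert layout. SAMPLE lines are constructed, not real captures.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>\d+:\d+:\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{\w+\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)")
HEAD = "11/05-19:35:29.104113  [**] [1:100000%d:1] Constructed rule %s [**] "
TAIL = "[Priority: %d] {TCP} 192.0.2.10:3345 -> 198.51.100.20:80\n"
SAMPLE = [(HEAD + TAIL) % v for v in [(1, "A", 1), (1, "A", 1), (2, "B", 3)]]

def parse_alert(line):
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None

def allow(last, sid, now, window=300):
    # One notification per signature per window, so an alert flood is not an SMS flood.
    if now - last.get(sid, float("-inf")) < window:
        return False
    last[sid] = now
    return True

def select_notifications(lines, last, max_priority=2, clock=time.time):
    # Texts for alerts at priority <= max_priority (1 is most severe) that pass the throttle.
    alerts = filter(None, map(parse_alert, lines))
    return [f'{a["ts"]} {a["msg"]} {a["src"]} -> {a["dst"]}' for a in alerts
            if int(a["prio"]) <= max_priority and allow(last, a["sid"], clock())]

def follow(path, poll=0.2):
    # Yield complete lines appended to path (like tail -f); log rotation is not handled.
    with open(path) as fh:
        fh.seek(0, 2)  # start at end of file: only new alerts
        buf = ""
        while True:
            buf += fh.readline()
            if buf.endswith("\n"):  # emit only once the whole line has been written
                yield buf
                buf = ""
            else:
                time.sleep(poll)

def notify(text, cmd=("/usr/local/bin/send-sms",)):  # hypothetical notifier command
    # Argument list, no shell: alert text is passed as data, never parsed by a shell.
    subprocess.run([*cmd, text], check=False, timeout=30)

if __name__ == "__main__":
    seen = {}  # signature id -> time of last notification
    for line in follow(sys.argv[1]):  # argv[1]: path to the Snort alert file
        for text in select_notifications([line], seen):
            notify(text)
```
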