Snort mailing list archives
Re: Output Plugin writing
From: Jason Brvenik <jasonb () sourcefire com>
Date: Thu, 26 Apr 2007 20:20:41 -0400
I forgot to mention that you can use the ruby unified code that Caswell put out too.
http://www.shmoo.com/~bmc/software/ruby/unified.html

Jason Brvenik wrote:
best way is to use unified logging and barnyard or snortunified.pm to create the formats you need.
-- from the road

-----Original Message-----
From: eschnei () CLEMSON EDU
Date: Thu, 26 Apr 2007 16:09:00
To: "Joel Esler" <joel.esler () sourcefire com>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Output Plugin writing

I have looked at the ruletypes, and that was what I was using at first. The only problem is I need to pull out data from the packet and format it for our own reporting system, that is pipe delimited.

Brian

Have you ever looked at the custom output options? Search for the word "redalert" in your snort.conf.

+---------------------------------------------------------------------+
Joel Esler
Security Consultant
gpg key: http://demo.sourcefire.com/jesler.pgp.key
+---------------------------------------------------------------------+

On Apr 26, 2007, at 3:19 PM, eschnei () CLEMSON EDU wrote:
Hi, I am a new snort user, I've been able to write some customized rules and look at different output options snort provides as a default. I want to have it only called when I hit my customized rules, and then based on the rule it hits and the attributes for the rule, I want the alert and packet data written to a specific file that isn't the alert file the other snort rules use. That being said, I am having trouble setting up the plugin, the different functions that need to be inside of it so snort can use it. Does anybody have a good template I might be able to use?

Thanks for your help.
Brian

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
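As an added illustration of the custom ruletype approach Joel points at (this is example configuration written for this archive page, not code from the thread or from Snort's own distribution): a snort.conf fragment that routes only the rules declared with a custom action to their own alert file, packet log and unified stream, leaving the default alert file for the stock rules. The ruletype name, file names and limits are assumptions.

```conf
# Added example (not from the thread): a custom rule type in snort.conf.
# Only rules whose action is "localreport" go through these output plugins,
# so the ordinary "alert" rules keep writing to the normal alert file.
# File names and the size limits are placeholders chosen for this example.
ruletype localreport
{
    type alert
    # one-line human-readable alerts, kept apart from the default alert file
    output alert_fast: localreport.alert
    # full packet data for the matching rules, in pcap format
    output log_tcpdump: localreport.pcap
    # binary unified output that barnyard or snortunified.pm can reformat
    # (for instance into a pipe-delimited feed) off the sensor
    output alert_unified: filename localreport.unified.alert, limit 128
    output log_unified: filename localreport.unified.log, limit 128
}

# A rule that uses the new action; every other rule in the ruleset is untouched.
localreport tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL example rule - inbound SSH connection attempt"; flags:S; sid:1000001; rev:1;)
```

The ruletype block has to appear in snort.conf before any rule that uses it.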