Re: Homebrew Snort Reactive/Unified2 output

[Russ Combs <rcombs () sourcefire com>]

On Wed, Mar 30, 2011 at 5:16 PM, Jefferson, Shawn <
Shawn.Jefferson () bcferries com> wrote:

> It sounds like a so_rule/dynamic rule plugin is what you want... (??)
>
> -----Original Message-----
> From: Korodev [mailto:korodev () gmail com]
> Sent: Wednesday, March 30, 2011 1:58 PM
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] Homebrew Snort Reactive/Unified2 output
>
> Hey guys,
>
> I'm trying to implement a proof-of-concept system that will "react"
> based on snort alerts. In short, once Snort detects an alert, I have a C
> lines that I would like executed as *quickly* as possible. There seem to be
> several points of insertion for this. First, would be modifying the unified2
> output plugin to do some custom work as well as maintain normal unified2
> output. Second, would be to modify a BY2 output plugin (this seems to be
> what the Snort team suggests), but given that speed is a factor, picking it
> up right out of Snort is ideal. Does homebrew take a time-based polling
> approach to unified2 files? I quickly browsed through the source and saw no
> indication otherwise.
>
> I suppose the last option would be to write my own unified2 parser, but I
> really don't have that much time on my hands. As I understand it, the
> best/only documentation of the unified2 output format is the snort source
> code..is that correct?

u2spewfoo dumps u2 files, so that might help you figure them out.

> Suggestions?
>
> \\korodev
>
>
> ------------------------------------------------------------------------------
> Create and publish websites with WebMatrix Use the most popular FREE web
> apps or write code yourself; WebMatrix provides all the features you need to
> develop and publish your website. http://p.sf.net/sfu/ms-webmatrix-sf
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> ------------------------------------------------------------------------------
> Create and publish websites with WebMatrix
> Use the most popular FREE web apps or write code yourself;
> WebMatrix provides all the features you need to develop and
> publish your website. http://p.sf.net/sfu/ms-webmatrix-sf
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------------
Create and publish websites with WebMatrix
Use the most popular FREE web apps or write code yourself; 
WebMatrix provides all the features you need to develop and 
publish your website. http://p.sf.net/sfu/ms-webmatrix-sf

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users