Snort mailing list archives
Re: Homebrew Snort Reactive/Unified2 output
From: Martin Holste <mcholste () gmail com>
Date: Wed, 30 Mar 2011 17:42:19 -0500

You want to look at Jason's SnortUnified Perl modules: http://code.google.com/p/snort-unified-perl/ . At the very least, most of the constants and byte conversions are well documented there.

Why is speed a factor? Are you trying to issue RST packets or issue firewall blocks/ACL rules? If you want to kill an active connection, I don't think anything reading Snort's output will be reliably fast enough unless the connection is a rather large file download. If you're not trying to kill the connection, then a few milliseconds difference between having a script do the reading and having something more built-in do the reading won't matter, and you should go with the ease-of-use of the script.

On Wed, Mar 30, 2011 at 4:55 PM, Korodev <korodev () gmail com> wrote:
u2spewfoo dumps u2 files, so that might help you figure them out.

Hadn't seen that...I'll check it out.

Thanks,
\\korodev

------------------------------------------------------------------------------
Create and publish websites with WebMatrix
Use the most popular FREE web apps or write code yourself;
WebMatrix provides all the features you need to develop and publish your website.
http://p.sf.net/sfu/ms-webmatrix-sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users