Snort mailing list archives

Re: execute script on event x


From: Martin Holste <mcholste () gmail com>
Date: Wed, 14 Sep 2011 15:57:02 -0500

I'm not sure about Windows, but on Linux, one way to do it would be to
have snort or barnyard output as syslog, and use syslog-ng's program()
destination combined with a filter.  So, let's say you want to drop
all traffic which has a snort signature with BLACKLIST in it:

source src {
  unix-dgram("/dev/log");
};

filter f_snort {
  # match on a message like:
  #   snort[1234]: [1:18353:2] BLACKLIST USER-AGENT known malicious user-agent string...
  # syslog-ng strips the "snort[1234]: " part into PROGRAM/PID, so MESSAGE
  # begins with "[gid:sid:rev]"; an anchored '^\]' would never match
  program("snort") and match('\] BLACKLIST ' value("MESSAGE"));
};

destination d_block_script {
  program("/path/to/block/script");
};

log {
  source(src);
  filter(f_snort);
  destination(d_block_script);
};

Your script would receive the syslog message and need to parse it out
for the right IP to block.

There are lots of ways this could be done, but having syslog-ng take
care of it has the advantage that it is robust and it may already be
installed.  I myself have a more complicated script which reads the
raw unified file itself and takes appropriate actions, but it's a bit
more involved.  The above is about as simple as it gets and has the
fewest moving parts.

On Wed, Sep 14, 2011 at 2:16 AM, Tobias Dinse
<tobias.dinse () stegbauer info> wrote:
Hi all,

I have to configure Snort to block IPs on our firewall over a telnet
command if an attack was detected. This can be easily done with a
shell script - but how can I realize that with Snort? Maybe something
like Snortsam, which has no support for our firewall. My Snort runs
under Windows 7. Is there any solution? I can switch to Linux if it
doesn't work with Windows. Windows is only one of the requirements of
this project, but if there is a Linux solution we can switch (I hope so :D).

Thanks and regards

Tobias

------------------------------------------------------------------------------
BlackBerry&reg; DevCon Americas, Oct. 18-20, San Francisco, CA
Learn about the latest advances in developing for the
BlackBerry&reg; mobile platform with sessions, labs & more.
See new tools and technologies. Register for BlackBerry&reg; DevCon today!
http://p.sf.net/sfu/rim-devcon-copy1
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
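As an added example (not Martin's code and not part of the original thread), here is a skeleton for the block script that the syslog-ng program() destination above would feed. syslog-ng starts the program once and writes each matching message to its stdin, so the script loops over stdin. It assumes Snort's default alert_syslog layout with IPv4 addresses; the sample log lines, the RFC 1918 stand-in for HOME_NET and the firewall command syntax are constructed for illustration. The part worth noticing is which address gets blocked: Snort's "src" is only the packet sender, and for a BLACKLIST USER-AGENT hit the malicious host is normally the destination the internal client connected to, so the script blocks whichever end is outside the protected ranges and refuses to act when that is ambiguous.

```python
#!/usr/bin/env python3
"""Block-script skeleton for syslog-ng's program() destination (added example).

Assumed Snort alert_syslog layout (IPv4 only):
  <syslog prefix> snort[PID]: [GID:SID:REV] MSG [Classification: C] [Priority: P] {PROTO} SRC:SPORT -> DST:DPORT
ICMP alerts carry no ports and the Classification field may be absent.
"""
import ipaddress
import re
import sys

ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# Addresses that must never be sent to the firewall as a block target.
# RFC 1918 plus loopback stands in for HOME_NET here (assumption); adjust to the site.
PROTECTED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_alert(line):
    """Return a dict of the alert fields, or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "sid": int(d["sid"]), "msg": d["msg"], "proto": d["proto"],
        "priority": int(d["priority"]), "src": d["src"], "dst": d["dst"],
    }


def is_protected(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROTECTED_NETS)


def choose_block_target(alert):
    """Pick the external end of the flow. If both ends are inside, or both
    outside, the protected ranges, there is no safe answer: block nothing."""
    src_in, dst_in = is_protected(alert["src"]), is_protected(alert["dst"])
    if src_in == dst_in:
        return None
    return alert["dst"] if src_in else alert["src"]


def block_command(ip):
    # Hypothetical firewall CLI syntax; replace with the real device's command.
    return f"deny host {ip}"


def plan_blocks(lines):
    """Turn syslog lines into the list of firewall commands to issue."""
    cmds = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        target = choose_block_target(alert)
        if target is not None:
            cmds.append(block_command(target))
    return cmds


# Constructed sample input: sid 18353 is the one quoted in the thread, the
# other sids are local-rule-range numbers made up for this example.
SAMPLE_LINES = [
    "Sep 14 15:57:02 sensor snort[1234]: [1:18353:2] BLACKLIST USER-AGENT known "
    "malicious user-agent string [Classification: A Network Trojan was Detected] "
    "[Priority: 1] {TCP} 192.168.1.50:49152 -> 203.0.113.7:80",
    # both ends inside the protected ranges: must not block anything
    "Sep 14 15:57:03 sensor snort[1234]: [1:1000001:1] BLACKLIST test internal "
    "[Classification: Misc activity] [Priority: 3] {UDP} 192.168.1.50:53412 -> 192.168.1.1:53",
    # ICMP: no ports, no Classification field
    "Sep 14 15:57:04 sensor snort[1234]: [1:1000002:1] BLACKLIST test ping "
    "[Priority: 3] {ICMP} 198.51.100.9 -> 192.168.1.1",
    # not an alert at all
    "Sep 14 15:57:05 sensor snort[1234]: Commencing packet processing (pid=1234)",
]

if __name__ == "__main__":
    # syslog-ng keeps the pipe open; handle one message at a time and flush.
    for line in sys.stdin:
        for cmd in plan_blocks([line]):
            print(cmd, flush=True)
```

Run it as `python3 block.py < alerts.log` to see the commands it would issue; in production the print is where the telnet (or better, SSH) session to the firewall goes, and the skip branch should be logged so that alerts with no unambiguous external side are not silently dropped.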

