Snort mailing list archives
Re: execute script on event x
From: Martin Holste <mcholste () gmail com>
Date: Wed, 14 Sep 2011 15:57:02 -0500
I'm not sure about Windows, but on Linux, one way to do it would be to have snort or barnyard output as syslog, and use syslog-ng's program() destination combined with a filter. So, let's say you want to drop all traffic which has a snort signature with BLACKLIST in it:

    source src { unix-dgram("/dev/log"); };

    filter f_snort {
        # match on a message like
        # snort[1234]: [1:18353:2] BLACKLIST USER-AGENT known malicious user-agent string...
        # The MESSAGE part starts with "[1:18353:2]", so the pattern must not be
        # anchored to the start of the line; it looks for "] BLACKLIST " anywhere.
        program("snort") and match('\] BLACKLIST ');
    };

    destination d_block_script { program("/path/to/block/script"); };

    log { source(src); filter(f_snort); destination(d_block_script); };

Your script would receive the syslog message and need to parse it out for the right IP to block. There are lots of ways this could be done, but having syslog-ng take care of it has the advantage that it is robust and it may already be installed. I myself have a more complicated script which reads the raw unified file itself and takes appropriate actions, but it's a bit more involved. The above is about as simple as it gets and has the fewest moving parts.

On Wed, Sep 14, 2011 at 2:16 AM, Tobias Dinse <tobias.dinse () stegbauer info> wrote:
Hi all,

I have to configure Snort to block IPs on our firewall over a telnet command if an attack was detected. This can be easily done with a shell script, but how can I realize that with Snort? Maybe something like Snortsam, which has no support for our firewall. My Snort runs under Windows 7. Is there any solution? I can switch to Linux if it doesn't work with Windows. Windows is only one of the requirements of this project, but if there is a Linux solution we can switch (I hope so :D).

Thanks and regards
Tobias

------------------------------------------------------------------------------
BlackBerry® DevCon Americas, Oct. 18-20, San Francisco, CA
Learn about the latest advances in developing for the BlackBerry® mobile platform with sessions, labs & more. See new tools and technologies. Register for BlackBerry® DevCon today! http://p.sf.net/sfu/rim-devcon-copy1
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
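The block script that the syslog-ng program() destination in the reply would hand each alert to, written here as an added example (it is not code from the thread). It assumes syslog-ng writes one matching Snort syslog alert per line to the script's stdin, parses the usual Snort alert layout ("[gid:sid:rev] msg [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port"), and refuses to block addresses inside a protected-network list so that an alert about internal traffic cannot be turned into a self-inflicted outage. The sample alert lines and the protected networks are constructed; the firewall action is a placeholder, since the thread does not give the telnet command.

```python
#!/usr/bin/env python3
"""Hypothetical block script for a syslog-ng program() destination.

syslog-ng starts this script once and writes every alert line that
passed the f_snort filter to its stdin. Not part of the mailing-list post.
"""
import ipaddress
import re
import sys

# Snort syslog alert layout: [gid:sid:rev] msg [Classification: ...]
# [Priority: N] {PROTO} src[:port] -> dst[:port]. Classification and
# ports are optional in real alerts, so the pattern treats them that way.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s*)?"
    r"\[Priority:\s*(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>[0-9.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[0-9.]+)(?::(?P<dport>\d+))?"
)

# Networks that must never be blocked (constructed example; the sensor,
# servers and management ranges of a real deployment belong here).
NEVER_BLOCK = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# Constructed sample alerts in Snort's syslog format; sid 18353 is the
# BLACKLIST rule quoted in the thread, the others are for contrast.
SAMPLE_ALERTS = [
    "Sep 14 15:57:02 sensor1 snort[1234]: [1:18353:2] BLACKLIST USER-AGENT "
    "known malicious user-agent string [Classification: A Network Trojan was "
    "Detected] [Priority: 1] {TCP} 203.0.113.45:51234 -> 192.0.2.10:80",
    "Sep 14 15:57:03 sensor1 snort[1234]: [1:2100498:7] GPL ATTACK_RESPONSE "
    "id check returned root [Classification: Potentially Bad Traffic] "
    "[Priority: 2] {TCP} 192.0.2.10:80 -> 10.0.0.5:40001",
    "Sep 14 15:57:04 sensor1 snort[1234]: [1:99999:1] BLACKLIST test from "
    "inside [Priority: 3] {UDP} 10.0.0.7:1234 -> 203.0.113.9:53",
]


def parse_snort_alert(line):
    """Return a dict of alert fields, or None if the line is not a Snort alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "pri"):
        alert[key] = int(alert[key])
    return alert


def decide_block(alert, never_block=NEVER_BLOCK, keyword="BLACKLIST"):
    """Return the source address to block for this alert, or None.

    The keyword check repeats the condition of the syslog-ng filter so the
    script stays safe if it is ever fed unfiltered messages; the protected
    network check stops an internal host from being cut off.
    """
    if alert is None or keyword not in alert["msg"]:
        return None
    try:
        src = ipaddress.ip_address(alert["src"])
    except ValueError:
        return None
    if any(src in net for net in never_block):
        return None
    return str(src)


def block_ip(ip):
    """Placeholder for the firewall action (the telnet command in the thread)."""
    sys.stderr.write("would block %s\n" % ip)


def main():
    # syslog-ng keeps the pipe open, so this loop runs for the script's lifetime.
    for line in sys.stdin:
        ip = decide_block(parse_snort_alert(line.rstrip("\n")))
        if ip:
            block_ip(ip)


if __name__ == "__main__":
    main()
```

Of the three constructed alerts, only the first yields an address to block: the second lacks the BLACKLIST keyword, and the third names a source inside a protected network. Running a single long-lived process that reads stdin is what program() expects; exiting after one line would make syslog-ng restart the script on every alert.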
Current thread:
- execute script on event x Tobias Dinse (Sep 14)
- Re: execute script on event x Martin Holste (Sep 14)