Snort mailing list archives

Re: Can Snort notify a user program when it finishes processing a packet?


From: Russ <rucombs () cisco com>
Date: Wed, 26 Oct 2016 04:33:26 -0400

Did you try adding a rule that will trigger on each packet?

    alert ip any any -> any any ( sid:1; msg:"packet"; )

Depending on what you are trying to do, you could also use the abcip DAQ and just give it input when you are ready.

If the existing Snort I/O isn't suitable, we can pick it up on devel ... for Snort++. :)

On 10/25/16 3:47 PM, Chang Liu wrote:
Dear all,

Thanks for your reply. I understand that Snort can standalone examine packets, but my intent is to interact with Snort from my program, and based on the decision made by Snort, other follow-up steps will be taken afterwards in my program. I will try posting this question in snort-dev.

Thanks
Chang

On Tue, Oct 25, 2016 at 8:55 AM, Jim Campbell <jim () w4bqp net> wrote:

    Chang,

    If the primary thrust of your effort is to use your program to
    accomplish something, then the answer he gave you is correct.

    If the intent is to set up a system that will examine each packet
    coming in to your network then Snort is capable of doing that by
    itself. Snort can be configured as an Intrusion Detection System
    (IDS) in which it simply reports on packets failing some
    criteria.  An IDS doesn't drop packets.

    Snort can also be configured as an Intrusion Prevention System
    (IPS) in which it drops any packet failing that criteria. A Snort
    IPS is a system with two LAN cards. One LAN card sits on the input
    to the system and the other on the output. A packet entering the
    system on one LAN card that passes the criteria is sent to the
    output LAN card. A packet failing that criteria goes no further.

    Note: An IPS is bi-directional. I have as many packets failing on
    the outgoing stream as I do on the incoming. If there is something
    in your system trying to send bad stuff out that is caught as well.

    I hope this helps,

    Jim Campbell


    On 10/25/2016 5:32 AM, Chang Liu wrote:
    Dear all,

    I thought I stated my question clearly. Let me try again.

    I have a program that will send one packet to Snort at a time.
    The logic is simple. It waits for Snort to finish processing the
    packet and get back the decision Snort made on this packet
    (whether it triggers an alert).

    My question is how can my program know that Snort has finished
    processing the packet it just sent?

    I have tried two methods:
    a) start a Snort instance every time it sends a packet. However,
    the overhead of loading Snort is too long.
    b) Let Snort sniff on an interface and send packets to this
    interface. But how do we know if Snort has finished processing
    the single packet it just received?

    Any suggestion is appreciated. Thanks.

    Chang

    On Tue, Oct 25, 2016 at 2:19 AM, <wkitty42 () windstream net> wrote:

        On 10/25/2016 01:54 AM, Chang Liu wrote:
        > Any suggestion to solve this problem? Is it possible to get
        > notification from Snort every time it finishes processing a packet?

        the simple answers?? no and no... not the way you are
        trying... your second given
        option of monitoring the alert file is about the only thing
        you have...

        what, exactly, are you trying to do with your program??

        --
          NOTE: No off-list assistance is given without prior approval.
                *Please keep mailing list traffic on the list* unless
                private contact is specifically requested and granted.

        ------------------------------------------------------------------------------
        The Command Line: Reinvented for Modern Developers
        Did the resurgence of CLI tooling catch you by surprise?
        Reconnect with the command line and become more productive.
        Learn the new .NET and ASP.NET CLI. Get your free copy!
        http://sdm.link/telerik
        _______________________________________________
        Snort-users mailing list
        Snort-users () lists sourceforge net
        Go to this URL to change user options or unsubscribe:
        https://lists.sourceforge.net/lists/listinfo/snort-users
        Snort-users list archive:
        http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

        Please visit http://blog.snort.org to stay current on all the
        latest Snort news!




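A worked example of the approach this thread converges on (Russ's catch-all marker rule `sid:1` plus watching the alert file, as wkitty42 suggests), added here and not code from any of the posts. It assumes Snort 2.9's alert_fast output format and that the marker rule is loaded with sid 1; the sample alert lines are constructed.

```python
"""Tell when Snort has finished a packet: watch alert_fast for the thread's sid:1 marker."""
import re
import time

MARKER_SID = 1  # every packet Snort processes produces an alert from the catch-all rule
# One alert_fast line as Snort 2.9 writes it; Classification is optional, ICMP has no ports
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification: [^\]]*\]\s+)?"
    r"\[Priority: \d+\]\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

def parse_alert(line):
    """Return the fields of one alert_fast line, or None if it is not an alert."""
    m = ALERT_RE.match(line.strip())
    return {k: int(v) if k in ("gid", "sid", "rev") else v
            for k, v in m.groupdict().items()} if m else None

def decisions_for_packet(lines, proto, src, dst):
    """Scan alert lines for the packet proto src->dst that the program just sent.
    Returns (processed, other_alerts): processed is True once the sid:1 marker for
    that packet is seen; other_alerts holds the messages of real rules that fired."""
    hits = []
    for line in lines:
        a = parse_alert(line)
        if not a or (a["proto"], a["src"], a["dst"]) != (proto, src, dst):
            continue  # not this packet (or not an alert line at all)
        if a["sid"] == MARKER_SID:
            return True, hits
        hits.append(a["msg"])
    return False, hits  # marker not seen: Snort has not logged this packet yet

def follow(path, timeout):
    """Yield lines appended to the alert file for up to timeout seconds (tail -f)."""
    deadline = time.monotonic() + timeout
    with open(path) as f:
        f.seek(0, 2)  # start at the current end: skip alerts from earlier packets
        while time.monotonic() < deadline:
            line = f.readline()
            if line:
                yield line
            else:
                time.sleep(0.01)

# Constructed sample of alert_fast output after one packet that also hit a real rule
SAMPLE_ALERTS = [
    "10/26-04:33:26.100000  [**] [1:1000001:1] TEST rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:40000 -> 192.0.2.20:80",
    "10/26-04:33:26.100000  [**] [1:1:0] packet [**] [Priority: 0] {TCP} 192.0.2.10:40000 -> 192.0.2.20:80",
]
```

In practice the program calls `decisions_for_packet(follow("/var/log/snort/alert", 2.0), ...)` right after sending the packet; Snort caps and orders the alerts it logs per packet through `config event_queue` (log 3 by default), so raise that limit if several rules can fire on one packet, or the marker may never be logged.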
