Snort mailing list archives

Re: Process Snort alerts on real time


From: Giles Coochey <giles () coochey net>
Date: Tue, 21 Feb 2017 16:38:03 +0000



On 21/02/17 16:21, Nora Aron wrote:
/"in that case, you could whip up something in perl that monitors the alert file and sends your flash message when it detects what you've configured it to react to... i have maintained an active response tool that effectively tails the alert file and issues iptables/ipset rules based on activity... you can do similar
except instead of iptables/ipset stuff, do your text messaging thing..."/

Yes, maybe I am not clear with my target due to language. I don't need any text messaging thing. I just need to know when a new alert has been triggered, so then I would extract the whole packet to be analysed by another module of my system. I found ids-tools <http://idstools.readthedocs.io/en/latest/unified2.html> by jasonish. Some of these scripts are also included in snort/tools, such as u2spewfoo. In the library they have a SpoolEventReader script which is something similar to what I need, since it is continuously reading logs. So with that simple code:
from idstools import unified2

# Follow the unified2 spool in /var/log/snort (files named snort.u2.*), yielding one event per alert
reader = unified2.SpoolEventReader("/var/log/snort", "snort.u2")
for event in reader:
    print(event)
I have my current log being tailed.
So I just would have to get the event and run my program instead of just printing it. But I am trying to figure out the format of the packet that it is providing to me. It is not hex nor binary.
\x00!\xd7j\xe4\x00\xdcJ>\x88*R\x08\x00E\xc0\x00q\xf4\xf0\x00\x00@\x01;\x92\.....

Is that a common format?


Before you invest a lot of effort into coding, perhaps have a look at something like sguil:

http://bammv.github.io/sguil/index.html

--
Regards,

Giles Coochey
+44 (0) 7584 634 135
+44 (0) 1803 529 451
giles () coochey net

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
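The escaped string quoted in the question is simply how Python prints a bytes object: non-printable bytes appear as \xNN and printable ones as themselves, so `\x00!\xd7j\xe4\x00` is a six-byte MAC address, `\x08\x00` at offset 12 is EtherType 0x0800 (IPv4), and the `E` after it is the IPv4 version/IHL byte 0x45 (TOS 0xc0, total length 0x0071, id 0xf4f0, TTL 0x40 = 64, protocol 0x01 = ICMP follow). In other words it is the raw link-layer frame as captured, and the usual way to consume it is to unpack the headers with `struct`. The following is an added example, not code from the thread or from idstools: it builds a constructed Ethernet/IPv4/ICMP frame with the same header layout as the quoted bytes (addresses and payload are made up) and parses it back, rejecting truncated headers and verifying the IPv4 header checksum. The only idstools-specific assumption, noted in the final comment, is that the raw bytes live in the packet record's `data` field.

```python
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, as used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_frame() -> bytes:
    """Constructed Ethernet II + IPv4 + ICMP echo request (not a capture from the thread).

    MACs, TOS 0xc0, IP id 0xf4f0, TTL 64 and protocol 1 mirror the bytes quoted in the
    question; the IP addresses and the ICMP payload are made up for this example.
    """
    dst_mac = bytes.fromhex("0021d76ae400")
    src_mac = bytes.fromhex("dc4a3e882a52")
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + b"ping" * 4   # type 8, code 0, csum 0
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    src_ip = socket.inet_aton("192.0.2.10")
    dst_ip = socket.inet_aton("192.0.2.1")
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0xC0, 20 + len(icmp), 0xF4F0, 0,
                         64, IPPROTO_ICMP, 0, src_ip, dst_ip)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + icmp


def _mac(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def parse_frame(raw: bytes) -> dict:
    """Decode the Ethernet II and IPv4 headers from the raw bytes of a packet record.

    Raises ValueError on truncated or malformed headers so the caller never reads past
    the buffer; 'ip_checksum_ok' reports whether the IPv4 header checksum verifies.
    """
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", raw[:14])
    info = {"eth_dst": _mac(dst), "eth_src": _mac(src), "ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return info                           # not IPv4: stop at layer 2
    if len(raw) < 34:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum,
     src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", raw[14:34])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(raw) < 14 + ihl or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    header = raw[14:14 + ihl]
    info.update({
        "tos": tos,
        "total_len": total_len,
        "id": ident,
        "ttl": ttl,
        "proto": proto,
        "ip_src": socket.inet_ntoa(src_ip),
        "ip_dst": socket.inet_ntoa(dst_ip),
        # summing the header including its own checksum field yields 0 when it verifies
        "ip_checksum_ok": inet_checksum(header) == 0,
        "payload": raw[14 + ihl:14 + total_len],
    })
    return info


if __name__ == "__main__":
    frame = build_sample_frame()
    print(repr(frame[:20]))                   # same escaped form as in the question
    print(parse_frame(frame))
    # With idstools (field name assumed): for p in event["packets"]: parse_frame(p["data"])
```

Two points worth keeping in mind before wiring this to a live spool: the layer-2 header depends on the DAQ/interface Snort captured from, so check the first bytes (as above, `08 00` at offset 12 confirms Ethernet II carrying IPv4) rather than assuming a 14-byte prefix, and reject anything that fails the length checks instead of indexing blindly, since the packet content is attacker-controlled by definition.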

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
