Snort mailing list archives
Re: Newbie: Snort and external programs
From: Dragos Ruiu <dr () kyx net>
Date: Sat, 21 Jul 2001 03:38:15 -0700
This one should be a FAQ question....

Calling another program from within your main IDS loop is generally a bad idea. Having your IDS block while waiting for <something> of dubious reliability and origin, never mind timing, while the packets are piling up is inviting packet loss. Especially with the already oh-so-consistent "Gee I think I'll go away for a minute" rock steady even cpu slicing Windows gives you (that's sarcasm, sorry).

Go with the second approach.... You want to keep that IDS task humming and munching packets as efficiently as possible with as few interruptions as possible, imho, and not be invoking the penalty of process invocation.... particularly on Windows where process invocation is a much, much heavier task than on *nix.

Some fancier output stuff may become more possible when Marty finishes his barnyard modular output stuff....

Even in a secondary process... You'll probably find something that stays "awake" all the time will work out much more nicely than something that gets "woken up" on a per alert basis for the aforementioned reasons.

cheers,
--dr

On Fri, 20 Jul 2001, Lars Norman Søndergaard wrote:
All,

I am currently playing around with the Win32 port of Snort to get a feel for it. Also I am trying to figure out the admin stuff needed (consolidating logs, automating rule updates and so on).

My question is: Is it possible to have snort call an external program when an alert is raised?

I realize that I can simply track changes to the alert file and call the app whenever the file changes.

Thanks,
Lars Søndergaard

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?listort-users
--
Dragos Ruiu <dr () dursec com>   dursec.com ltd. / kyx.net - we're from the future
gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc
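
The approach recommended in the reply above, sketched as an added example that is not part of the original thread: one long-lived process follows the alert file and handles each alert in-process, so nothing is spawned per alert and Snort never waits on it. It assumes Snort writes one alert per line in the form `<timestamp> [**] <message> [**] <details>` (fast alert mode); `AlertFollower`, `parse_fast_alert` and `run` are hypothetical names.

```python
import os
import sys
import time


class AlertFollower:
    """Long-lived reader that returns complete lines appended to an alert file."""

    def __init__(self, path, from_start=False):
        self.path = path
        # By default skip what is already in the file and report only new alerts.
        self.pos = 0 if from_start or not os.path.exists(path) else os.path.getsize(path)
        self.partial = b""  # tail of a line the writer has not finished yet

    def poll(self):
        """Return the alert lines appended since the last call (possibly none)."""
        try:
            size = os.path.getsize(self.path)
        except OSError:
            return []  # file missing, for example in the middle of a rotation
        if size < self.pos:  # file was truncated or replaced: read from the top
            self.pos, self.partial = 0, b""
        with open(self.path, "rb") as f:
            f.seek(self.pos)
            data = f.read()
            self.pos = f.tell()
        # Everything before the last newline is complete; keep the rest for later.
        *lines, self.partial = (self.partial + data).split(b"\n")
        return [l.decode("utf-8", "replace").rstrip("\r") for l in lines if l.strip()]


def parse_fast_alert(line):
    """Split '<timestamp> [**] <message> [**] <details>' into a dict, else None."""
    parts = [p.strip() for p in line.split("[**]")]
    if len(parts) != 3:
        return None
    return {"time": parts[0], "msg": parts[1], "detail": parts[2]}


def run(path, handler, interval=1.0):
    """Stay awake, poll the file, and pass each parsed alert to handler()."""
    follower = AlertFollower(path)
    while True:
        for line in follower.poll():
            alert = parse_fast_alert(line)
            if alert:
                handler(alert)  # keep this in-process; no per-alert process spawn
        time.sleep(interval)


if __name__ == "__main__":
    run(sys.argv[1], print)  # alert file path is given on the command line
```

The handler runs in the watcher, so a slow handler only delays later notifications; it does not affect packet capture.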