Snort mailing list archives

Re: Newbie: Snort and external programs

From: Dragos Ruiu <dr () kyx net>
Date: Sat, 21 Jul 2001 03:38:15 -0700


This one should be a FAQ question....

Calling another program from within your main IDS loop is
generally a bad idea.  Having your IDS block while waiting
for <something> of dubious reliability and origin nevermind
timing while the packets are piling up is inviting packet loss.  
Especially with the already oh-so-consistent "Gee I think 
I'll go away for a minute" rock steady even cpu slicing 
Windows gives you (that's sarcasm, sorry). Go  with the 
second approach....

You want to keep that IDS task humming and munching
packets as efficiently as possible with as few interruptions
as possible, imho, and not be invoking the penalty of 
process invocation.... particularly on Windows where 
process invocation is much much heavier task than *nix.
Some fancier output stuff may become more possible 
when Marty finishes his barnyard modular output stuff....

Even in a secondary process... You'll probably find 
something that stays "awake" all the time will work out
much more nicely than something that gets "woken up"
on a per alert basis for the aforementioned reasons.

cheers,
--dr


On Fri, 20 Jul 2001, Lars Norman Søndergaard wrote:

All,

I am currently playing around with the Win32 port of Snort to get a feel for
it. Also I am trying to figure out the admin stuff needed (consolidating
logs, automating rule updates and so on).

My question is: Is it possible to have snort call an external program when
an alert is raised?

I realize that I can simply track changes to the alert file and call the app
whenever the file changes.

Thanks,
Lars Søndergaard

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?listort-users

-- 
Dragos Ruiu <dr () dursec com>   dursec.com ltd. / kyx.net - we're from the future 
gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Newbie: Snort and external programs Lars Norman Søndergaard (Jul 20)
- Re: Newbie: Snort and external programs Dragos Ruiu (Jul 21)
- <Possible follow-ups>
- RE: Newbie: Snort and external programs Lars Norman Søndergaard (Jul 21)
  - RE: Newbie: Snort and external programs Dragos Ruiu (Jul 23)