Snort mailing list archives
Re: Have snort execute a command when matching a rule?
From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 05 Mar 2003 15:58:40 -0500
Please read the fine FAQ: http://www.snort.org/docs/faq.html#5.9

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

5.9 Q: Is it possible to have snort call an external program when an alert is raised?

Calling another program from within your main IDS loop is generally a bad idea. Having your IDS block while waiting for <something> of dubious reliability and origin, never mind timing while the packets are piling up, is inviting packet loss. Especially with the already oh-so-consistent "Gee I think I'll go away for a minute" rock steady even cpu slicing Windows gives you (that's sarcasm, sorry).

Go with the second approach.... process invocation is expensive on Windows. You want to keep that IDS task humming and munching packets as efficiently as possible with as few interruptions as possible, imho, and not be invoking the penalty of process invocation.... particularly on Windows where process invocation is a much much heavier task than *nix.

Even in a secondary process... You'll probably find something that stays "awake" all the time will work out much more nicely than something that gets "woken up" on a per alert basis for the aforementioned reasons. As a better alternative go check out swatch or logwatch.

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

At 08:01 PM 3/5/2003 +0000, Richard Compton wrote:
I want to have snort execute a script when it matches a rule. Is there any way to do this? I briefly looked over the docs and didn't see this as an option. Do I just need to RTFM a bit closer? If it doesn't have this ability, why not?

Thanks,
Rich Compton

-------------------------------------------------------
This SF.net email is sponsored by: Etnus, makers of TotalView, The debugger for complex code. Debugging C/C++ programs can leave you feeling lost and disoriented. TotalView can help you find your way. Available on major UNIX and Linux platforms. Try it free. www.etnus.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
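The FAQ's recommendation is a separate, always-running watcher that consumes Snort's alert log rather than a process forked from the IDS loop per alert. The following is an added example of that pattern, not code from the thread or from the Snort project: a Python process that tails an alert_fast log, parses each line, suppresses repeats of the same rule from the same source inside a time window, and hands the event to an in-process handler. The alert lines in `SAMPLE_ALERTS` are constructed for the demonstration, the regex is an assumption about the alert_fast layout those lines follow, and `on_alert` is a hypothetical handler stand-in for whatever the site actually does (paging, a ticket, a firewall API call).

```python
"""Long-running Snort alert watcher (added example, not the thread's code).

Snort only appends to its alert file and never blocks on us; this process
does the reacting, staying awake instead of being spawned per alert.
"""
import re
import sys
import time
from typing import Callable, Dict, Iterable, Iterator, Optional, Tuple

# Assumed alert_fast layout, e.g.
#   03/05-15:58:40.123456  [**] [1:1000001:1] MSG [**] [Classification: X] [Priority: 2] {TCP} 1.2.3.4:5 -> 6.7.8.9:80
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+?)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)

# Constructed sample lines (RFC 5737 documentation addresses, made-up SIDs).
SAMPLE_ALERTS = [
    "03/05-15:58:40.123456  [**] [1:1000001:1] CONSTRUCTED web probe [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:4444 -> 192.0.2.20:80",
    "03/05-15:58:41.000001  [**] [1:1000001:1] CONSTRUCTED web probe [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:4445 -> 192.0.2.20:80",
    "",  # blank line: the watcher must skip it, never crash
    "03/05-15:58:42.000000  [**] [1:1000002:1] CONSTRUCTED icmp sweep [**] "
    "[Priority: 3] {ICMP} 192.0.2.11 -> 192.0.2.20",
]


def parse_alert(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the alert's fields, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


class Suppressor:
    """Allow one event per key (here: (sid, src)) per time window."""

    def __init__(self, window_s: float) -> None:
        self.window = window_s
        self.last_seen: Dict[Tuple[str, str], float] = {}

    def allow(self, key: Tuple[str, str], now: float) -> bool:
        prev = self.last_seen.get(key)
        if prev is not None and now - prev < self.window:
            return False
        self.last_seen[key] = now
        return True


def dispatch(lines: Iterable[str], suppressor: Suppressor,
             handler: Callable[[Dict[str, Optional[str]]], None],
             now_fn: Callable[[], float] = time.monotonic) -> int:
    """Parse, de-duplicate and hand off alerts; returns how many were handled."""
    handled = 0
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue  # not an alert line; keep the loop alive
        key = (alert["sid"] or "", alert["src"] or "")
        if not suppressor.allow(key, now_fn()):
            continue  # repeat within the window; no second reaction
        handler(alert)
        handled += 1
    return handled


def follow(path: str, poll_s: float = 0.5) -> Iterator[str]:
    """Yield lines appended to path, tail -f style, polling instead of forking."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        fh.seek(0, 2)  # start at end: react only to alerts raised from now on
        while True:
            line = fh.readline()
            if line:
                yield line
            else:
                time.sleep(poll_s)


def on_alert(alert: Dict[str, Optional[str]]) -> None:
    # Hypothetical reaction; a real deployment would page, ticket, or call an API here.
    print(f"[{alert['prio']}] sid {alert['sid']} {alert['src']} -> {alert['dst']}: {alert['msg']}")


if __name__ == "__main__":
    sup = Suppressor(window_s=60.0)
    if len(sys.argv) > 1:
        dispatch(follow(sys.argv[1]), sup, on_alert)   # e.g. /var/log/snort/alert
    else:
        print(dispatch(SAMPLE_ALERTS, sup, on_alert, now_fn=lambda: 0.0), "alerts dispatched")
```

Run with the alert file path as the only argument to follow a live log; with no argument it processes the constructed sample, where the second line is suppressed as a repeat of the first rule from the same source and the blank line is skipped, so two alerts are dispatched. The suppression window is what keeps a flood of identical alerts from turning into a flood of reactions, which is the other half of why a per-alert spawn is a poor fit.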
Current thread:
- Have snort execute a command when matching a rule? Richard Compton (Mar 05)
- RE: Have snort execute a command when matching a rule? Mike Koponick (Mar 05)
- Re: Have snort execute a command when matching a rule? Matt Kettler (Mar 05)