Re: run a user+defined program

[Bennett Todd <bet () rahul net>]

2003-07-25T04:33:24 Taylan han:
> is it possilbe tu run a user defined commad if an alert has been
> received from snort? how? would you please help me on this..

Easy. Use something like swatch or sec to tail the logfile, and
trigger execution of the command. Decouple such from the snort
process --- and as your load goes up, be prepared to move the
log+tailer+external-cmd to a completely separate machine. Syslog is
an easy way to do this.

Snort doesn't have provisions to directly execute a program on
alert, and doesn't want such a feature --- it would destroy the
performance.

-Bennett

Attachment: _bin
Description: