Snort mailing list archives
Re: execute external program
From: Simon Biles <simon.biles () gmail com>
Date: Thu, 13 Oct 2005 01:53:38 -0700
Hi,
Use alert_unixsock and alert to a socket, then write a small program
to listen to the socket, and run whatever application that you choose
upon receipt of the trigger.
Below is a quick bit of Perl to listen to a socket ...
#!/usr/bin/perl
use strict;
use warnings;
# Include the socket libraries
use IO::Socket;
# This is the template to capture the Alert Name: the first 256 bytes of
# the datagram, NUL padded. Edit this to get the additional packet fields.
my $TEMPLATE = "A256 A*";
my $PATH = "/var/log/snort/snort_alert";
# Release the socket if it already exists
unlink $PATH;
# In case of user termination - exit gracefully (the END block cleans up).
$SIG{TERM} = $SIG{INT} = sub { exit 0 };
# Open up the socket.
my $client = IO::Socket::UNIX->new(Type  => SOCK_DGRAM,
                                   Local => $PATH)
    or die "Socket: $!";
print STDOUT "Socket Open ... \n";
# Loop receiving data from the socket, pulling out the
# alert name and printing it. 1024 bytes is enough for the name;
# the rest of the alert datagram is truncated at this buffer size.
my $data;
while (1) {
    # recv returns undef on error; skip that datagram and keep listening.
    defined(recv($client, $data, 1024, 0)) or next;
    my @FIELDS = unpack($TEMPLATE, $data);
    # Insert your code here to do whatever ....
    print "$FIELDS[0]\n";
}
# At termination close up the socket again.
END { unlink $PATH if defined $PATH; }
Have fun,
Cheers,
Si
On 10/12/05, Matt Kettler <mkettler () evi-inc com> wrote:
Gaston Martres wrote:

Hi. I was wondering if it is possible to execute an external program when an event or alert in snort is triggered. I was looking on google, but either I have searched in a wrong way or this is not possible.

It is not possible. See the FAQ on getting snort to email you. Executing a process directly from snort is so expensive it would bog snort down and cause it to miss a very substantial number of packets.

In general a better way is to use swatch or logsurfer to monitor the snort logs and trigger processes. This is a little less "real-time", but it should happen within a hundred milliseconds or so.

http://www.snort.org/docs/faq/1Q05/node94.html

-------------------------------------------------------
This SF.Net email is sponsored by:
Power Architecture Resource Center: Free content, downloads, discussions, and more.
http://solutions.newsforge.com/ibmarch.tmpl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Simon Biles CISSP, OPSA, BS7799 Lead Auditor, MBCS
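A Python version of the socket listener Simon describes, added here as an example rather than code from the original post. It assumes, as the post's "A256 A*" unpack template does, that each datagram on the alert_unixsock socket begins with a 256-byte NUL-padded alert message; the socket path is the one from the post, and the HANDLERS allowlist entry is a constructed placeholder.

```python
import os
import socket
import subprocess

SOCK_PATH = "/var/log/snort/snort_alert"   # same path as the Perl listener
MSG_LEN = 256                              # width of the "A256" alert field

# Allowlist mapping an alert message to a fixed argv. The alert text is only
# ever used as a lookup key, never as part of a command line, so a rule msg
# cannot smuggle shell metacharacters into whatever gets executed.
HANDLERS = {
    "ICMP PING": ["logger", "-t", "snort-handler", "ICMP PING seen"],
}

def parse_alert(datagram: bytes) -> str:
    """Return the alert message: the first MSG_LEN bytes, cut at the first NUL.
    Raises ValueError for a datagram too short to hold the field."""
    if len(datagram) < MSG_LEN:
        raise ValueError("datagram shorter than the alert message field")
    return datagram[:MSG_LEN].split(b"\0", 1)[0].decode("ascii", "replace")

def dispatch(msg: str):
    """Return the argv registered for msg, or None when it is not allowlisted."""
    return HANDLERS.get(msg)

def serve(path: str = SOCK_PATH) -> None:
    """Bind the datagram socket Snort writes to and run handlers until killed."""
    if os.path.exists(path):
        os.unlink(path)                    # release a stale socket file
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    sock.bind(path)
    os.chmod(path, 0o660)                  # only the snort user/group may send
    try:
        while True:
            # Only the leading field is needed; bytes past the buffer are dropped.
            data = sock.recv(65536)
            try:
                argv = dispatch(parse_alert(data))
            except ValueError:
                continue                   # malformed datagram, ignore it
            if argv is not None:
                # Argument list, no shell; runs in the background so a slow
                # handler never stalls alert reception.
                subprocess.Popen(argv, close_fds=True)
    finally:
        sock.close()
        if os.path.exists(path):
            os.unlink(path)

if __name__ == "__main__":
    serve()
```

Keeping the handler as an allowlisted argument list is what stops the alert text from ever reaching a shell, and running it outside Snort's process avoids the per-alert cost Matt's reply warns about.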
Current thread:
- execute external program Gaston Martres (Oct 12)
- Re: execute external program Justin Heath (Oct 12)
- Re: execute external program Jeff Kell (Oct 12)
- Re: execute external program Murali Raju (Oct 12)
- Re: execute external program Matt Kettler (Oct 12)
- Re: execute external program Simon Biles (Oct 13)
- Re: Re: execute external program Sam Evans (Oct 13)
- Re: execute external program Simon Biles (Oct 13)
- Re: execute external program Gaston Martres (Oct 13)
