Snort mailing list archives
Re: execute external program
From: Simon Biles <simon.biles () gmail com>
Date: Thu, 13 Oct 2005 01:53:38 -0700
Hi,

Use alert_unixsock and alert to a socket, then write a small program to listen to the socket, and run whatever application that you choose upon receipt of the trigger.

Below is a quick bit of Perl to listen to a socket ...

#!/usr/bin/perl
use strict;
use warnings;

# Include the socket libraries (IO::Socket also exports SOCK_DGRAM)
use IO::Socket;

# This is the template to capture the Alert Name: the first 256 bytes
# of each datagram are the alert message, the rest is the binary packet
# header and packet. Edit this to get the additional packets.
my $TEMPLATE    = "A256 A*";
my $SOCKET_PATH = "/var/log/snort/snort_alert";

# Release the socket if it already exists
unlink $SOCKET_PATH;

# In case of user termination - exit gracefully.
$SIG{TERM} = $SIG{INT} = sub { exit 0 };

# Open up the socket.
my $client = IO::Socket::UNIX->new(
    Type  => SOCK_DGRAM,
    Local => $SOCKET_PATH,
) or die "Socket: $@";
print STDOUT "Socket Open ... \n";

# Loop receiving data from the socket, pulling out the
# alert name and printing it.
my $data;
while (1) {
    defined( recv( $client, $data, 1024, 0 ) ) or die "recv: $!";
    my @FIELDS = unpack( $TEMPLATE, $data );
    # Insert your code here to do whatever ....
    print "$FIELDS[0] \n";
}

# At termination close up the socket again.
END { unlink $SOCKET_PATH; }

Have fun,

Cheers,

Si

On 10/12/05, Matt Kettler <mkettler () evi-inc com> wrote:
> Gaston Martres wrote:
> > Hi. I was wondering if it is possible to execute an external program when an event or alert in snort is triggered. I was looking on google, but, or I have searched in a wrong way or this is not possible.
>
> It is not possible. See the FAQ on getting snort to email you.
>
> Executing a process directly from snort is so expensive it would bog snort down and cause it to miss a very substantial number of packets.
>
> In general a better way is to use swatch or logsurfer to monitor the snort logs and trigger processes. This is a little less "real-time", but it should happen within a hundred milliseconds or so.
>
> http://www.snort.org/docs/faq/1Q05/node94.html
>
> -------------------------------------------------------
> This SF.Net email is sponsored by:
> Power Architecture Resource Center: Free content, downloads, discussions, and more.
> http://solutions.newsforge.com/ibmarch.tmpl
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Simon Biles
CISSP, OPSA, BS7799 Lead Auditor, MBCS
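The listener pattern Simon describes, as an added example that is not part of the thread or of Snort itself: a Python program bound to the same unix datagram socket, which parses only the 256-byte alert message (the part the Perl template "A256" extracts; the trailing packet header and packet are platform-dependent binary and are ignored), runs the external program without a shell, and applies a per-alert-name cooldown so that the process spawning Matt warns about stays out of Snort's packet path and cannot turn an alert flood into a fork storm. The socket path, the 256-byte message length, the 5 second cooldown and /usr/local/bin/notify-alert are assumptions for illustration; make_datagram() and demo() build constructed sample datagrams so the logic runs offline.

```python
#!/usr/bin/env python3
"""Listener for Snort's alert_unixsock output (added example, not from the thread).

Assumptions (not from the original post): Snort writes one datagram per alert
whose first 256 bytes are the NUL-padded alert message; everything after that
is a platform-dependent binary packet header plus packet and is ignored here.
"""
import os
import socket
import subprocess
import time
from typing import Callable, List, Optional

SOCKET_PATH = "/var/log/snort/snort_alert"  # assumed path, same as the Perl listener
ALERTMSG_LENGTH = 256                       # assumed message field size ("A256")
MAX_DATAGRAM = 65536                        # receive buffer; never truncates the message field
NOTIFY_PROGRAM = "/usr/local/bin/notify-alert"  # hypothetical placeholder program


def parse_alert(datagram: bytes) -> str:
    """Return the alert message: the first 256 bytes, up to the first NUL."""
    field = datagram[:ALERTMSG_LENGTH]
    return field.split(b"\0", 1)[0].decode("ascii", errors="replace")


class CooldownGate:
    """Allow an action for a given alert name at most once per `cooldown` seconds."""

    def __init__(self, cooldown: float):
        self.cooldown = cooldown
        self._last = {}

    def allow(self, name: str, now: float) -> bool:
        last = self._last.get(name)
        if last is not None and now - last < self.cooldown:
            return False
        self._last[name] = now
        return True


def build_command(alert_name: str) -> List[str]:
    """Argument list for the external program: no shell involved, the alert
    text travels as one argv element after '--' so it can never be parsed as an option."""
    return [NOTIFY_PROGRAM, "--", alert_name]


def handle(datagram: bytes, gate: CooldownGate, now: Optional[float] = None,
           runner: Callable = subprocess.run) -> Optional[str]:
    """Parse one datagram and dispatch; return the alert name if the program ran, else None."""
    name = parse_alert(datagram)
    if now is None:
        now = time.monotonic()
    if not gate.allow(name, now):
        return None
    runner(build_command(name), check=False, timeout=10)
    return name


def make_datagram(alert_name: str, tail: bytes = b"\0" * 64) -> bytes:
    """Constructed sample datagram in the shape the listener expects: the alert
    message NUL-padded to 256 bytes, followed by opaque bytes standing in for
    the packet header and packet."""
    msg = alert_name.encode("ascii")[:ALERTMSG_LENGTH - 1]
    return msg.ljust(ALERTMSG_LENGTH, b"\0") + tail


def demo() -> List[str]:
    """Offline run: constructed alerts through handle() with a recording runner
    instead of subprocess.run, so nothing is executed."""
    ran: List[str] = []
    gate = CooldownGate(cooldown=5.0)
    recorder = lambda cmd, **kw: ran.append(cmd[-1])
    timeline = [("ICMP PING (constructed)", 0.0),
                ("ICMP PING (constructed)", 1.0),        # suppressed: within cooldown
                ("WEB-MISC probe (constructed)", 1.5),   # different name: allowed
                ("ICMP PING (constructed)", 6.0)]        # cooldown expired: allowed
    for name, clock in timeline:
        handle(make_datagram(name), gate, now=clock, runner=recorder)
    return ran


def serve(path: str = SOCKET_PATH, cooldown: float = 5.0) -> None:
    """Bind the unix datagram socket that Snort's alert_unixsock writes to and loop."""
    if os.path.exists(path):
        os.unlink(path)
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    sock.bind(path)
    gate = CooldownGate(cooldown)
    print("Socket Open ...")
    try:
        while True:
            ran = handle(sock.recv(MAX_DATAGRAM), gate)
            print("ran handler for: %s" % ran if ran else "suppressed (cooldown)")
    finally:
        sock.close()
        os.unlink(path)


if __name__ == "__main__":
    serve()
```

Only the message field is decoded because the remainder of each datagram is a C struct whose layout depends on the platform's pcap header; an implementation that needs packet data should take the offsets from the Snort build it runs against rather than guess them. The alert message comes from the rule's msg text, not from the packet, but it is still passed as a single argv element rather than through a shell so that quoting in a rule message can never change what gets executed.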
Current thread:
- execute external program Gaston Martres (Oct 12)
- Re: execute external program Justin Heath (Oct 12)
- Re: execute external program Jeff Kell (Oct 12)
- Re: execute external program Murali Raju (Oct 12)
- Re: execute external program Matt Kettler (Oct 12)
- Re: execute external program Simon Biles (Oct 13)
- Re: Re: execute external program Sam Evans (Oct 13)
- Re: execute external program Simon Biles (Oct 13)
- Re: execute external program Gaston Martres (Oct 13)