Snort mailing list archives

Re: Homebrew Snort Reactive/Unified2 output


From: Martin Roesch <roesch () sourcefire com>
Date: Thu, 31 Mar 2011 09:31:39 -0400

On Wed, Mar 30, 2011 at 4:58 PM, Korodev <korodev () gmail com> wrote:
> Hey guys,
>
> I'm trying to implement a proof-of-concept system that will "react"
> based on snort alerts. In short, once Snort detects an alert, I have a
> C lines that I would like executed as *quickly* as possible. There
> seem to be several points of insertion for this. First, would be
> modifying the unified2 output plugin to do some custom work as well as
> maintain normal unified2 output. Second, would be to modify a BY2
> output plugin (this seems to be what the Snort team suggests), but
> given that speed is a factor, picking it up right out of Snort is
> ideal. Does homebrew take a time-based polling approach to unified2
> files? I quickly browsed through the source and saw no indication
> otherwise.
>
> I suppose the last option would be to write my own unified2 parser,
> but I really don't have that much time on my hands. As I understand
> it, the best/only documentation of the unified2 output format is the
> snort source code..is that correct?
>
> Suggestions?

At the risk of getting into a philosophical discussion...

The absolute fastest place to fire a response post-detection would be
an output plugin.  There's no need to hook the U2 output plugin or
write an output module for BY2; depending on a number of factors,
you're not going to get the absolute fastest activation time for your
code from the point of detection.

If I was going to do it (and I thought that triggering responses
automatically based on raw IPS output was a good idea, it generally
isn't) I'd be writing an output plugin for Snort.  As Martin
mentioned, starting off by looking at the syslog output plugin would
be a good place to get started.


Marty



-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org
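The unified2 format Korodev asks about has no specification beyond the Snort source, so as an added example (not code from this thread, from Snort or from Homebrew) here is a minimal C walker over a unified2 byte stream. It follows the layout of Snort's Unified2RecordHeader and Unified2IDSEvent_legacy structs (record type 7, every field big-endian), skips packet records, and refuses to read past a record whose declared length exceeds the bytes available; the sample stream, its signature id and its addresses are constructed for the example.

```c
/* Minimal unified2 record walker (added example, not Snort code).  A record is
 * an 8-byte header (type, length; big-endian) followed by `length` body bytes. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Type 7 is the legacy IPv4 IDS event (fixed 52-byte body); type 2 is a packet. */
enum { U2_PACKET = 2, U2_IDS_EVENT = 7, U2_IDS_EVENT_LEN = 52 };

struct u2_event { uint32_t event_second, signature_id, generator_id, ip_src, ip_dst;
                  uint16_t sport, dport; uint8_t protocol, blocked; };

static uint32_t be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static void put32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v; }

/* Walk `len` bytes of records, copying the last type-7 event into *ev.  Returns the
 * number of type-7 events, or -1 if a record claims more bytes than remain, so the
 * walker never reads past the buffer.  A trailing partial header is left for the
 * next read, which is what a reader following a growing unified2 file needs. */
int u2_walk(const uint8_t *buf, size_t len, struct u2_event *ev)
{
    size_t off = 0; int events = 0;
    while (off + 8 <= len) {
        uint32_t type = be32(buf + off), rlen = be32(buf + off + 4);
        const uint8_t *b = buf + off + 8;                 /* record body */
        if (rlen > len - off - 8) return -1;              /* truncated record */
        if (type == U2_IDS_EVENT) {
            if (rlen < U2_IDS_EVENT_LEN) return -1;       /* body too short */
            ev->event_second = be32(b + 8);   ev->signature_id = be32(b + 16);
            ev->generator_id = be32(b + 20);  ev->ip_src       = be32(b + 36);
            ev->ip_dst       = be32(b + 40);  ev->sport        = be16(b + 44);
            ev->dport        = be16(b + 46);  ev->protocol     = b[48];
            ev->blocked      = b[51];         events++;
        }
        off += 8 + rlen;             /* packet and unknown record types are skipped */
    }
    return events;
}

/* Constructed sample: one event (sid 1000001, gid 1, 10.0.0.5:4444 -> 192.0.2.10:80,
 * TCP) followed by an 8-byte type-2 packet record.  Writes 76 bytes into `out`. */
size_t sample_stream(uint8_t *out)
{
    uint8_t *b = out + 8;
    memset(out, 0, 76);
    put32(out, U2_IDS_EVENT); put32(out + 4, U2_IDS_EVENT_LEN);
    put32(b + 8, 1301563899);  put32(b + 16, 1000001);  put32(b + 20, 1);
    put32(b + 36, 0x0A000005); put32(b + 40, 0xC000020A);
    b[44] = 0x11; b[45] = 0x5C; b[47] = 0x50; b[48] = 6;   /* sport 4444, dport 80, TCP */
    put32(out + 60, U2_PACKET); put32(out + 64, 8);
    return 76;
}
```

Whether the file is polled or tailed, a reader built on this still pays for Snort's write and your read before anything fires; that is the latency gap against an in-process output plugin that the reply points to.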
