Snort mailing list archives

Re: Homebrew Snort Reactive/Unified2 output


From: Martin Roesch <roesch () sourcefire com>
Date: Thu, 31 Mar 2011 10:17:44 -0400

On Thu, Mar 31, 2011 at 10:11 AM, Korodev <korodev () gmail com> wrote:
>> At the risk of getting into a philosophical discussion...
>>
>> The absolute fastest place to fire a response post-detection would be
>> an output plugin.  There's no need to hook the U2 output plugin or
>> write an output module for BY2; depending on a number of factors,
>> you're not going to get the absolute fastest activation time for your
>> code from the point of detection.

> That seems to be the general consensus. To avoid the philosophical
> discussion, I'm not only interested in IPS style responses, but simply
> interested in getting a 'heartbeat' signal as soon as an alert has
> tripped. My only reason for implying hooking the U2 output plugin was
> my desire to preserve U2 output for later processing. I feel like I'm
> being directed away from that, but I'm not sure why. I haven't played
> with Snort's output plugins in the past, so this will be a beneficial
> exercise.

That's cool.  You can have multiple output plugins active at the same
time, so it's not necessary to do anything to the U2 plugin; you can
just run it alongside whatever plugin you write (via the snort.conf
file) and they'll be called sequentially.


Marty

-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org
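[Editor's note: the following snort.conf fragment is an added illustration of Marty's point about running several output plugins side by side; it is not part of the original thread. The unified2 and alert_syslog directives are standard Snort 2.x output keywords; "alert_heartbeat" is a hypothetical name standing in for whatever keyword a homebrew plugin registers, and the file name and limit are made-up values.]

```conf
# snort.conf excerpt (added example, not from the original post)
#
# Output plugins are independent of each other: each "output" line below
# is activated at startup and every alert is handed to each of them in
# turn. Nothing about the unified2 plugin has to change to add another
# consumer of the same alerts.

# 1. Keep the binary unified2 log for offline processing (Barnyard2 etc.).
#    "snort.u2" and the 128 MB rollover size are example values.
output unified2: filename snort.u2, limit 128

# 2. A second, stock plugin running alongside it, e.g. syslog, so the
#    same alert also reaches a log collector immediately.
output alert_syslog: LOG_AUTH LOG_ALERT

# 3. A homebrew plugin would be enabled the same way, under whatever
#    keyword it registers with Snort. "alert_heartbeat" is hypothetical,
#    as is its argument; it is only here to show where such a line goes.
#output alert_heartbeat: /var/run/snort-heartbeat.sock
```

Note that the output section is the only place you touch to add a consumer: the rule set and preprocessors are unaffected, and removing a line disables that plugin without affecting the others.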
