Re: Snort Event Types

[James Lay <jlay () slave-tothe-box net>]

On 2014-03-27 07:46, Dave Corsello wrote:
> Configure Snort with an additional output statement to send alerts to 
> an
> alert_fast file.  Your script can monitor that file and act on 
> certain
> alerts.
>
> On 3/27/2014 9:13 AM, Turnbough, Bradley E. wrote:
> > Is it possible to generate an alert (logged to a unified file) AND 
> > also fire a script to do something on the OS of the sensor itself?
> >
> > I have snort installed and operating properly.  Snort 2.9.5.5.  
> > Snort currently outputs to unified2.
> >
> > "output unified2: filename snort.u2, limit 128"
> >
> > Barnyard2 (2.1.9) picks up the .u2 file and processes it.
> >
> > Barnyard2 config:
> > output alert_fast: stdout
> > output database: alert, mysql, user=snort dbname=snorby 
> > password=blah host=ipaddresshere
> >
> > I want to kick off a shell script file to do some things within the 
> > sensor when the alert is first generated.  Is this possible?
> >
> > I'm running daemonlogger to generate pcap files, and want to be able 
> > to archive the pcap files when certain traffic triggers an alert.
> >
> > Thanks,
> >
> > Brad

Apps like wots and SEC work great for monitoring syslog or snort fast 
alert files.

James

http://www.e-dynamics.be/?section=programs
http://simple-evcorr.sourceforge.net

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!