[Snort-devel] Patch: exec option for starting programs triggered by rules
From: Stefan Schlott <stefan.schlott(at)informatik.uni-ulm.de>
Date: Thu Jun 26 2003 - 08:50:51 EDT
I had the need to run a program when snort matched a specific signature (I wanted to find out more about the attacker's host, e.g. by running nmap). I didn't find a function in snort, so I wrote a new detection plugin (analogous to react and respond). It uses a comma-separated list of option=value tuples as syntax. I implemented the following options:
program=programname option option...
program denotes the command to be executed. Options will be passed to the program; the special options "#s" and "#d" are replaced with the source/destination IP of the triggering packet. ratelimit limits the rule to be triggered at most i times per second. output redirects stdout and stderr of the forked process to the given file.

In my example, I used the following options:

exec:program=/usr/local/snort/nmap -sS -O #s,ratelimit=3,output=/var/log/snort/nmap.log

The plugin is enabled with the --enable-flexresp option in the configure script, just like react and respond. Patch against today's snapshot is attached; hope you find it useful.

Stefan.

--
*--- please cut here... -------------------------------------- thanks! ---*
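The option syntax described in the message (program=..., ratelimit=..., output=..., with #s and #d standing for the packet's source and destination IP), modelled in Python as an added example; this is not the C code from the attached patch, and the exact parsing and rate-limiting behaviour of the plugin is not shown in the post, so the rules below (splitting the program value into argv before substitution so that nothing passes through a shell, validating the substituted addresses as IP literals, a fixed one-second window for ratelimit) are this example's own assumptions. The packet addresses used in the demo are constructed.

```python
"""Model of the exec rule-option syntax from the post (added example, not the
patch's own C code). Parsing rules and the rate-limit window are assumptions."""
import ipaddress
import time
from typing import Callable, Dict, List, Optional, Union

KNOWN_KEYS = ("program", "ratelimit", "output")


def parse_exec_options(opts: str) -> Dict[str, Union[str, int]]:
    """Parse 'program=CMD ARGS...,ratelimit=N,output=FILE' into a dict.

    Fields are comma-separated, so (as in the syntax described) a command line
    containing a literal comma cannot be expressed. The program value keeps its
    internal spaces; it is split into argv later."""
    result: Dict[str, Union[str, int]] = {}
    for field in opts.split(","):
        field = field.strip()
        if not field:
            continue
        if "=" not in field:
            raise ValueError(f"malformed option, expected key=value: {field!r}")
        key, value = (part.strip() for part in field.split("=", 1))
        if key not in KNOWN_KEYS:
            raise ValueError(f"unknown exec option: {key!r}")
        if key == "ratelimit":
            limit = int(value)
            if limit < 1:
                raise ValueError("ratelimit must be a positive integer")
            result[key] = limit
        else:
            if not value:
                raise ValueError(f"{key}= needs a value")
            result[key] = value
    if "program" not in result:
        raise ValueError("program= is required")
    return result


def build_argv(program: str, src_ip: str, dst_ip: str) -> List[str]:
    """Split the program string into argv and substitute #s / #d per token.

    Substitution happens after splitting, so each address becomes exactly one
    argv element and nothing is handed to a shell. The addresses are validated
    as IP literals first (a defensive check assumed by this example)."""
    for ip in (src_ip, dst_ip):
        ipaddress.ip_address(ip)  # raises ValueError for anything but an IP literal
    return [tok.replace("#s", src_ip).replace("#d", dst_ip) for tok in program.split()]


class RateLimiter:
    """Allow at most `limit` triggers per fixed one-second window.

    `clock` is injectable so the behaviour can be checked without sleeping."""

    def __init__(self, limit: int, clock: Callable[[], float] = time.monotonic):
        self.limit = limit
        self.clock = clock
        self.window_start: Optional[float] = None
        self.count = 0

    def allow(self) -> bool:
        now = self.clock()
        if self.window_start is None or now - self.window_start >= 1.0:
            self.window_start, self.count = now, 0
        if self.count >= self.limit:
            return False
        self.count += 1
        return True


def plan_exec(options: Dict[str, Union[str, int]], src_ip: str, dst_ip: str,
              limiter: RateLimiter) -> Optional[List[str]]:
    """Return the argv that would be spawned for this alert, or None when the
    rate limit suppresses it. Spawning the process and redirecting its
    stdout/stderr to options['output'] is left to the caller."""
    if not limiter.allow():
        return None
    return build_argv(str(options["program"]), src_ip, dst_ip)


if __name__ == "__main__":
    # The option string from the post; the packet addresses are constructed.
    opts = parse_exec_options(
        "program=/usr/local/snort/nmap -sS -O #s,ratelimit=3,output=/var/log/snort/nmap.log")
    limiter = RateLimiter(int(opts["ratelimit"]))
    for n in range(5):
        argv = plan_exec(opts, "192.0.2.10", "198.51.100.7", limiter)
        print(f"alert {n}: {'run ' + ' '.join(argv) if argv else 'suppressed by ratelimit'}")
```

Running the script with the post's own option string shows three alerts in the same second producing an argv of four elements (the #s token replaced by the source address) and the fourth and fifth being suppressed by the ratelimit=3 setting.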
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:06 EDT