Snort - the de facto standard for intrusion detection/prevention

5.11 Is it possible to have Snort call an external program when an alert is raised?

Calling another program from within your main IDS loop is generally a bad idea. Having your IDS block while it waits for <something> of dubious reliability, origin (never mind timing) while the packets pile up is inviting packet loss. Especially with the already oh-so-consistent "Gee, I think I'll go away for a minute" rock-steady CPU slicing Windows gives you (that's sarcasm, sorry). Go with the second approach.... process invocation is expensive on Windows.

You want to keep that IDS task humming and munching packets as efficiently as possible, with as few interruptions as possible, imho, and not be paying the penalty of process invocation.... particularly on Windows, where process invocation is a much, much heavier task than on *nix.

Even in a secondary process... You'll probably find that something which stays "awake" all the time works out much more nicely than something that gets "woken up" on a per-alert basis, for the aforementioned reasons.

As a better alternative, go check out swatch or logwatch. Also, for those new to UNIX, logging alerts to syslog and then using "tail -f /var/log/messages" might be what you are looking for.
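The "stays awake" consumer the answer recommends, as an added example that is not part of the Snort FAQ or the Snort code base: a small Python process that tails the syslog file Snort writes to, picks out the Snort alert lines, and reacts to them in-process, so Snort itself never forks anything. It assumes the line layout of Snort's syslog alert output (`[gid:sid:rev] message [Classification: ...] [Priority: n] {PROTO} src -> dst`); the sample lines, hostnames, sids and addresses are constructed for the demo, and address splitting is written for IPv4 only.

```python
"""Persistent Snort alert follower (example code, not Snort's own).

Tails the log Snort's syslog output lands in and handles alerts inside one
long-lived process, instead of Snort spawning a program per alert.
"""
import os
import re
import time
from typing import Iterable, Iterator, Optional

# Layout of a Snort alert line as emitted by its syslog output:
# gid:sid:rev, message, optional classification, priority, protocol,
# source -> destination. TCP/UDP endpoints are addr:port, ICMP ones bare.
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?"
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>\S+) -> (?P<dst>\S+)\s*$"
)


def _split_endpoint(ep: str):
    """'10.0.0.5:44321' -> ('10.0.0.5', 44321); '10.0.0.5' -> ('10.0.0.5', None).
    IPv4 only: an IPv6 literal would need bracket handling."""
    host, sep, port = ep.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return ep, None


def parse_alert(line: str) -> Optional[dict]:
    """Return a dict for a Snort alert line, or None for any other syslog line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    src_ip, src_port = _split_endpoint(m["src"])
    dst_ip, dst_port = _split_endpoint(m["dst"])
    return {
        "gid": int(m["gid"]), "sid": int(m["sid"]), "rev": int(m["rev"]),
        "msg": m["msg"], "classification": m["cls"],
        "priority": int(m["prio"]), "proto": m["proto"],
        "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port,
    }


def iter_alerts(lines: Iterable[str]) -> Iterator[dict]:
    """Filter any iterable of log lines down to parsed Snort alerts."""
    for line in lines:
        alert = parse_alert(line)
        if alert is not None:
            yield alert


def follow(path: str, poll: float = 0.5) -> Iterator[str]:
    """'tail -f' done in-process: yield lines as they are appended, and start
    over from offset 0 if the file shrinks (truncation by log rotation)."""
    with open(path, "r", errors="replace") as fh:
        fh.seek(0, os.SEEK_END)
        while True:
            line = fh.readline()
            if line:
                yield line
                continue
            if os.path.getsize(path) < fh.tell():  # file was truncated/rotated
                fh.seek(0)
            else:
                time.sleep(poll)


def summarize(alerts: Iterable[dict], notify_at: int = 1) -> dict:
    """Count alerts per sid and collect those at or above a priority threshold
    (Snort priority 1 is the most severe). A real handler would page someone
    or open a ticket here, still without forking a process per alert."""
    per_sid, urgent = {}, []
    for a in alerts:
        per_sid[a["sid"]] = per_sid.get(a["sid"], 0) + 1
        if a["priority"] <= notify_at:
            urgent.append(a)
    return {"per_sid": per_sid, "urgent": urgent}


# Constructed sample lines (not from any real sensor) in the layout above.
SAMPLE_LOG = [
    "Nov  3 10:15:42 sensor snort[2231]: [1:1000001:2] LOCAL web probe "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:44321 -> 10.0.0.9:80",
    "Nov  3 10:15:43 sensor sshd[410]: Accepted publickey for ops from 10.0.0.2 port 50122",
    "Nov  3 10:15:44 sensor snort[2231]: [1:1000002:1] LOCAL icmp sweep "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.9",
    "Nov  3 10:15:45 sensor snort[2231]: [1:1000001:2] LOCAL web probe "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:44322 -> 10.0.0.9:80",
]

if __name__ == "__main__":
    import sys
    # Offline demo on the constructed lines; give a log path to follow it live.
    source = follow(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    for alert in iter_alerts(source):
        print(f"sid={alert['sid']} prio={alert['priority']} "
              f"{alert['src_ip']} -> {alert['dst_ip']}:{alert['dst_port']} {alert['msg']}")
```

Run it with no arguments to see the constructed lines parsed, or with the path of the file Snort's syslog output lands in (for example the /var/log/messages the answer mentions) to follow a live log; non-Snort syslog lines, like the sshd line in the sample, are simply skipped. The truncation check in follow() is the one piece a bare tail -f loop tends to miss: after rotation the follower would otherwise sit at a stale offset and never see new alerts.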
