Re: Help with Snort and File::Tail

Or is there another method I am not thinking of?

Can't you start snort from within your perl script using a piped open, so you read the file before it is written to disk?

Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.

"Science is about questioning the status quo. Questioning authority".

In the absence of evidence, opinion is indistinguishable from prejudice.

Comment on Re: Help with Snort and File::Tail

Replies are listed 'Best First'.
Re^2: Help with Snort and File::Tail by Anonymous Monk on Jun 22, 2011 at 12:46 UTC
I don't know off the top of my head how to do this since I just started Perl and I haven't looked at this specifically but I am certain you can. What do you mean though? I don't really care that the Snort log is in snort.log. I more care that I grab everything that is being written to it (lets say check every 20 seconds with File::Tail) and parse it with Perl, and output it somewhere else.	[reply]
Re^3: Help with Snort and File::Tail by ikegami (Patriarch) on Jun 23, 2011 at 07:18 UTC
He is suggesting that if snort were to be configured to send output its output to stdout, your script could act like a filter (like grep), so you wouldn't have to use File::Tail and the process would be more reliable. You'd still have to identify alerts, thought. — I'm not familiar with snort. This could be trivial or impossible.	[reply]