Pigear is meant to provide interface for Snort(NIDS)'s unix socket. You can use Pigear to listen on snort's socket and then handle alert's appropriately. Default implementation only turns binary data from socket into AlertMessage structure which refers to snort's C structure.
With IPython installed you can use Pigear for real-time examination of alerts.
Example:
$ sudo python -m pigear --data-handler pigear.contrib.IPythonDataHandler
##################################################################################
IPython data handler initialized.
On Snort's alert, IPython shell is spawned for you.
Alert is present as ``msg`` variable in current scope.
##################################################################################
Python 2.7.3 (default, Apr 20 2012, 22:44:07)
Type "copyright", "credits" or "license" for more information.
IPython 0.12.1 -- An enhanced Interactive Python.
? -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help -> Python's own help system.
object? -> Details about 'object', use 'object??' for extra details.
In [1]: msg.
msg.caplen msg.count msg.msg
msg.classification msg.data msg.nethdr
msg.dlthdr msg.event_reference msg.priority
msg.event_id msg.index msg.sig_generator
msg.pkt msg.transhdr msg.ts_usec
msg.pktlen msg.ts_sec msg.tv_sec
msg.sig_id msg.tv_usec
msg.sig_rev msg.val
In [1]: msg.priority
Out[1]: 2
In [2]: print(msg.msg)
VOIP-SIP-UDP From header unquoted tokens in field attemptOr if you want to send alerts as json to remote http server there's HttpSendHandler class, you'll nedd requests for this:
$ sudo python -m pigear --debug --data-handler pigear.contrib.HttpSendHandler url=http://httpbin.org/postClone this repo and run:
$ python setup.py installOr use pip:
$ pip install -e git://github.com/beezz/pigear.git#egg=pigearModule script usage:
$ python -m pigear --help
usage: __main__.py [-h] [--logdir LOGDIR] [--data-handler DATA_HANDLER]
[--socket-handler SOCKET_HANDLER] [--serve-forever]
[--debug]
...
Open socket for Snort and wait for some alerts.
positional arguments:
kwargs Keyword arguments for socket handler, which can pass
them to data handler. In form `key=value
another_key=next_value`
optional arguments:
-h, --help show this help message and exit
--logdir LOGDIR Full path to Snort's logdir. Socket is created in this
directory as `snort_alert`, (Make sure that Snort will
have sufficient privileges to write to this location)
--data-handler DATA_HANDLER
Python dotted path to data handler class.
`pigear.core.DataHandler` is used by default.
--socket-handler SOCKET_HANDLER
Python dotted path to socket handler class.
`pigear.core.SocketHandler` is used by default.
--serve-forever With this option default implementation log exception
and goes for another alert.Without this option
exceptions are reraised
--debug set `logging.DEBUG` level, otherwise `logging.ERROR`