Cyberprobe is a distributed software architecture for monitoring of networks against attack. It consists of two components: cyberprobe, which collects data packets and forwards them over a network in standard streaming protocols; and cybermon which decodes protocols, and invokes user-defined logic on the decoded data.
Cyberprobe can be integrated with snort so that the captured data corresponds with an attackers IP address as detected by snort.
Cybermon uses a LUA configuration file to describe what to do with the decoded information, providing great flexibility. Cybermon also supports a couple of packet injection techniques, allowing you to respond to attacks by resetting connections, or forging DNS responses.