Snort mailing list archives

Snort and Unix-Socket


From: TSauter () gmx net
Date: Wed, 21 Nov 2001 19:58:34 +0100 (MET)

Hello Snort-Users,

First, thanks for your wonderful Snort product. It works fine and makes my life easier.

WatchGuard has released software to send messages or block addresses directly. But how can I get the Snort messages and call this program directly from Snort?

One way I think is possible is to send the alerts to syslog and then use a tool like swatch to call the WatchGuard software. But for this method I need a logfile on the Snort machine, which can blow up and needs to be cleared from time to time. The other way is using the unixsock output plugin, reading the socket with a little daemon and then calling the external program.

But after some tests and "googles" I think the plugin never sends any data to the socket. At the same time the alert will be detected and sent to the MySQL database and to syslog. So the generated attack will be detected by Snort, but isn't sent to the socket.

<code-snipset>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

#define MAXLEN 65536    /* one Snort alert datagram carries the message plus the packet */

int main(void)
{
        int sockfd, n, i;
        struct sockaddr_un adress;
        char buffer[MAXLEN];

        if((sockfd = socket(PF_UNIX, SOCK_DGRAM, 0)) == -1) {
                perror("socket");
                exit(EXIT_FAILURE);
        }

        memset(&adress, 0, sizeof(adress));
        adress.sun_family = AF_UNIX;
        strcpy(adress.sun_path, "/dev/snort_alert");
        unlink(adress.sun_path);        /* remove a stale socket file from an earlier run */

        if(bind(sockfd, (struct sockaddr *) &adress, sizeof(adress)) == -1) {
                perror("bind");
                exit(EXIT_FAILURE);
        }

        /* SOCK_DGRAM is connectionless: listen() and accept() fail with EOPNOTSUPP
         * on it, so each alert datagram is read straight from the bound socket. */
        while((n = read(sockfd, buffer, MAXLEN)) > 0) {
                for(i = 0; i < n; i++) {        /* print all n bytes, not n-1 */
                        printf("%c=%02x ", buffer[i], (unsigned char) buffer[i]);
                }
                printf("\n");
                fflush(stdout);
        }

        close(sockfd);
        return 0;
}
</code-snipset>

Environment: OpenBSD 2.9-current/ Snort-1.8.2/ MySQL

<snort.conf>
output alert_syslog: LOG_LOCAL7
output database: alert, mysql, user=XXX password=XXX dbname=snortdb host=localhost
output alert_unixsock
</snort.conf>

Where is my mistake? Or is the plugin currently not working?
Or is there any other practicable way to call an external program?

Thanks a lot
Thorsten

p.s. sorry for this poor english :)


-- 
Thorsten Sauter
<tsauter () gmx net>



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
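The "little daemon" the post describes, reading alert_unixsock datagrams and handing each alert to an external program, as an added example that is not code from the original post or from the Snort project. It assumes what Snort 1.8's unixsock plugin does: one datagram per alert, sent to a SOCK_DGRAM socket at /dev/snort_alert, whose first 256 bytes are the NUL-terminated alert message (ALERTMSG_LENGTH in Snort's spo_alert_unixsock.c) followed by the packet header and packet data. The program path /usr/local/bin/watchguard-notify and its --message flag are hypothetical stand-ins for whatever the WatchGuard tool expects; the datagram used for testing is constructed here, not captured from Snort.

```python
"""Reader for Snort's alert_unixsock output (added example, not from the post or Snort)."""
import os
import socket
import subprocess
import sys
from dataclasses import dataclass

# Assumptions: Snort writes one datagram per alert to SOCK_PATH, and the
# datagram starts with a fixed 256-byte, NUL-terminated message field.
SOCK_PATH = "/dev/snort_alert"
ALERTMSG_LENGTH = 256


@dataclass
class Alert:
    message: str    # rule "msg" text as Snort formatted it
    payload: bytes  # bytes after the message field (pcap header + packet)


def parse_alert(datagram: bytes) -> Alert:
    """Split one datagram into the alert message and the remaining bytes."""
    if len(datagram) < ALERTMSG_LENGTH:
        raise ValueError("datagram shorter than the alert message field")
    field = datagram[:ALERTMSG_LENGTH]
    message = field.split(b"\0", 1)[0].decode("ascii", errors="replace")
    return Alert(message=message, payload=datagram[ALERTMSG_LENGTH:])


def build_command(alert: Alert, program: str) -> list:
    """Argument vector for the external program. It is passed as a list and
    never through a shell: the message text originates from the rule, but the
    whole datagram comes from whoever can write to the socket, so it must not
    be able to inject shell syntax into the blocking tool's command line."""
    return [program, "--message", alert.message]


def open_socket(path: str = SOCK_PATH) -> socket.socket:
    """Bind a datagram socket at `path`. No listen()/accept(): SOCK_DGRAM is
    connectionless. The socket file must be writable by the user Snort runs
    as and by nobody else, otherwise any local user can feed fake alerts
    (and therefore fake block requests) into the firewall."""
    try:
        os.unlink(path)  # stale socket file from a previous run
    except FileNotFoundError:
        pass
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    sock.bind(path)
    return sock


def serve(program: str, path: str = SOCK_PATH) -> None:
    """Receive alerts forever and run `program` once per alert."""
    sock = open_socket(path)
    while True:
        datagram = sock.recv(65536)
        try:
            alert = parse_alert(datagram)
        except ValueError as exc:
            print(f"dropping malformed datagram: {exc}", file=sys.stderr)
            continue
        subprocess.run(build_command(alert, program), check=False)


def example_datagram() -> bytes:
    """Constructed datagram in the assumed layout, for offline testing only."""
    msg = b"TEST alert from constructed datagram"
    return msg.ljust(ALERTMSG_LENGTH, b"\0") + b"\x01\x02\x03"


if __name__ == "__main__":
    # Hypothetical program path; replace with the real WatchGuard tool.
    serve(sys.argv[1] if len(sys.argv) > 1 else "/usr/local/bin/watchguard-notify")
```

Run it as the same user Snort runs as, before starting Snort, so the socket file exists when the plugin first tries to sendto() it; with the bare `output alert_unixsock` line from the snort.conf above, Snort silently drops alerts when nothing has bound the path. Because the daemon blocks an address on every datagram, rate-limiting or de-duplicating alerts before calling the external program is worth adding when the blocking tool has real effect on traffic.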

