Snort mailing list archives
Snort and Unix-Socket
From: TSauter () gmx net
Date: Wed, 21 Nov 2001 19:58:34 +0100 (MET)
Hello Snort-Users, first thanks for your wonderful snort product. Works fine and make my live easier. Watchguard has released a software to send messages or block adresses directly with this software. But how can I get the snort messages and call this program directly from snort. One way I thinks is the posibility to send the alerts to syslog and then use a tool like swatch to call the watchguard software. But for this method I need a logfile on the snort machine witch can blow up and need to be cleared from time to time. The other way is using the unixsock output plugin and read the socket with a little daemon and then call the external program. But after some tests and "googles" I think the plugin never send any data to the socket. At the some time the alter will be detected and send to the mysql-database and to the syslog. So, the generated attack will be detected from snort, but doesn't send to the socket. <code-snipset> if((sockfd = socket(PF_UNIX, SOCK_DGRAM, 0)) == -1) { fprintf(stderr, "Failed to call socket."); exit(EXIT_FAILURE); } adress.sun_family = AF_UNIX; strcpy(adress.sun_path, "/dev/snort_alert"); adrlen = sizeof(adress.sun_family) + strlen(adress.sun_path); if(bind(sockfd, (struct sockaddr *) &adress, adrlen) == -1) { fprintf(stderr, "Unable to bind socket."); exit(EXIT_FAILURE); } if(listen(sockfd, 5) == -1) { fprintf(stderr, "Unable to listen on socket."); exit(EXIT_FAILURE); } while((connfd = accept(sockfd, (struct sockaddr *) &adress, &adrlen)) >= 0) { int n, i; char buffer[MAXLEN]; while((n = read(connfd, buffer, MAXLEN)) > 0) { for(i=0; i<n-1; i++) { printf("%c=%02x ", buffer[i], buffer[i]); } printf("\n"); fflush(stdout); } } </code-snipset> Environment: OpenBSD 2.9-current/ Snort-1.8.2/ MySQL <snort.conf> output alert_syslog: LOG_LOCAL7 output database: alert, mysql, user=XXX password=XXX dbname=snortdb host=localhost output alert_unixsock </snort.conf> Where is my mistake? Or is the plugin currently not working? Or is there any other practicable way to call an external program? Thanks a lot Thorsten p.s. sorry for this poor english :) -- Thorsten Sauter <tsauter () gmx net> -- GMX - Die Kommunikationsplattform im Internet. http://www.gmx.net _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort and Unix-Socket TSauter (Nov 21)
- Re: Snort and Unix-Socket Fyodor (Nov 21)
- Re: Snort and Unix-Socket Phil Wood (Nov 21)
- Re: Snort and Unix-Socket Phil Wood (Nov 21)
- Re: Snort and Unix-Socket Dirk Geschke (Nov 22)
- Re: Snort and Unix-Socket Phil Wood (Nov 21)
- Re: Snort and Unix-Socket Fyodor (Nov 21)