Re: snort unsock option and java serversocket

[Dirk Geschke <dirk () geschke-online de>]

Hi,

> I am trying to let snort send realtime alerts to a
> java serversocket which is listening on some specified
> port and IP by using unsock option of snort. However,
> I didnt get it. is there anyone who has some
> experience on unsock option? and what would be the
> format of the alert output while using unsock option?

I think you are on the wrong way. The unsock option is for notifying
via an unix domain socket. This does neither contain an IP address
nor a port. You need a program creating the unix socket and listening
to it. The default socket name is "/tmp/snort_alert".

For the format take a look at src/output-plugins/spo_alert_unixsock.c.

A similar approach is done with FLoP: 

    http://www.geschke-online.de/FLoP/

But the main focus is to store all alerts in a database with the
oayload. For alerts with a given priority an e-mail can be send.
(Or something else, if you like. The infomration is written to 
another unix domain socket so it is easy to attach other programs.)

Best regards

Dirk


-------------------------------------------------------
This SF.Net email is sponsored by:
Sybase ASE Linux Express Edition - download now for FREE
LinuxWorld Reader's Choice Award Winner for best database on Linux.
http://ads.osdn.com/?ad_id=5588&alloc_id=12065&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users