Snort mailing list archives
Re: Unixsock plugin?
From: Dirk Geschke <dirk () geschke-online de>
Date: Tue, 24 Nov 2009 16:47:11 +0100
Hi Honia,
> 1) Currently I have the line "output alert_unixsock" added to my snort.conf file and this is the command I run: "snort -A unsock -c snort.conf". Did you mean I have to delete the line from the snort.conf file and just run the command itself?
No, in this case it does not matter: both do the same... But if you define "output alert_unixsock" in snort.conf, there is no need to use "-A unsock", too.
> 2) You said I have to provide the unix domain socket so that snort can write to it, how can I do that?
Simply write a script/program that creates the unix domain socket and reads from it. That's all. The socket should be in the log dir and called snort_alert. All you need is something like this:

---
/* get a socket */
sock = socket(PF_UNIX, SOCK_DGRAM, 0);

/* we want a unix socket */
unix_addr.sun_family = AF_UNIX;
strcpy(unix_addr.sun_path, SocketName);

/* create the socket */
bind(sock, (struct sockaddr *) &unix_addr, length);
---

SocketName should be the name of the socket you want to create. After this you can read from "sock" when snort writes to it.

Best regards

Dirk

--
+----------------------------------------------------------------------+
| Dr. Dirk Geschke / Plankensteinweg 61 / 85435 Erding |
| Telefon: 08122-559448 / Mobil: 0176-96906350 / Fax: 08122-9818106 |
| dirk () geschke-online de / dirk () lug-erding de / kontakt () lug-erding de |
+----------------------------------------------------------------------+