Snort mailing list archives
Re: Unixsock plugin?
From: Honia A <honia2002 () hotmail com>
Date: Tue, 24 Nov 2009 11:30:32 -0500
Hi Dirk,

Thanks much for your reply, I really appreciate it.

1) I checked the log directory and the file called snort_alert already exists in there (/var/log/snort).

2) I have a script which is supposed to do the same thing, could you please have a look at it and see if it's any good?

3) You said "After this you can read from "sock" when snort writes to it". Would you please tell me how I could do this?

Thanks so much,
h

P.S. Here's the code:

#!/usr/bin/perl
use strict;
use warnings;
# Include the socket libraries
use IO::Socket;

# This is the template to capture the Alert Name
# Edit this to get the additional packets.
my $TEMPLATE = "A256 A*";

# Release the socket if it already exists
unlink "/var/log/snort/snort_alert";

# In case of user termination - exit gracefully.
$SIG{TERM} = $SIG{INT} = sub { exit 0 };

# Open up the socket.
my $client = IO::Socket::UNIX->new(Type  => SOCK_DGRAM,
                                   Local => "/var/log/snort/snort_alert")
    or die "Socket: $@";
print STDOUT "Socket Open ... \n";

# Loop receiving data from the socket, pulling out the
# alert name and printing it.
my $data;
while (1) {
    recv($client, $data, 1024, 0);
    my @FIELDS = unpack($TEMPLATE, $data);
    print "$FIELDS[0] \n";
}

# At termination close up the socket again.
END { unlink "/var/log/snort/snort_alert"; }
Date: Tue, 24 Nov 2009 16:47:11 +0100
From: dirk () geschke-online de
To: honia2002 () hotmail com
CC: dirk () geschke-online de; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Unixsock plugin?

Hi Honia,

> 1) Currently I have the line "output alert_unixsock" added to my snort.conf file and this is the command I run: "snort -A unsock -c snort.conf". Did you mean I have to delete the line from the snort.conf file and just run the command itself?

No, in this case it does not matter: both do the same... But if you define "output alert_unixsock" in snort.conf there is no need to use "-A unsock", too.

> 2) You said I have to provide the unix domain socket so that snort can write to it, how can I do that?

Simply write a script/program that creates the unix domain socket and read from it. That's all. The socket should be in the log dir and called snort_alert. All you need is something like this:

---
#include <sys/socket.h>
#include <sys/un.h>
#include <string.h>

int sock;
struct sockaddr_un unix_addr;
socklen_t length = sizeof(unix_addr);

/* get a socket */
sock = socket(PF_UNIX, SOCK_DGRAM, 0);
/* we want a unix socket */
unix_addr.sun_family = AF_UNIX;
strcpy(unix_addr.sun_path, SocketName);
/* create the socket */
bind(sock, (struct sockaddr *) &unix_addr, length);
---

SocketName should be the name of the socket you want to create. After this you can read from "sock" when snort writes to it.

Best regards

Dirk

--
+----------------------------------------------------------------------+
| Dr. Dirk Geschke / Plankensteinweg 61 / 85435 Erding                 |
| Telefon: 08122-559448 / Mobil: 0176-96906350 / Fax: 08122-9818106    |
| dirk () geschke-online de / dirk () lug-erding de / kontakt () lug-erding de |
+----------------------------------------------------------------------+
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
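Added example, not code from the thread or from Snort itself: a Python listener that does what Dirk's C fragment and Honia's Perl script do. It creates the Unix datagram socket at /var/log/snort/snort_alert (the path named in the thread), receives each datagram Snort's alert_unixsock output sends, and splits off the 256-byte alert message the way the Perl template "A256 A*" does. The names parse_alert, open_alert_socket, read_alerts, build_fake_alert and roundtrip are this example's own; build_fake_alert and roundtrip construct a datagram with the same leading layout so the listener can be exercised locally without a running Snort, and the layout of anything after the first 256 bytes is left as raw bytes rather than assumed.

```python
import os
import socket
import struct
import tempfile

# Size of the alertmsg field at the front of every datagram Snort's
# alert_unixsock output sends; the Perl template "A256 A*" in the
# thread relies on the same 256-byte field.
ALERTMSG_LENGTH = 256
# Socket path from the thread: <logdir>/snort_alert.
SNORT_SOCKET = "/var/log/snort/snort_alert"
# Receive buffer well above any alert datagram, so nothing is truncated
# (a datagram longer than the buffer would otherwise be cut off silently).
RECV_BUFSIZE = 65536


def parse_alert(data):
    """Split one datagram into the NUL-terminated alert message and the bytes after it."""
    if len(data) < ALERTMSG_LENGTH:
        raise ValueError("short datagram: %d bytes" % len(data))
    msg = data[:ALERTMSG_LENGTH].split(b"\x00", 1)[0]
    # Whatever follows the message (packet header, packet bytes, event data)
    # is handed back untouched; this example does not interpret it.
    return {"alertmsg": msg.decode("ascii", errors="replace"),
            "rest": data[ALERTMSG_LENGTH:]}


def open_alert_socket(path):
    """Create and bind the Unix datagram socket; it must exist before Snort writes to it."""
    try:
        os.unlink(path)          # stale socket file left by a previous run
    except FileNotFoundError:
        pass
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    sock.bind(path)
    return sock


def read_alerts(sock, limit=None):
    """Yield parsed alerts as they arrive; limit caps the count (None runs forever)."""
    seen = 0
    while limit is None or seen < limit:
        data = sock.recv(RECV_BUFSIZE)
        seen += 1
        yield parse_alert(data)


def build_fake_alert(message, packet=b""):
    """Constructed test datagram: a 256-byte NUL-padded message followed by trailing bytes."""
    return struct.pack("%ds" % ALERTMSG_LENGTH, message.encode("ascii")) + packet


def roundtrip(message, path=None):
    """Bind a listener, send one constructed alert into it, and return the parsed alert name."""
    if path is None:
        # Unix socket paths are length-limited; a temp dir keeps this short.
        path = os.path.join(tempfile.mkdtemp(), "snort_alert")
    listener = open_alert_socket(path)
    sender = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        sender.sendto(build_fake_alert(message, b"\x01\x02"), path)
        return next(read_alerts(listener, limit=1))["alertmsg"]
    finally:
        sender.close()
        listener.close()
        os.unlink(path)


if __name__ == "__main__":
    # Real use: create the socket Snort writes to, then print every alert name.
    with open_alert_socket(SNORT_SOCKET) as listener:
        for alert in read_alerts(listener):
            print(alert["alertmsg"])
```

Run it before starting Snort (with "output alert_unixsock" in snort.conf or "-A unsock" on the command line, as Dirk notes either one is enough) so the socket file exists when Snort tries to send. Because this is a datagram socket, any local process with write permission on the socket file can drop datagrams into it that look like alerts, so the file's ownership and mode should allow only the user Snort runs as; the listener should also treat the message text as untrusted input rather than, say, passing it to a shell.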
Current thread:
- Unixsock plugin? Honia A (Nov 23)
- Re: Unixsock plugin? Dirk Geschke (Nov 23)
- Re: Unixsock plugin? Honia A (Nov 24)
- Re: Unixsock plugin? Dirk Geschke (Nov 24)
- Re: Unixsock plugin? Honia A (Nov 24)
- Re: Unixsock plugin? Dirk Geschke (Nov 25)
- Re: Unixsock plugin? Honia A (Nov 24)
- Re: Unixsock plugin? Dirk Geschke (Nov 23)