Snort mailing list archives

Re: Unixsock plugin?


From: Dirk Geschke <dirk () geschke-online de>
Date: Wed, 25 Nov 2009 11:12:34 +0100

Hi Honia,

1) I checked the log directory and the file called snort_alert already exists in there (/var/log/snort).

you have to create this socket so snort can write to it (on some
systems one has to ensure that the snort process is allowed to
write to this socket...)

If there is no socket, then all alerts are simply dropped.

2) I have a script which is supposed to do the same thing, could you please have a look at it and see if it's any 
good? 

It looks okay, so far. You should take care of the size of
Alertpkt, this is what the output plugin writes to the socket.
This number of bytes should be read from the socket and of
course you should take care of the fields in order to extract
them correctly.

If you read fewer bytes than are in the buffer then you will
read the remaining parts the next time and not the next alert...

3) You said "After this you can read from "sock" when snort writes to it". would you please tell me how could I do 
this?

Simply do a blocking read from it; if data is there then you can
read it. Hence if snort writes an alert to the socket your
program can read it at the same time.

P.S. Here's the code:

while ( true ) {
    recv($client,$data,1024,0);
    @FIELDS = unpack($TEMPLATE, $data);

I think a

      $client->recv($data,1024);

would be the better way. Although Alertpkt is bigger than 1024 bytes.
But this way you should get at least the alertmsg of the first alert.

Best regards

Dirk

BTW: You can take a look at sockserv.c from FLoP for how I solved
     this in C for a quite different output plugin. I adjusted and
     extended the output plugin to provide more information and
     the whole pcap data. You can find the latest version of FLoP
     here:

         http://www.geschke-online.de/FLoP/src/FLoP-1.6.1.tar.gz

-- 
+----------------------------------------------------------------------+
| Dr. Dirk Geschke       / Plankensteinweg 61    / 85435 Erding        |
| Telefon: 08122-559448  / Mobil: 0176-96906350 / Fax: 08122-9818106   |
| dirk () geschke-online de / dirk () lug-erding de  / kontakt () lug-erding de | 
+----------------------------------------------------------------------+
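The reader side described in this mail, as an added example that is not part of the thread or of FLoP: it creates the datagram socket /var/log/snort/snort_alert so snort has something to write to, receives each Alertpkt whole, and extracts the alertmsg field. It assumes ALERTMSG_LENGTH is 256 as in Snort 2.x; the layout after alertmsg (pcap header, offsets, packet, event) depends on the snort build and is left unparsed here.

```python
#!/usr/bin/env python3
"""Minimal reader for Snort's alert_unixsock output plugin.

Snort writes one Alertpkt struct per alert as a single datagram to a
Unix-domain socket that the *reader* must create first; if the socket
file does not exist the alerts are silently dropped.
"""
import os
import socket
import struct

# First field of struct Alertpkt: uint8_t alertmsg[ALERTMSG_LENGTH].
# ALERTMSG_LENGTH is 256 in Snort 2.x (assumed; check spo_alert_unixsock.h
# of the snort version you actually run).
ALERTMSG_LENGTH = 256
SOCKET_PATH = "/var/log/snort/snort_alert"


def parse_alertmsg(datagram):
    """Return the NUL-terminated alert message from one Alertpkt datagram,
    or None if the datagram is too short to hold a complete alertmsg."""
    if len(datagram) < ALERTMSG_LENGTH:
        return None
    raw = struct.unpack_from("%ds" % ALERTMSG_LENGTH, datagram, 0)[0]
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def open_alert_socket(path=SOCKET_PATH, mode=0o660):
    """Create the datagram socket snort will write to. A stale socket file
    from a previous run is removed; mode lets the snort process write."""
    if os.path.exists(path):
        os.unlink(path)
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    sock.bind(path)
    os.chmod(path, mode)
    return sock


def read_alerts(sock, bufsize=65536):
    """Yield (datagram_length, alertmsg) for each alert snort writes.
    The buffer is large on purpose: the plugin sends datagrams, and a
    recv() smaller than the Alertpkt loses the excess bytes of that
    alert, so always receive the whole struct in one call."""
    while True:
        data = sock.recv(bufsize)  # blocks until snort writes an alert
        yield len(data), parse_alertmsg(data)


def build_test_datagram(msg, total_len=1024):
    """Constructed Alertpkt-like datagram for offline testing only."""
    return msg.encode("ascii").ljust(ALERTMSG_LENGTH, b"\0").ljust(total_len, b"\0")


if __name__ == "__main__":
    for length, msg in read_alerts(open_alert_socket()):
        print("%d bytes: %s" % (length, msg))
```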
