Snort mailing list archives
Re: Unixsock plugin?
From: Dirk Geschke <dirk () geschke-online de>
Date: Wed, 25 Nov 2009 11:12:34 +0100
Hi Honia,
1) I checked the log directory and the file called snort_alert already exists in there (/var/log/snort).
You have to create this socket so snort can write to it (on some systems one has to ensure that the snort process is allowed to write to this socket...). If there is no socket, then all alerts are simply dropped.
2) I have a script which is supposed to do the same thing, could you please have a look at it and see if it's any good?
It looks okay so far. You should take care of the size of Alertpkt; this is what the output plugin writes to the socket. This number of bytes should be read from the socket, and of course you should take care of the fields in order to extract them correctly. If you read fewer bytes than are in the buffer, then you will read the remaining parts the next time and not the next alert...
3) You said "After this you can read from "sock" when snort writes to it". would you please tell me how could I do this?
Simply do a blocking read from it; if data are there, then you can read them. Hence if snort writes an alert to the socket, your program can read it at the same time.
P.S. Here's the code:
while ( true ) {
    recv($client, $data, 1024, 0);
    @FIELDS = unpack($TEMPLATE, $data);
}
I think a $client->recv($data,1024); would be the better way. Although Alertpkt is bigger than 1024 bytes. But this way you should get at least the alertmsg of the first alert.

Best regards

Dirk

BTW: You can take a look at sockserv.c from FLoP for how I solved this in C for a quite different output plugin. I adjusted and extended the output plugin to provide more information and the whole pcap data. You can find the latest version of FLoP here:

http://www.geschke-online.de/FLoP/src/FLoP-1.6.1.tar.gz

--
+----------------------------------------------------------------------+
| Dr. Dirk Geschke / Plankensteinweg 61 / 85435 Erding                 |
| Telefon: 08122-559448 / Mobil: 0176-96906350 / Fax: 08122-9818106    |
| dirk () geschke-online de / dirk () lug-erding de / kontakt () lug-erding de |
+----------------------------------------------------------------------+
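The receiver discussed in this thread, written out as an added example (it is not code from the thread, from FLoP, or from Snort itself): a Python reader that creates the datagram socket snort expects at <logdir>/snort_alert, reads one whole Alertpkt per datagram, and unpacks it into its fields. The struct layout it assumes (ALERTMSG_LENGTH 256, SNAPLEN 1514, the pcap_pkthdr and Event members, timeval members as C longs, native padding) is taken from the Snort 2.8-era spo_alert_unixsock.h, event.h and decode.h and must be checked against the headers of the snort build that actually writes the socket; the size check in parse_alertpkt() is there to catch a mismatch. build_alertpkt() and demo() only construct test data in place of a running snort, and the offsets, signature ids and timestamp in them are made up.

```python
"""Reader for snort's alert_unixsock output (added example, not code from the thread)."""
import os
import socket
import struct
import tempfile
from collections import namedtuple

# Layout assumed from Snort 2.8-era spo_alert_unixsock.h / event.h and decode.h;
# verify against the headers of the snort build that writes the socket.
ALERTMSG_LENGTH = 256        # uint8_t alertmsg[ALERTMSG_LENGTH]
SNAPLEN = 1514               # uint8_t pkt[SNAPLEN]
UNSOCK_FILE = "snort_alert"  # socket name under the snort log directory
NOPACKET_STRUCT = 0x1        # Alertpkt.val flag: no packet attached to the alert
NO_TRANSHDR = 0x2            # Alertpkt.val flag: transhdr offset is not valid

# Native ("@") mode so member sizes and padding follow the local C ABI, which is
# what snort's sendto() of a whole Alertpkt struct emits.  timeval members are
# assumed to be C longs (glibc on Linux).
_ALERTPKT_FMT = (
    "@"
    f"{ALERTMSG_LENGTH}s"  # alertmsg
    "llII"                 # struct pcap_pkthdr: ts.tv_sec, ts.tv_usec, caplen, len
    "IIIII"                # dlthdr, nethdr, transhdr, data, val
    f"{SNAPLEN}s"          # pkt
    "IIIIIII"              # Event: sig_generator, sig_id, sig_rev, classification,
                           #        priority, event_id, event_reference
    "ll"                   # Event.ref_time
)
ALERTPKT_SIZE = struct.calcsize(_ALERTPKT_FMT)

Alert = namedtuple("Alert", "msg ts caplen length dlthdr nethdr transhdr data val pkt "
                   "sig_generator sig_id sig_rev classification priority event_id event_reference")


def parse_alertpkt(buf: bytes) -> Alert:
    """Unpack one Alertpkt.  A size mismatch means this layout is not the one the
    snort build uses (other SNAPLEN, 32- vs 64-bit, ...): refuse rather than
    silently misattribute fields."""
    if len(buf) != ALERTPKT_SIZE:
        raise ValueError(f"datagram is {len(buf)} bytes, expected {ALERTPKT_SIZE}")
    f = struct.unpack(_ALERTPKT_FMT, buf)
    msg = f[0].split(b"\0", 1)[0].decode("ascii", "replace")   # NUL-terminated text
    tv_sec, tv_usec, caplen, length = f[1:5]
    dlthdr, nethdr, transhdr, data, val = f[5:10]
    pkt = b"" if val & NOPACKET_STRUCT else f[10][:caplen]      # only caplen bytes are real
    return Alert(msg, tv_sec + tv_usec / 1e6, caplen, length,
                 dlthdr, nethdr, transhdr, data, val, pkt, *f[11:18])


def open_alert_socket(logdir: str) -> socket.socket:
    """Create the datagram socket snort connects to.  It must exist before snort
    starts and the snort user needs write permission on it, or alerts are dropped."""
    path = os.path.join(logdir, UNSOCK_FILE)
    if os.path.exists(path):
        os.unlink(path)                        # stale socket from a previous run
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    sock.bind(path)
    os.chmod(path, 0o660)                      # assumption: snort runs in this socket's group
    return sock


def read_alerts(sock: socket.socket):
    """Block on the socket and yield one parsed Alert per datagram."""
    while True:
        # One datagram per alert.  Ask for more than ALERTPKT_SIZE so an oversized
        # datagram shows up as a size mismatch instead of being silently truncated.
        yield parse_alertpkt(sock.recv(ALERTPKT_SIZE + 1))


def build_alertpkt(msg: bytes, pkt: bytes, sig_id: int, ts=(1259143954, 0)) -> bytes:
    """Constructed stand-in for the struct snort sends; test data, not snort output."""
    val = NOPACKET_STRUCT if not pkt else 0
    return struct.pack(_ALERTPKT_FMT,
                       msg, ts[0], ts[1], len(pkt), len(pkt),
                       0, 14, 34, 54, val,            # ethernet / ipv4 / tcp / payload offsets
                       pkt,
                       1, sig_id, 1, 0, 3, 1, 0,      # gid 1, rev 1, class 0, prio 3, event 1
                       ts[0], ts[1])


def demo() -> Alert:
    """Round trip one constructed alert through a real AF_UNIX datagram socket."""
    with tempfile.TemporaryDirectory() as logdir:      # stands in for /var/log/snort
        server = open_alert_socket(logdir)
        client = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        client.sendto(build_alertpkt(b"[1:1000001:1] TEST alert", bytes(54), 1000001),
                      os.path.join(logdir, UNSOCK_FILE))   # what snort's plugin does
        alert = next(read_alerts(server))
        client.close()
        server.close()
        return alert


if __name__ == "__main__":
    print(demo())
```

Run it as the user that owns the log directory, with the snort user able to write to the socket; if the first real alert is rejected with a size mismatch, compare ALERTPKT_SIZE with sizeof(Alertpkt) printed from a small C program compiled against the same snort headers and adjust the format string, rather than shrinking the read buffer.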
Current thread:
- Unixsock plugin? Honia A (Nov 23)
- Re: Unixsock plugin? Dirk Geschke (Nov 23)
- Re: Unixsock plugin? Honia A (Nov 24)
- Re: Unixsock plugin? Dirk Geschke (Nov 24)
- Re: Unixsock plugin? Honia A (Nov 24)
- Re: Unixsock plugin? Dirk Geschke (Nov 25)
- Re: Unixsock plugin? Honia A (Nov 24)
- Re: Unixsock plugin? Dirk Geschke (Nov 23)