Snort mailing list archives
Unsock Output Issues
From: Korodev <korodev () gmail com>
Date: Tue, 24 May 2011 16:32:33 -0500
I've been playing with Snort's unsock output to plug into an existing app that does some custom reporting and notification work. For reference, I'm running 2.9.0.5 and FreeBSD 8.2. The unsock readme says that snort writes to /dev/snort_alert, which I'm assuming is quite dated. Analysis of the spo_alert_unixsock code shows that snort is looking at snort_conf->log_dir, which ultimately (with the define) points to /var/log/snort/snort_alert.

To do some troubleshooting, I wrote a minimal socket server that opens a unix dgram socket at /var/log/snort/snort_alert, printing all recv'd data, and a test client to send data to the socket. Everything there works as expected. According to the output plugin code, it should throw plenty of errors when having trouble creating the socket.

Sockstat shows that my server/listener is active and listening on the right socket, but interestingly enough, shows an entry for Snort with "(not connected)" under the local address field. I know creating the socket doesn't actually connect it, and saw that there doesn't seem to be a connect statement in the output plugin. Once I added a connect(alertsd, (struct sockaddr *) &alertaddr, sizeof(alertaddr)) statement, sockstat at least shows that snort is connecting to the socket, but the sendto statement is still failing.

Anyone have any exp with this? Feeling like I'm really close :)

Thanks,
\\korodev
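A stand-in for the listener/client pair described in the post, written here as an added example (not the author's code or Snort's): the socket path is a temp-dir placeholder for /var/log/snort/snort_alert, the alert payload is constructed, and the send helper returns the errno name so a failing sendto() can be read rather than guessed.

```python
import errno
import os
import socket
import tempfile

RECV_BUF = 1 << 17  # constructed: must cover the largest datagram, or recvfrom() truncates silently

def start_listener(path):
    """Bind a UNIX datagram socket at `path` (the <log_dir>/snort_alert role).
    The listener must be bound before the sender writes, or sendto() fails with ENOENT/ECONNREFUSED."""
    if os.path.exists(path):
        os.unlink(path)  # a stale socket file from a previous run makes bind() fail with EADDRINUSE
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    sock.bind(path)
    sock.settimeout(2.0)
    return sock

def send_alert(path, payload):
    """Deliver one datagram to `path`, the way the plugin's sendto() does.
    Datagram sockets need no connect(): the destination rides on each sendto().
    Returns (True, None) or (False, errno name) so the caller sees why a send failed."""
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        sock.sendto(payload, path)
        return True, None
    except OSError as exc:
        return False, errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        sock.close()

def recv_alert(sock):
    """Read one datagram from the bound listener."""
    data, _ = sock.recvfrom(RECV_BUF)
    return data

def roundtrip(payload):
    """Bind a listener in a temp dir, send `payload` to it, return (received, error_name)."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "snort_alert")  # stand-in for /var/log/snort/snort_alert
    listener = start_listener(path)
    try:
        ok, err = send_alert(path, payload)
        return (recv_alert(listener), None) if ok else (None, err)
    finally:
        listener.close()
        os.unlink(path)
        os.rmdir(tmpdir)

if __name__ == "__main__":
    print(roundtrip(b"[**] [1:0:0] constructed test alert [**]"))
    # An oversized datagram is refused with EMSGSIZE rather than delivered truncated.
    print(roundtrip(b"x" * (8 << 20)))
```

A bound listener, a missing or stale socket file, and an oversized datagram each yield a distinct errno here; on FreeBSD the local-socket datagram limit is the net.local.dgram.maxdgram sysctl.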