Snort mailing list archives

Re: [Snort-Users] help reporting using unix socket (unsock)


From: Joel Esler <joel.esler () me com>
Date: Wed, 07 Sep 2011 10:25:24 -0400

Copying Snort devel on this.

Joel

On Sep 7, 2011, at 9:48 AM, yamahabob wrote:

I'm wanting to report alerts through a socket using unsock, but I
can't seem to get the alerts to go through. I opened a socket using a
Perl script as follows:

use strict;
use warnings;
use IO::Socket;

$|++;                                    # unbuffered STDOUT so alerts show immediately
my $socketfile = "/dev/snort_alert";
unlink $socketfile;                      # remove a stale socket file from an earlier run
my $server = IO::Socket::UNIX->new(
       Local  => $socketfile,
       Type   => SOCK_STREAM,
       Listen => 100 ) or die $!;
$server->autoflush(1);
while ( my $connection = $server->accept() ) {
       my $data = <$connection>;         # read up to the first newline from the client
       print $data, $/;
}

First, I understand all I will see is garbage because I'm not using
the specific packets format, but I'm just testing to see if data is
making it through.

It opens the file "/dev/snort_alert" as the documentation says, but it
doesn't appear to be getting alerts sent to it. I'm running snort
using:
/usr/local/snort/bin/snort -A unsock -c /usr/local/snort/etc/snort.conf -i eth1
If I run another Perl script to send data to /dev/snort_alert, the
data prints to screen as the server code is supposed to do, but not
with any alerts.
Ideas?
Thanks in advance

-- 
To post to this group, send email to snortusers () googlegroups com


Please visit http://blog.snort.org for the latest news about Snort!
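For reference, here is an added example (in Python, not the poster's Perl script and not Snort's own code) of a receiver written the way Snort's unsock output plugin actually delivers alerts: the plugin opens an AF_UNIX datagram socket and sends one Alertpkt structure per alert to /dev/snort_alert, so a SOCK_STREAM listener never sees a connection, and the structure is not newline-terminated, so a line read never returns. The first 256 bytes of the structure hold the NUL-terminated rule message; the pcap header, packet offsets and raw packet follow. The function names below are mine, the two alert strings in the self-test are constructed rather than captured from Snort, and binding the real /dev/snort_alert path needs write access to /dev.

```python
import os
import socket
import tempfile
from typing import Iterator, List, Optional

# Size of the alertmsg[] field that leads Snort's Alertpkt structure
# (ALERTMSG_LENGTH in spo_alert_unixsock.h); the packet data follows it.
ALERTMSG_LENGTH = 256
# Path Snort's unsock output plugin sends to, as named in the thread.
SNORT_SOCKET_PATH = "/dev/snort_alert"
# Generous receive buffer: a real Alertpkt carries up to 65535 bytes of packet.
RECV_BUFSIZE = 1 << 17


def decode_alert(datagram: bytes) -> str:
    """Extract the NUL-terminated rule message from the front of an Alertpkt.

    Only the leading alertmsg[] field is decoded; the remaining fields
    (pcap header, layer offsets, raw packet) are left untouched.
    """
    if len(datagram) < ALERTMSG_LENGTH:
        raise ValueError(f"datagram too short for an Alertpkt: {len(datagram)} bytes")
    raw = datagram[:ALERTMSG_LENGTH].split(b"\x00", 1)[0]
    return raw.decode("ascii", errors="replace")


def build_sample_alert(message: str, payload: bytes = b"") -> bytes:
    """Constructed test datagram (not produced by Snort): the message padded
    to ALERTMSG_LENGTH bytes, followed by opaque bytes standing in for the
    rest of the structure. Messages longer than 255 bytes are truncated so
    the field always ends in a NUL, as the C struct does."""
    encoded = message.encode("ascii")[: ALERTMSG_LENGTH - 1]
    return encoded.ljust(ALERTMSG_LENGTH, b"\x00") + payload


def bind_alert_socket(path: str = SNORT_SOCKET_PATH) -> socket.socket:
    """Create the datagram socket Snort will sendto().

    Snort's plugin does socket(AF_UNIX, SOCK_DGRAM) and sendto(path), so the
    receiver must bind a SOCK_DGRAM socket at that path; a SOCK_STREAM
    listener would never be connected to.
    """
    if os.path.exists(path):
        os.unlink(path)  # clear a stale socket file from an earlier run
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    sock.bind(path)
    return sock


def receive_alerts(sock: socket.socket, limit: Optional[int] = None) -> Iterator[str]:
    """Yield the decoded rule message of each datagram, stopping after `limit`."""
    seen = 0
    while limit is None or seen < limit:
        datagram = sock.recv(RECV_BUFSIZE)  # one recv() == one whole Alertpkt
        seen += 1
        yield decode_alert(datagram)


def loopback_demo(path: Optional[str] = None) -> List[str]:
    """Offline self-test: bind a listener on a temporary path, send it two
    constructed datagrams the way Snort would, and return what was decoded."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "snort_alert")
    listener = bind_alert_socket(path)
    sender = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        sender.sendto(build_sample_alert("test-rule-1 (constructed)", b"\x00" * 64), path)
        sender.sendto(build_sample_alert("test-rule-2 (constructed)", b"\x00" * 64), path)
        return list(receive_alerts(listener, limit=2))
    finally:
        sender.close()
        listener.close()
        os.unlink(path)


if __name__ == "__main__":
    # Live use: run as root alongside `snort -A unsock ...` and print each rule message.
    for message in receive_alerts(bind_alert_socket()):
        print(message)
```

Running the file directly binds /dev/snort_alert and prints one line per alert; `loopback_demo()` exercises the same code path without Snort, which is a useful first check that the socket type and path are right before debugging the Snort side.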


_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
