Snort mailing list archives
Re: Patch to have unified2 outputs for multiple snort instances
From: Brad Tilley <brad () 16s us>
Date: Thu, 14 Feb 2013 11:02:16 -0500
We use one main snort.conf and include it like this in interface-specific files (snort.eth1.conf, snort.eth2.conf), etc:

---
include snort.conf
preprocessor perfmonitor: time 300 file /var/log/snort/snort.eth1.stats pktcnt 10000
output unified2: filename snort.eth1.log, limit 128, mpls_event_types, vlan_event_types
---

Notice the perfmonitor preprocessor as well. If you want multiple unified2 output files from *one* snort.conf, then would you not want multiple perfmonitor files as well? Why patch this just for output?

I rather like the approach of placing the common directives in one snort.conf and including that in a dedicated interface conf file (I think other programmers grok that approach to things as well), but that's just me.

Just my thoughts,
Brad

On Thu, Feb 14, 2013 at 04:26:27PM +0100, Guido Hungerbuehler wrote:
Hi

I just wrote a patch which allows multiple snort instances to run in parallel. With this patch it is possible to have only one config file while the unified2 output is still directed to multiple files, each with the instance identifier. Just use the -G argument to specify the instance id.

cheers
guido
diff -rupN snort294_orig/src/output-plugins/spo_unified2.c snort294_patched/src/output-plugins/spo_unified2.c --- snort294_orig/src/output-plugins/spo_unified2.c 2012-09-21 02:09:14.000000000 +0200 +++ snort294_patched/src/output-plugins/spo_unified2.c 2013-02-14 15:32:57.000000000 +0100 @@ -298,7 +298,6 @@ static void Unified2InitFile(Unified2Con } config->timestamp = (uint32_t)time(NULL); - if (!config->nostamp) { if (SnortSnprintf(filepath, sizeof(filepath), "%s.%u", @@ -307,14 +306,26 @@ static void Unified2InitFile(Unified2Con FatalError("%s(%d) Failed to copy unified2 file path.\n", __FILE__, __LINE__); } - + fname_ptr = filepath; } else { fname_ptr = config->filepath; } - + + /* If a snort instance id is given, we append it to the filename */ + if (snort_conf->instance_id < 0) + { + fname_ptr = config->filepath; + } + else + { + SnortSnprintf(filepath, sizeof(filepath), "%s_%u", + fname_ptr, snort_conf->instance_id); + fname_ptr = filepath; + } + if ((config->stream = fopen(fname_ptr, "wb")) == NULL) { FatalError("%s(%d) Could not open %s: %s\n", diff -rupN snort294_orig/src/snort.c snort294_patched/src/snort.c --- snort294_orig/src/snort.c 2012-10-30 22:36:04.000000000 +0100 +++ snort294_patched/src/snort.c 2013-02-14 15:32:58.000000000 +0100 @@ -2272,10 +2272,12 @@ static void ParseCmdLine(int argc, char FatalError("Snort log identifier invalid: %s. It must " "be between 0 and %u.\n", optarg, UINT16_MAX); } - + + /* define the instance id */ + sc->instance_id = sc->event_log_id; + /* Forms upper 2 bytes. Lower two bytes are the event id */ sc->event_log_id <<= 16; - break; case 'h': @@ -3715,6 +3717,9 @@ SnortConfig * SnortConfNew(void) * chown() use this later, -1 means no change to user_id/group_id*/ sc->user_id = -1; sc->group_id = -1; + + /* the running snort instance */ + sc->instance_id = -1; sc->checksum_flags = CHECKSUM_FLAG__ALL; sc->tagged_packet_limit = 256; 
@@ -4154,6 +4159,7 @@ static SnortConfig * MergeSnortConfs(Sno } config_file->event_log_id = cmd_line->event_log_id; + config_file->instance_id = cmd_line->instance_id; if (cmd_line->dynamic_rules_path != NULL) { diff -rupN snort294_orig/src/snort.h snort294_patched/src/snort.h --- snort294_orig/src/snort.h 2012-10-30 22:36:05.000000000 +0100 +++ snort294_patched/src/snort.h 2013-02-14 11:45:49.000000000 +0100 @@ -632,7 +632,8 @@ typedef struct _SnortConfig int checksum_drop_flags; int checksum_drop_flags_modified; - uint32_t event_log_id; /* -G */ + uint32_t event_log_id; /* -G the shifted number */ + uint32_t instance_id; /* -G the given raw number */ int pkt_snaplen; int64_t pkt_cnt; /* -n */
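Review bot: the new `if (snort_conf->instance_id < 0)` test in the Unified2InitFile hunk can never be true, because the snort.h hunk declares `instance_id` as `uint32_t`; the `-1` stored by SnortConfNew wraps to UINT32_MAX, so a run without -G would get `_4294967295` appended to its unified2 filename. The same block also has two further problems: its first branch resets `fname_ptr = config->filepath`, discarding the timestamped name the `!config->nostamp` branch just built, and its else branch passes `fname_ptr` as the `%s` argument to `SnortSnprintf(filepath, ...)` while `fname_ptr` may already point at `filepath`, so source and destination overlap, which is undefined behaviour for snprintf-style formatting. Suggest building the final name once into a separate buffer (base path, optional timestamp, optional instance suffix), checking the SnortSnprintf return value with FatalError as the code a few lines above does, and removing the first branch's reassignment entirely.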
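Review bot: in the ParseCmdLine hunk, `sc->instance_id = sc->event_log_id;` taken before the `<<= 16` shift gives -G a second effect, changing unified2 output filenames, but the patch updates no usage text or documentation for -G; deployments that already pass -G purely to distinguish event ids will see their unified2 filenames change on upgrade. Suggest documenting the new behaviour where -G is described, or gating the suffix behind an explicit unified2 option so the filename change is opt-in, and dropping the whitespace-only edits around `break;` that inflate the hunk.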
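Review bot: `sc->instance_id = -1;` in the SnortConfNew hunk assigns a negative sentinel to a field the snort.h hunk declares as `uint32_t`, so what is actually stored is UINT32_MAX, and the comment `/* the running snort instance */` does not say the value means "no instance id given". Either give the field a signed type so -1 is representable, or keep it unsigned and add a separate "set" flag; in both cases the comment should state what the default means, e.g. `/* -G instance id; -1 (unset) means no filename suffix */`.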
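Review bot: in the snort.h hunk, `uint32_t instance_id;` cannot hold the -1 "unset" value that SnortConfNew stores and that Unified2InitFile tests with `< 0`. Since the ParseCmdLine hunk already validates -G to lie between 0 and UINT16_MAX, `int32_t` (or plain `int`) would hold every legal value plus the sentinel; suggest changing the type and making the two comments parallel, e.g. `/* -G, shifted into the upper 16 bits */` and `/* -G as given on the command line */`.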
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
--
Brad Tilley
16 Systems, LLC
P.O. Box 356
Blacksburg, VA 24063
Current thread:
- Patch to have unified2 outputs for multiple snort instances Guido Hungerbuehler (Feb 14)
- Re: Patch to have unified2 outputs for multiple snort instances Russ Combs (Feb 14)
- Re: Patch to have unified2 outputs for multiple snort instances Brad Tilley (Feb 15)