
Re: Patch to have unified2 outputs for multiple snort instances


From: Brad Tilley <brad () 16s us>
Date: Thu, 14 Feb 2013 11:02:16 -0500

We use one main snort.conf and include it like this in interface specific files (snort.eth1.conf, snort.eth2.conf), etc:

---
include snort.conf
preprocessor perfmonitor: time 300 file /var/log/snort/snort.eth1.stats pktcnt 10000
output unified2: filename snort.eth1.log, limit 128, mpls_event_types, vlan_event_types
---

Notice the perfmonitor preprocessor as well. If you want multiple unified2 output files from *one* snort.conf, then 
would you not want multiple perfmonitor files as well? Why patch this just for output? 

I rather like the approach of placing the common directives in one snort.conf and including that in a dedicated 
interface conf file (I think other programmers grok that approach to things as well), but that's just me.  

Just my thoughts,

Brad

On Thu, Feb 14, 2013 at 04:26:27PM +0100, Guido Hungerbuehler wrote:
Hi

I just wrote a patch which allows multiple snort instances to run in
parallel. With this patch it is possible to use only one config
file while still directing the unified2 output to multiple files,
each named with the instance identifier.

Just use the -G argument to specify the instance id.

cheers
guido


diff -rupN snort294_orig/src/output-plugins/spo_unified2.c snort294_patched/src/output-plugins/spo_unified2.c
--- snort294_orig/src/output-plugins/spo_unified2.c   2012-09-21 02:09:14.000000000 +0200
+++ snort294_patched/src/output-plugins/spo_unified2.c        2013-02-14 15:32:57.000000000 +0100
@@ -298,7 +298,6 @@ static void Unified2InitFile(Unified2Con
     }
 
     config->timestamp = (uint32_t)time(NULL);
-
     if (!config->nostamp)
     {
         if (SnortSnprintf(filepath, sizeof(filepath), "%s.%u",
@@ -307,14 +306,26 @@ static void Unified2InitFile(Unified2Con
             FatalError("%s(%d) Failed to copy unified2 file path.\n",
                        __FILE__, __LINE__);
         }
-
+        
         fname_ptr = filepath;
     }
     else
     {
         fname_ptr = config->filepath;
     }
-
+    
+    /* If a snort instance id is given, we append it to the filename */
+    if (snort_conf->instance_id < 0)
+    {
+        fname_ptr = config->filepath;
+    }
+    else
+    {
+        SnortSnprintf(filepath, sizeof(filepath), "%s_%u",
+                      fname_ptr, snort_conf->instance_id);
+        fname_ptr = filepath;
+    }
+    
     if ((config->stream = fopen(fname_ptr, "wb")) == NULL)
     {
         FatalError("%s(%d) Could not open %s: %s\n",
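Review bot: The `snort_conf->instance_id < 0` test in the new block can never be true, because this same patch declares `instance_id` as `uint32_t` in snort.h (the snort.h hunk) and SnortConfNew stores `-1` into it (the second snort.c hunk), so the suffix is appended even when no -G was given and the file ends up as `<path>_4294967295`. Two further problems sit in the else branch: when `nostamp` is false, `fname_ptr` already points at `filepath`, so `SnortSnprintf` into `filepath` reads from its own destination (overlapping source and destination is undefined for snprintf), and its return value is not checked the way the `nostamp` branch just above checks it. The `< 0` branch is also not a no-op: it resets `fname_ptr` to `config->filepath`, discarding the timestamped name built above. Either declare `instance_id` as `int` in snort.h or compare against the wrapped sentinel as below, build the suffixed name in a separate buffer (declared with `filepath` at the top of the function, which is outside this hunk), and check the result; the added lines L57/L65/L77 also introduce trailing whitespace. Unified2InitFile begins and ends outside this hunk.
```c
    char instpath[sizeof(filepath)];   /* declared with filepath; must outlive the fopen() below */
    /* … unchanged: timestamp handling, nostamp branch … */

    /* No -G leaves instance_id at (uint32_t)-1 (see SnortConfNew); only a
     * real id is appended, and fname_ptr is left alone otherwise. */
    if (snort_conf->instance_id != (uint32_t)-1)
    {
        /* Build into a fresh buffer: fname_ptr may already be filepath, and
         * snprintf with overlapping source and destination is undefined. */
        if (SnortSnprintf(instpath, sizeof(instpath), "%s_%u",
                          fname_ptr, snort_conf->instance_id) != SNORT_SNPRINTF_SUCCESS)
        {
            FatalError("%s(%d) Failed to append instance id to unified2 file path.\n",
                       __FILE__, __LINE__);
        }
        fname_ptr = instpath;
    }
    /* … unchanged: fopen(fname_ptr, "wb") and error handling … */
```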
diff -rupN snort294_orig/src/snort.c snort294_patched/src/snort.c
--- snort294_orig/src/snort.c 2012-10-30 22:36:04.000000000 +0100
+++ snort294_patched/src/snort.c      2013-02-14 15:32:58.000000000 +0100
@@ -2272,10 +2272,12 @@ static void ParseCmdLine(int argc, char
                     FatalError("Snort log identifier invalid: %s.  It must "
                                "be between 0 and %u.\n", optarg, UINT16_MAX);
                 }
-
+                
+                /* define the instance id */
+                sc->instance_id = sc->event_log_id;
+                
                 /* Forms upper 2 bytes.  Lower two bytes are the event id */
                 sc->event_log_id <<= 16;
-
                 break;
 
             case 'h':
@@ -3715,6 +3717,9 @@ SnortConfig * SnortConfNew(void)
      * chown() use this later, -1 means no change to user_id/group_id*/
     sc->user_id = -1;
     sc->group_id = -1;
+    
+    /* the running snort instance */
+    sc->instance_id = -1;
 
     sc->checksum_flags = CHECKSUM_FLAG__ALL;
     sc->tagged_packet_limit = 256;
@@ -4154,6 +4159,7 @@ static SnortConfig * MergeSnortConfs(Sno
     }
 
     config_file->event_log_id = cmd_line->event_log_id;
+    config_file->instance_id = cmd_line->instance_id;
 
     if (cmd_line->dynamic_rules_path != NULL)
     {
diff -rupN snort294_orig/src/snort.h snort294_patched/src/snort.h
--- snort294_orig/src/snort.h 2012-10-30 22:36:05.000000000 +0100
+++ snort294_patched/src/snort.h      2013-02-14 11:45:49.000000000 +0100
@@ -632,7 +632,8 @@ typedef struct _SnortConfig
     int checksum_drop_flags;
     int checksum_drop_flags_modified;
 
-    uint32_t event_log_id;      /* -G */
+    uint32_t event_log_id;      /* -G the shifted number */
+    uint32_t instance_id;       /* -G the given raw number */
     int pkt_snaplen;
     int64_t pkt_cnt;            /* -n */
 



-- 

Brad Tilley
16 Systems, LLC
P.O. Box 356
Blacksburg, VA
24063


