Snort mailing list archives

Re: Information Request about snort unix socket (unixSock)


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Mon, 27 Oct 2014 15:08:04 +0000

This is probably a better question for the Snort-devel list.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

On Oct 27, 2014, at 7:39 AM, Giancarlo Capone <giancarlo.capone () yahoo com> wrote:

Good morning to all of you,
I’m an Italian student, and I’ve successfully installed snort as NIDS on an OpenSuse Virtual Machine.

Now I’m trying to make snort print alerts on a unix socket. I first tried a perl script that listens to the unix 
socket created by snort: it works fine, but I’m only able to catch the “msg” I’ve written in the rule, and I’m not able 
to catch other info about the data packet itself. For instance I’d like to get the source and destination IP address, as 
well as other info.

I’ve read the C code provided in the README.UNSOCK file, but when I try to compile it there is a problem because, 
obviously, the compiler doesn’t find the snort.h file. Can you give me any suggestion about how to resolve this issue? 
I’ve tried to find this file in the snort folders, but unsuccessfully.

I’d also like to ask you another question, because I also don’t understand where in the C code it starts listening to 
the unix socket. In the perl code (which I’ve put at the bottom of this email) I use the following code: `Local => 
"$ENV{HOME}/snort_alert")` to define the location of the unix socket I want to listen to.

I thank you in advance, and I’m sorry if my English is not so good.

Have a nice day,
Giancarlo Capone.

PS. I write here the perl script I’ve found on the internet:

#!/usr/bin/perl
# Include the socket libraries
use strict;
use warnings;
use IO::Socket;

# This is the template to capture the Alert Name
# (the first 256 bytes of each datagram); edit this to get the additional packets.
my $TEMPLATE = "A256 A*";

# Release the socket if it already exists
unlink "$ENV{HOME}/snort_alert";

# In case of user termination - exit gracefully.
$SIG{TERM} = $SIG{INT} = sub { exit 0 };

# Open up the socket.
my $client = IO::Socket::UNIX->new(Type  => SOCK_DGRAM,
                                   Local => "$ENV{HOME}/snort_alert")
    or die "Socket: $@";

print STDOUT "Socket Opened ... \n";

# Loop receiving data from the socket, pulling out the
# alert name and printing it.
my $data;

while (1) {
    print STDOUT "\n \n \n Before receive rcv... \n";
    # recv() keeps only the first 1024 bytes of each datagram; the rest is dropped.
    recv($client, $data, 1024, 0);
    my @FIELDS = unpack($TEMPLATE, $data);
    # print "@FIELDS \n";
    print "$FIELDS[0] \n";
}

# At termination close up the socket again.
END { unlink "$ENV{HOME}/snort_alert"; }

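As an added example (not from this thread, the Snort project or README.UNSOCK), here is a Python reader in the spirit of the Perl script above that also pulls the source and destination IP out of the datagram, which is what the question asks for. It assumes the Alertpkt layout from snort.h on 64-bit Linux (256-byte message, struct pcap_pkthdr, five u32 offset/flag fields, then the raw packet) and the val flag values NOPACKET_STRUCT/NO_TRANSHDR; verify both against the snort.h of your build.

```python
import os
import socket
import struct

ALERTMSG_LENGTH = 256  # same 256-byte message field as the Perl "A256" template
NOPACKET_STRUCT, NO_TRANSHDR = 0x1, 0x2  # Alertpkt.val flags (assumed from snort.h)
# Assumed Alertpkt prefix on 64-bit Linux: alertmsg[256], struct pcap_pkthdr
# (tv_sec u64, tv_usec u64, caplen u32, len u32), then dlthdr, nethdr, transhdr,
# data and val as u32 offsets/flags; the raw packet follows. Use "II" on 32-bit.
ALERTPKT_FMT = "=%dsQQIIIIIII" % ALERTMSG_LENGTH
ALERTPKT_LEN = struct.calcsize(ALERTPKT_FMT)  # 300 bytes before the packet


def parse_alert(datagram):
    """Return (msg, src_ip, dst_ip, proto); IPs are None without an IPv4 header."""
    if len(datagram) < ALERTPKT_LEN:
        raise ValueError("short datagram: %d bytes" % len(datagram))
    fields = struct.unpack_from(ALERTPKT_FMT, datagram)
    msg = fields[0].split(b"\0", 1)[0].decode("ascii", "replace")
    caplen, nethdr, val = fields[3], fields[6], fields[9]
    pkt = datagram[ALERTPKT_LEN:ALERTPKT_LEN + caplen]
    # Trust Snort's offsets only if it built a packet struct and the 20-byte
    # IPv4 header actually lies inside the captured bytes.
    if val & NOPACKET_STRUCT or nethdr + 20 > len(pkt) or pkt[nethdr] >> 4 != 4:
        return msg, None, None, None
    src = socket.inet_ntoa(pkt[nethdr + 12:nethdr + 16])
    dst = socket.inet_ntoa(pkt[nethdr + 16:nethdr + 20])
    return msg, src, dst, pkt[nethdr + 9]


def build_sample_datagram(msg, src, dst, proto=6):
    """Constructed datagram: Ethernet + minimal IPv4 header, no transport layer."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    pkt = b"\xff" * 12 + b"\x08\x00" + ip  # 14-byte Ethernet header, IPv4 ethertype
    hdr = struct.pack(ALERTPKT_FMT, msg.encode(), 0, 0, len(pkt), len(pkt),
                      0, 14, 34, 34, NO_TRANSHDR)
    return hdr + pkt


def serve(path=os.path.expanduser("~/snort_alert")):
    """Bind the socket Snort writes to and print one line per alert."""
    if os.path.exists(path):
        os.unlink(path)
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    sock.bind(path)
    try:
        while True:  # Alertpkt is larger than 64 KiB, so read with a big buffer
            print("%s  %s -> %s  proto=%s" % parse_alert(sock.recv(1 << 17)))
    finally:
        os.unlink(path)
```

Run `serve()` while Snort writes to the same socket path; the offset checks are what keep a malformed or truncated datagram from turning into an out-of-range read.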

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
