Snort mailing list archives
Re: unixsock output plugin for snort Alerts
From: "Carter Waxman (cwaxman)" <cwaxman () cisco com>
Date: Wed, 13 May 2015 13:05:39 +0000
Hi Dilipan,

We currently do not include support for that under the unixsock output plugin. If you would like to add the functionality to your alerting format, see how we use Active_GetDisposition() under fast and unified2 logging.

As for the packet size, the alert plugin may be handling alerts from rebuilt packets, which may reach that 65535 byte bound.

Let us know if you have any questions!

Thanks,
Carter

From: "Dilipan Janarthanan (djanarth)" <djanarth () cisco com>
Date: Wednesday, May 13, 2015 at 5:05 AM
To: "snort-devel () lists sourceforge net" <snort-devel () lists sourceforge net>
Subject: Re: [Snort-devel] unixsock output plugin for snort Alerts

Hello,

Any insights to this problem, pl? Appreciate your help!

-Dilipan

From: Dilipan Janarthanan <djanarth () cisco com>
Date: Monday, 11 May 2015 4:20 pm
To: "snort-devel () lists sourceforge net" <snort-devel () lists sourceforge net>
Subject: [Snort-devel] unixsock output plugin for snort Alerts

Hi, Team,

Would like to use alert_unixsock output plugin for logging alerts mainly to avoid using the disk when an alert is produced. I'm able to get the alert, but I fail to find the 'action' (drop/alert/wdrop) information in the sock output. How do we get this information with this plugin?

Also I notice that the 'pkt' field in the alertpkt structure (spo_alert_unixsock.h) has been hardcoded to 65535. Is it not sufficient enough to use SNAPLEN as the size of this field instead of max size?

    typedef struct _Alertpkt
    {
        uint8_t alertmsg[ALERTMSG_LENGTH]; /* variable.. */
        struct pcap_pkthdr32 pkth;
        uint32_t dlthdr;    /* datalink header offset. (ethernet, etc.. ) */
        uint32_t nethdr;    /* network header offset. (ip etc...) */
        uint32_t transhdr;  /* transport header offset (tcp/udp/icmp ..) */
        uint32_t data;
        uint32_t val;       /* which fields are valid. (NULL could be
                             * valids also) */
        /* Packet struct --> was null */
    #define NOPACKET_STRUCT 0x1
        /* no transport headers in packet */
    #define NO_TRANSHDR 0x2
        uint8_t pkt[65535];
        Event event;
    } Alertpkt;

Regards,
Dilipan
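As an added example (not part of this thread and not Snort's own code), the following Python program plays the consumer side of alert_unixsock: it binds the datagram socket Snort connects to and decodes each Alertpkt using the layout quoted above. It assumes ALERTMSG_LENGTH is 256, that struct pcap_pkthdr32 is four uint32 fields (ts_sec, ts_usec, caplen, len), that Event is seven uint32 fields followed by a two-field timeval32, and that the socket path is /dev/snort_alert; check spo_alert_unixsock.h and event.h of your build before relying on any of those. As Carter's reply says, the structure carries no disposition field, so a consumer cannot report drop/alert/wdrop from this plugin alone. Because caplen and the header offsets arrive over the socket, the parser bounds-checks them against the 65535-byte pkt array before slicing, and honours the NOPACKET_STRUCT and NO_TRANSHDR flags in val.

```python
import os
import socket
import struct

# Field layout of Alertpkt (spo_alert_unixsock.h) as quoted in the thread.
# Assumed, not stated there: ALERTMSG_LENGTH == 256; struct pcap_pkthdr32 is
# four uint32 (ts_sec, ts_usec, caplen, len); Event is seven uint32 followed by
# a two-uint32 timeval32. Native ('@') alignment makes Python insert the same
# padding a C compiler puts between pkt[65535] and the Event member.
ALERTMSG_LENGTH = 256
PKT_LENGTH = 65535
NOPACKET_STRUCT = 0x1   # val flag: Packet struct was NULL, pkt/offsets not filled
NO_TRANSHDR = 0x2       # val flag: no transport header, transhdr offset is meaningless

ALERTPKT_FMT = ("@"
                + "%ds" % ALERTMSG_LENGTH   # alertmsg
                + "IIII"                    # pcap_pkthdr32: ts_sec, ts_usec, caplen, len
                + "IIIII"                   # dlthdr, nethdr, transhdr, data, val
                + "%ds" % PKT_LENGTH        # pkt
                + "IIIIIII"                 # Event: sig_generator, sig_id, sig_rev,
                                            # classification, priority, event_id, event_reference
                + "II")                     # Event.ref_time: tv_sec, tv_usec
ALERTPKT_SIZE = struct.calcsize(ALERTPKT_FMT)


def parse_alertpkt(buf):
    """Decode one Alertpkt datagram. Every length or offset comes from the wire
    and is bounds-checked before it is used to slice the packet bytes."""
    if len(buf) < ALERTPKT_SIZE:
        raise ValueError("short datagram: %d < %d bytes" % (len(buf), ALERTPKT_SIZE))
    (msg, ts_sec, ts_usec, caplen, wirelen,
     dlthdr, nethdr, transhdr, data, val, pkt,
     sig_gen, sig_id, sig_rev, classification, priority,
     event_id, event_ref, ref_sec, ref_usec) = struct.unpack_from(ALERTPKT_FMT, buf)

    no_packet = bool(val & NOPACKET_STRUCT)
    caplen = 0 if no_packet else min(caplen, PKT_LENGTH)
    packet = pkt[:caplen]

    def offset(o, valid):
        # An offset is only reported when the flags say it is filled in and it
        # lies inside the captured bytes; otherwise None.
        return o if (valid and o <= caplen) else None

    return {
        "msg": msg.split(b"\0", 1)[0].decode("utf-8", "replace"),
        "time": ts_sec + ts_usec / 1e6,
        "caplen": caplen,
        "wirelen": wirelen,
        "no_packet": no_packet,
        "offsets": {
            "dl": offset(dlthdr, not no_packet),
            "net": offset(nethdr, not no_packet),
            "trans": offset(transhdr, not no_packet and not (val & NO_TRANSHDR)),
            "data": offset(data, not no_packet),
        },
        "packet": packet,
        "event": {
            "gid": sig_gen, "sid": sig_id, "rev": sig_rev,
            "classification": classification, "priority": priority,
            "event_id": event_id, "event_reference": event_ref,
            "ref_time": ref_sec + ref_usec / 1e6,
        },
    }


def sample_datagram():
    """A constructed Alertpkt (not captured from Snort) for offline testing."""
    packet = b"\x00" * 14 + b"\x45" + b"\x00" * 39   # 14-byte Ethernet + 40 bytes standing in for IP/TCP
    return struct.pack(
        ALERTPKT_FMT,
        b"TEST constructed alert", 1431522339, 0, len(packet), len(packet),
        0, 14, 34, 54, 0, packet,
        1, 1000001, 1, 3, 2, 7, 7, 1431522339, 0)


def serve(path="/dev/snort_alert", handler=print):
    """Bind the datagram socket that alert_unixsock connects to and pass each
    decoded alert to handler. The path is an assumption for this example."""
    if os.path.exists(path):
        os.unlink(path)
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    sock.bind(path)
    while True:
        handler(parse_alertpkt(sock.recv(ALERTPKT_SIZE)))


if __name__ == "__main__":
    serve()
```

Run it before starting Snort so the socket exists when the plugin tries to connect; the receiving process must own the socket path, which is the only access control a unix datagram socket gives you.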
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- unixsock output plugin for snort Alerts Dilipan Janarthanan (djanarth) (May 11)
- <Possible follow-ups>
- Re: unixsock output plugin for snort Alerts Dilipan Janarthanan (djanarth) (May 13)
- Re: unixsock output plugin for snort Alerts Carter Waxman (cwaxman) (May 13)
- Re: unixsock output plugin for snort Alerts Dilipan Janarthanan (djanarth) (May 14)
- Re: unixsock output plugin for snort Alerts Carter Waxman (cwaxman) (May 13)