Snort mailing list archives
Re: Fwd: Parse UnixSock output with Perl Script
From: Victor Roemer <viroemer () cisco com>
Date: Mon, 15 Jun 2015 16:02:38 -0400
Veronique,

I think that this is the data structure that you are looking for. I did not look
at the perl script, but decoding this with perl will feel uncomfortable.

pathname: src/output-plugins/spo_alert_unixsock.h
--- snip ---
typedef struct _Alertpkt
{
    uint8_t alertmsg[ALERTMSG_LENGTH]; /* variable.. */
    struct pcap_pkthdr32 pkth;
    uint32_t dlthdr;      /* datalink header offset. (ethernet, etc.. ) */
    uint32_t nethdr;      /* network header offset. (ip etc...) */
    uint32_t transhdr;    /* transport header offset (tcp/udp/icmp ..) */
    uint32_t data;
    uint32_t val;         /* which fields are valid. (NULL could be valids also) */
    /* Packet struct --> was null */
#define NOPACKET_STRUCT 0x1
    /* no transport headers in packet */
#define NO_TRANSHDR     0x2
    uint8_t pkt[65535];
    Event event;
} Alertpkt;
--- end-snip ---

Note that there is the "Event" as the last element. It looks like this is the
data that you want (cleaned up a bit).

pathname: src/event.h
--- snip ---
typedef struct _Event
{
    uint32_t sig_generator;
    uint32_t sig_id;
    uint32_t sig_rev;
    uint32_t classification;
    uint32_t priority;
    uint32_t event_id;
    uint32_t event_reference;
    struct sf_timeval32 ref_time;
#if defined(FEAT_OPEN_APPID)
#define MAX_EVENT_APPNAME_LEN 16
    char app_name[MAX_EVENT_APPNAME_LEN];
#endif
} Event;
--- end-snip ---

Hope this helps... although, why not use unified2? It is much better documented,
and there are a number of tools for it which are open source too, including
barnyard, et al. (and some of my own).

On 6/11/15 17:58, Véronique B. wrote:
Dear All,

I still haven't found a way to do it. Does anyone have a clue?
I tried to look at the Snort source code, but I still don't know in which order
the fields of the packets are.

Thank you very much in advance for your help,

Regards,
Veronique

---------- Forwarded message ----------
From: *Snort User* <snort.nsm.user () gmail com>
Date: 2015-06-09 15:48 GMT+12:00
Subject: Parse UnixSock output with Perl Script
To: snort-users () lists sourceforge net

Dear all,

I'm trying to parse Snort output while receiving it on a Unix socket. I'm using
Security Onion.

I'm using this Perl script I found in several locations on the web:

#!/usr/bin/perl -w
use strict;
use warnings;

# Include the socket libraries
use IO::Socket;

# This is the template to capture the Alert Name
# Edit this to get the additional packets.
my $TEMPLATE = "A256 A*";

# Release the socket if it already exists
unlink "/nsm/sensor_data/[sensor_name]/snort-1/snort_alert";

# In case of user termination - exit gracefully.
$SIG{TERM} = $SIG{INT} = sub { exit 0 };

# Open up the socket.
my $client = IO::Socket::UNIX->new(
    Type  => SOCK_DGRAM,
    Local => "/nsm/sensor_data/[sensor_name]/snort-1/snort_alert"
) or die "Socket: $@";
print STDOUT "Socket Open ... \n";

# Loop receiving data from the socket, pulling out the
# alert name and printing it.
my $data;
while ( 1 ) {
    recv($client, $data, 1024, 0);
    my @MSSG = unpack($TEMPLATE, $data);
    print "$MSSG[0]\n";
}

# At termination close up the socket again.
END { unlink "/nsm/sensor_data/[sensor_name]/snort-1/snort_alert"; }

A comment says we can edit the template format to get other information.
However, I couldn't find out how to get other information: is there a proper
description of the different data we can find in the received packets and their
order with their type, bounds etc?

My goal is to get the following data:
- signature of the attack
- source ip address
- destination ip address
- protocol
- source and destination ports

I'm sorry I'm new to Perl and to Snort.

I also found a program in C (https://www.snort.org/faq/readme-unsock) to do the
same thing but I didn't find out how to make it work in Security Onion (there
is no "snort.h" library anywhere).

Thank you in advance!

Regards,
Veronique
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
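As an added example (not code from the thread, from Snort or from Security Onion), here is a decoder for the Alertpkt datagram following the two structs Victor quoted, written with Python's struct module and pulling out exactly the fields Veronique listed. It assumes ALERTMSG_LENGTH is 256 (the Perl template's A256), a build without FEAT_OPEN_APPID, host byte order (sender and receiver are the same host), and an IPv4 packet; the build_sample helper constructs a test datagram with the same layout.

```python
import struct
from ipaddress import ip_address

# Layout of Snort 2.x Alertpkt as written to the alert_unixsock socket, host byte order.
# Constructed example, not Snort code. Assumed: ALERTMSG_LENGTH == 256 (matches the
# Perl "A256" template) and FEAT_OPEN_APPID off (no app_name at the end of Event).
ALERTMSG_LENGTH = 256
PKT_LENGTH = 65535
NOPACKET_STRUCT, NO_TRANSHDR = 0x1, 0x2
# alertmsg | pcap_pkthdr32 (ts.sec, ts.usec, caplen, len) | dlthdr nethdr transhdr data val
HEAD = struct.Struct("=%dsIIIIIIIII" % ALERTMSG_LENGTH)
# Event: sig_generator sig_id sig_rev classification priority event_id event_reference ref_time(sec, usec)
EVENT = struct.Struct("=IIIIIIIII")
# Event holds uint32_t, so the compiler aligns it to 4 bytes: one pad byte follows pkt[65535]
EVENT_OFF = (HEAD.size + PKT_LENGTH + 3) & ~3
IPV4 = struct.Struct("!BBHHHBBH4s4s")


def parse_alertpkt(dgram):
    """Decode one datagram into signature, addresses, protocol and ports; raises if truncated."""
    if len(dgram) < EVENT_OFF + EVENT.size:
        raise ValueError("short datagram (%d bytes): recv() buffer too small?" % len(dgram))
    f = HEAD.unpack_from(dgram, 0)
    ts_sec, ts_usec, caplen, _length, _dlthdr, nethdr, transhdr, _data, val = f[1:]
    ev = EVENT.unpack_from(dgram, EVENT_OFF)
    out = {"msg": f[0].split(b"\0", 1)[0].decode("ascii", "replace"),
           "sig": "%d:%d:%d" % ev[:3], "priority": ev[4], "ts": ts_sec + ts_usec / 1e6,
           "src": None, "dst": None, "proto": None, "sport": None, "dport": None}
    if val & NOPACKET_STRUCT or caplen > PKT_LENGTH or nethdr + IPV4.size > caplen:
        return out                       # no decodable packet behind this alert
    pkt = dgram[HEAD.size:HEAD.size + caplen]
    ip = IPV4.unpack_from(pkt, nethdr)
    if ip[0] >> 4 != 4:
        return out                       # only IPv4 handled in this example
    out.update(proto=ip[6], src=str(ip_address(ip[8])), dst=str(ip_address(ip[9])))
    if not val & NO_TRANSHDR and ip[6] in (6, 17) and transhdr + 4 <= caplen:
        out["sport"], out["dport"] = struct.unpack_from("!HH", pkt, transhdr)   # TCP/UDP ports
    return out


def build_sample(msg, src, dst, sport, dport, gid=1, sid=1000001, rev=1):
    """Constructed Alertpkt (Ethernet/IPv4/TCP SYN) laid out the way Snort's struct would be."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = IPV4.pack(0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, ip_address(src).packed, ip_address(dst).packed)
    frame = b"\0" * 12 + b"\x08\x00" + ip + tcp
    head = HEAD.pack(msg.encode(), 1434400000, 0, len(frame), len(frame), 0, 14, 34, 54, 0)
    body = (head + frame).ljust(EVENT_OFF, b"\0")   # pkt[] is sent in full, zero-filled, plus the pad byte
    return body + EVENT.pack(gid, sid, rev, 3, 2, 7, 7, 1434400000, 0)


if __name__ == "__main__":
    print(parse_alertpkt(build_sample("constructed test alert", "10.0.0.5", "192.0.2.10", 51234, 22)))
```

Snort sends the whole struct as a single datagram, so a recv() buffer of 1024 bytes keeps only the first part of alertmsg and silently drops the packet and Event; the size check in parse_alertpkt turns that into an error instead of garbage fields.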