[Snort-devel] Snort with Unix domain socket

Martin Roesch roesch at ...48...
Wed Jan 3 16:26:04 EST 2001


Did you turn on the socket interface with the "-A unsock" switch or an output
plugin directive in the config file?  That would be the first thing I'd
check.  You might want to put a little message in the initialization and
output code to make sure that it's being called...

    -Marty

> Jean-Philippe Grenier wrote:
> 
> I would like to know if someone got Snort working with the Unix domain
> socket.
> 
> For some reason, Snort isn't doing a bind in file log.c:526 in function
> OpenAlertSock(). So if UNSOCK_FILE ("/dev/snort_alert") doesn't exist, it
> won't be created.
> 
> So after adding the bind call at line 539,
> 
>     526 void OpenAlertSock()
>     527 {
>     528     char *srv=UNSOCK_FILE;
>     529
>     530     bzero((char *)&alertaddr,sizeof(alertaddr));
>     531     bcopy((const void *)srv,(void *)alertaddr.sun_path,strlen(srv)); /* we trust what we define */
>     532     alertaddr.sun_family=AF_UNIX;
>     533
>     534     if ((alertsd=socket(AF_UNIX,SOCK_DGRAM,0))<0)
>     535     {
>     536         FatalError("socket() call failed: %s", strerror(errno));
>     537     }
>     538
>     539     bind(alertsd, (struct sockaddr*) &alertaddr, SUN_LEN(&alertaddr));
>     540
>     541 }
> 
> I have another program receiving from the socket and it is not getting
> anything.
> 
> Can anyone help?

-- 
Martin Roesch
roesch at ...48...
http://www.snort.org
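
An added example, not part of the thread and not Snort's own code: on an AF_UNIX/SOCK_DGRAM socket the reading process is the one that bind()s the path (which creates the socket file), while a sender only needs sendto(); once a path is bound, a second bind() on it fails with EADDRINUSE. The path `/tmp/unsock_demo_alert` and the helper names `mk_addr`, `bind_dgram` and `send_dgram` are assumptions made for this sketch, and the alert text is constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

#define DEMO_SOCK "/tmp/unsock_demo_alert" /* assumption: stand-in for UNSOCK_FILE */

static struct sockaddr_un mk_addr(const char *path)
{
    struct sockaddr_un a = { .sun_family = AF_UNIX };  /* rest is zeroed */
    strncpy(a.sun_path, path, sizeof(a.sun_path) - 1); /* bounded, NUL-terminated */
    return a;
}

/* Receiver role: bind() creates the socket file. Returns fd, or -1 with errno set. */
int bind_dgram(const char *path)
{
    struct sockaddr_un a = mk_addr(path);
    int sd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (sd < 0) return -1;
    if (bind(sd, (struct sockaddr *)&a, sizeof(a)) == 0) return sd;
    int e = errno; close(sd); errno = e;               /* keep bind()'s errno */
    return -1;
}

/* Sender role: unbound socket, sendto() the receiver's path. Returns bytes or -1. */
long send_dgram(const char *path, const char *msg)
{
    struct sockaddr_un a = mk_addr(path);
    int sd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (sd < 0) return -1;
    long n = sendto(sd, msg, strlen(msg), 0, (struct sockaddr *)&a, sizeof(a));
    close(sd);
    return n;
}

int main(void)
{
    char buf[64] = {0};
    unlink(DEMO_SOCK);                                 /* clear a stale socket file */
    int rx = bind_dgram(DEMO_SOCK);                    /* the alert reader owns the path */
    if (rx < 0 || send_dgram(DEMO_SOCK, "constructed test alert") < 0) return 1;
    recv(rx, buf, sizeof(buf) - 1, 0);
    printf("received: %s\n", buf);
    if (bind_dgram(DEMO_SOCK) < 0)                     /* a second owner is refused */
        printf("second bind: %s\n", strerror(errno));
    close(rx); unlink(DEMO_SOCK);
}
```

If `send_dgram` is called before any reader has bound the path, it returns -1 because the socket file does not exist yet, so a sender should check that return value if dropped alerts need to be noticed.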



