[Snort-devel] Snort with Unix domain socket

Jean-Philippe Grenier jgrenier at ...177...
Thu Jan 4 11:07:49 EST 2001


Well, the problem was obviously my logging program. I forgot to
do an unlink("/dev/snort_alert"), so when I was calling bind, I
was getting a Connection Refused.

But I have another question. Logging with the unix socket only
seems to send the alert msg; it does not send the network header
information.

I haven't seen an equivalent of PrintIPHeader(FILE *fp, Packet *p)
for the unix socket. Is there one?


Thanks, Jean-Philippe 
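Both ends of the datagram socket, as an added example in C that is neither Snort's own code nor code from this thread: the receiver unlinks a stale socket file before bind() (the cause of the error described above) and the sender does what Snort's output code does, one datagram per alert. The function names and the socket path used in the test are assumptions, and the payload is only the alert text, as the thread observes.

```c
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

static int fill_addr(struct sockaddr_un *a, const char *path)
{
    memset(a, 0, sizeof(*a));
    a->sun_family = AF_UNIX;
    if (strlen(path) >= sizeof(a->sun_path)) return -1; /* no sun_path overflow */
    strcpy(a->sun_path, path);
    return 0;
}

/* Receiving end (hypothetical logger). With do_unlink == 0 a socket file left
 * by an earlier run makes bind() fail; unlink() first is the fix. fd or -1. */
int open_alert_receiver(const char *path, int do_unlink)
{
    struct sockaddr_un addr;
    int fd;
    if (fill_addr(&addr, path) < 0) return -1;
    if (do_unlink) unlink(path);
    if ((fd = socket(AF_UNIX, SOCK_DGRAM, 0)) < 0) return -1;
    if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Sending end, as Snort's unsock output does: one datagram per alert. */
int send_alert(const char *path, const char *msg)
{
    struct sockaddr_un addr;
    int fd, rc;
    if (fill_addr(&addr, path) < 0) return -1;
    if ((fd = socket(AF_UNIX, SOCK_DGRAM, 0)) < 0) return -1;
    rc = (int)sendto(fd, msg, strlen(msg), 0, (struct sockaddr *)&addr, sizeof(addr));
    close(fd);
    return rc;
}

/* Read one alert datagram into a NUL-terminated buffer; bytes read or -1. */
int recv_alert(int fd, char *buf, size_t len)
{
    ssize_t n = recv(fd, buf, len - 1, 0);
    if (n < 0) return -1;
    buf[n] = '\0';
    return (int)n;
}
```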

-----Original Message-----
From: Martin Roesch [mailto:roesch at ...48...]
Sent: Wednesday, January 03, 2001 4:26 PM
To: Jean-Philippe Grenier
Cc: 'snort-devel at lists.sourceforge.net'
Subject: Re: [Snort-devel] Snort with Unix domain socket


Did you turn on the socket interface with the "-A unsock" switch or an
output plugin directive in the config file?  That would be the first thing I'd
check.  You might want to put a little message in the initialization and
output code to make sure that it's being called...

    -Marty

> Jean-Philippe Grenier wrote:
> 
> I would like to know if someone got Snort working with the Unix domain
> socket.
> 
> For some reason, Snort isn't doing a bind in file log.c:526 in function
> OpenAlertSock(). So if UNSOCK_FILE ("/dev/snort_alert") doesn't exist, it
> won't be created.
> 
> So after adding the bind call at line 539,
> 
>     526 void OpenAlertSock()
>     527 {
>     528     char *srv=UNSOCK_FILE;
>     529
>     530     bzero((char *)&alertaddr,sizeof(alertaddr));
>     531     bcopy((const void *)srv,(void *)alertaddr.sun_path,strlen(srv)); /* we trust what we define */
>     532     alertaddr.sun_family=AF_UNIX;
>     533
>     534     if ((alertsd=socket(AF_UNIX,SOCK_DGRAM,0))<0)
>     535     {
>     536         FatalError("socket() call failed: %s", strerror(errno));
>     537     }
>     538
>     539     bind(alertsd, (struct sockaddr*) &alertaddr, SUN_LEN(&alertaddr));
>     540
>     541 }
> 
> I have another program receiving from the socket and it isn't getting
> anything.
> 
> Can anyone help?

-- 
Martin Roesch
roesch at ...48...
http://www.snort.org

_______________________________________________
Snort-devel mailing list
Snort-devel at lists.sourceforge.net
http://lists.sourceforge.net/mailman/listinfo/snort-devel