[Snort-devel] Snort with Unix domain socket
jgrenier at ...177...
Thu Jan 4 12:21:54 EST 2001
Well, will it be too overwhelming to have snort send the whole packet
to the unix socket and then have a modified version of Guardian,
reading from the unix socket, parsing the alerts?
I'm not sure if I understand it right, why would I have to parse out
the whole datagram again to print it? I thought it already was in
From: Fyodor [mailto:fygrave at ...1...]
Sent: Thursday, January 04, 2001 11:40 AM
To: Jean-Philippe Grenier
Cc: 'Martin Roesch'; 'snort-devel at lists.sourceforge.net'
Subject: Re: [Snort-devel] Snort with Unix domain socket
On Thu, Jan 04, 2001 at 11:07:49AM -0500, Jean-Philippe Grenier wrote:
> Well the problem was obviously my logging program. I'd forgotten to
> do an unlink("/dev/snort_alert"), so when I was calling bind, I
> was getting a Connection Refused.
> But I have another question. Logging with the unix socket only
> seems to send the alert msg, it does not send the network header
What do you mean by 'network header'? :) If you want to see the whole packet,
I can modify the code to send it as well. Originally I thought it might be
overwhelming for you to parse it, but if you want.. ;-P
> I haven't seen an equivalent of PrintIPHeader(FILE *fp, Packet *p)
> for the unix socket, is there one ?
Uh? By design it logs the data into the unix socket, which you need for
logging (e.g. source, destination of original datagram, message etc.); you
have the IP datagram available there. Even if you had, you'd have to parse out
the whole datagram again to print it.
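A minimal reader for the unix-socket alert output discussed in this thread, as an added example (not code from the thread, from Guardian or from Snort): it unlinks a stale socket file before bind(), which is the mistake Jean-Philippe describes, and treats each datagram as NUL-terminated alert text. That layout is an assumption for illustration, not the format of any Snort version; the socket path, the helper names and the sample alert messages are constructed.

```python
import os
import socket
import tempfile

def open_alert_socket(path):
    """Bind a datagram AF_UNIX socket for Snort to write alerts into.
    A socket file left by an earlier run makes bind() fail (the mistake
    described in the thread), so unlink it first."""
    try:
        os.unlink(path)
    except FileNotFoundError:
        pass
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    sock.bind(path)
    os.chmod(path, 0o600)  # assumes Snort runs as this user; nobody else may inject alerts
    return sock

def parse_alert(datagram):
    """Decode one datagram as NUL-terminated text (assumed layout). Bytes after
    the first NUL are dropped; invalid UTF-8 is replaced, not raised on, since
    the text derives from hostile traffic."""
    return datagram.split(b"\0", 1)[0].decode("utf-8", errors="replace")

def receive_alerts(sock, count, max_size=65535):
    """Read count datagrams from the bound socket and return their messages."""
    return [parse_alert(sock.recvfrom(max_size)[0]) for _ in range(count)]

def send_alert(path, message):
    """Constructed stand-in for Snort's sender side, used to exercise the reader."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.sendto(message.encode() + b"\0", path)

def demo(path=None):
    """Round trip on a temporary path; returns (stale_bind_failed, alerts)."""
    path = path or os.path.join(tempfile.mkdtemp(), "snort_alert")
    open_alert_socket(path).close()  # leaves a stale socket file behind
    stale_bind_failed = False
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        try:
            s.bind(path)  # reproduces the failure: the path is already taken
        except OSError:
            stale_bind_failed = True
    with open_alert_socket(path) as sock:
        for msg in ("ICMP PING NMAP", "WEB-IIS cmd.exe access"):  # constructed samples
            send_alert(path, msg)
        alerts = receive_alerts(sock, 2)
    os.unlink(path)
    return stale_bind_failed, alerts
```

Running demo() shows the stale-path bind failing and then two alerts arriving once the path has been unlinked and rebound.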