[Snort-devel] Snort with Unix domain socket

Jean-Philippe Grenier jgrenier at ...177...
Thu Jan 4 12:21:54 EST 2001


Well, will it be too overwhelming to have snort send the whole packet
to the unix socket and then have a modified version of Guardian, 
reading from the unix socket, parsing the alerts?


I'm not sure if I understand it right: why would I have to parse out 
the whole datagram again to print it? I thought it already was in
the Alertpkt.


Thanks, Jean-Philippe

-----Original Message-----
From: Fyodor [mailto:fygrave at ...1...]
Sent: Thursday, January 04, 2001 11:40 AM
To: Jean-Philippe Grenier
Cc: 'Martin Roesch'; 'snort-devel at lists.sourceforge.net'
Subject: Re: [Snort-devel] Snort with Unix domain socket


On Thu, Jan 04, 2001 at 11:07:49AM -0500, Jean-Philippe Grenier wrote:
> Well, the problem was obviously my logging program. I'd forgotten to 
> do an unlink("/dev/snort_alert"), so when I was calling bind, I 
> was getting a Connection Refused.
> 
> But I have another question. Logging with the unix socket only
> seems to send the alert msg, it does not send the network header
> information.

What do you mean by 'network header'? :) If you want to see the whole packet,
I can modify the code to send it as well. Originally I thought it might be
overwhelming for you to parse it, but if you want.. ;-P

> I haven't seen an equivalent of PrintIPHeader(FILE *fp, Packet *p)
> for the unix socket, is there one?
> 

Uh? By design it logs the data into the unix socket which you need to
perform logging (e.g. source, destination of original datagram, message etc),
you don't have the IP datagram available there. Even if you had, you'd have
to parse out the whole datagram again to print it.

-- 
http://www.notlsd.net
PGP fingerprint = 56DD 1511 DDDA 56D7 99C7  B288 5CE5 A713 0969 A4D1
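The unlink()-before-bind() fix discussed in the quoted reply, as an added example that is not code from the thread or from Snort: a minimal reader for Snort's Unix-socket alert output, with a sender that mimics Snort's side so the round trip can be exercised. The socket path and the text-only alert payload are assumptions made for this example.

```c
/* Added example (not from the thread or Snort): a reader for Snort's
 * Unix-socket alerts plus a sender mimicking Snort; path and payload assumed. */
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

static void fill_addr(struct sockaddr_un *a, const char *path)
{
    memset(a, 0, sizeof *a);
    a->sun_family = AF_UNIX;
    strncpy(a->sun_path, path, sizeof a->sun_path - 1);
}
/* Reader side; Snort is the client, so the reader owns the socket file.
 * unlink() first: a stale file makes bind() fail with EADDRINUSE, and
 * Snort's sendto() then sees ECONNREFUSED since nothing is bound there. */
int open_alert_socket(const char *path)
{
    struct sockaddr_un addr;
    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    fill_addr(&addr, path);
    unlink(path);                   /* the call missing in the thread */
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0) { close(fd); return -1; }
    return fd;
}
/* Sender side: one datagram per alert, as Snort's output plugin does. */
int send_alert(const char *path, const char *msg)
{
    struct sockaddr_un addr;
    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    fill_addr(&addr, path);
    ssize_t n = sendto(fd, msg, strlen(msg), 0, (struct sockaddr *)&addr, sizeof addr);
    close(fd);
    return n == (ssize_t)strlen(msg) ? 0 : -1;
}
/* Bind, send one alert, read it back; returns 1 if the text matches.  The
 * socket file is left behind on purpose (as after a reader crash), so a
 * second call succeeds only thanks to the unlink() in open_alert_socket. */
int roundtrip(const char *path, const char *msg)
{
    char buf[512];
    int fd = open_alert_socket(path);
    if (fd < 0) return 0;
    if (send_alert(path, msg) < 0) { close(fd); return 0; }
    ssize_t n = recv(fd, buf, sizeof buf - 1, 0);
    close(fd);
    if (n < 0) return 0;
    buf[n] = '\0';
    return strcmp(buf, msg) == 0;
}
```

Calling roundtrip() twice with the same path shows the difference the unlink() makes: without it, the second bind() would fail on the socket file the first call left behind.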