[Snort-devel] Snort with Unix domain socket

Fyodor fygrave at ...1...
Thu Jan 4 13:19:56 EST 2001


On Thu, Jan 04, 2001 at 12:21:54PM -0500, Jean-Philippe Grenier wrote:
> Well, will it be too overwhelming to have snort send the whole packet
> to the unix socket and then have a modified version of Guardian, 
> reading from the unix socket, parsing the alerts ?

I just checked the source, it actually does send the whole packet:

Yeah can be done if really needed. Forgive my ignorance, what is the 'Guardian' you're
referring to?

> I'm not sure if I understand it right, why would I have to parse out 
> the whole datagram again to print it ? I thought it already was in
> the Alertpkt.

You will get offsets of datalink header (ethernet or whatever), IP and
TCP/UDP/ICMP headers in packet, but to print IP packet you'll have to parse
it out again (fields, options etc).


-- 
http://www.notlsd.net
PGP fingerprint = 56DD 1511 DDDA 56D7 99C7  B288 5CE5 A713 0969 A4D1
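Fyodor's point above (the alert hands you header offsets, but the IP header itself still has to be parsed out, fields and options included) as an added example that is not part of this thread or of Snort's own code: a small Python parser that takes a raw frame plus Snort-style offsets and pulls the IPv4 fields, options and TCP ports back out. The offset names `dlthdr`/`nethdr`/`transhdr`/`data` are assumed to mirror the fields of Snort's unixsock `Alertpkt`; the Ethernet datalink length and the sample frame are constructed for the example.

```python
"""Parse an IPv4 packet out of a raw frame using Snort-style header offsets.

Added example, not Snort code. The offset names (dlthdr/nethdr/transhdr/data)
are an assumption about the unixsock Alertpkt layout; the frame is constructed.
"""
import socket
import struct

ETH_HLEN = 14  # assumption: Ethernet datalink (DLT_EN10MB)
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ICMP = 6, 17, 1


def ip_checksum(hdr: bytes) -> int:
    """RFC 791 ones'-complement checksum; returns 0 for a header with a valid checksum."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_frame() -> bytes:
    """Constructed sample: Ethernet + IPv4 (NOP,NOP,NOP,EOL options, IHL=6) + TCP SYN."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    options = b"\x01\x01\x01\x00"
    ihl = 5 + len(options) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    total_len = ihl * 4 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0x1234, 0x4000,
                     64, IPPROTO_TCP, 0, socket.inet_aton("10.0.0.1"),
                     socket.inet_aton("10.0.0.2")) + options
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]  # fill in checksum
    return eth + ip + tcp


def snort_style_offsets(frame: bytes) -> dict:
    """Mimic the offsets an alert carries: datalink at 0, IP after Ethernet,
    transport after the IP header (IHL), payload after the transport header."""
    nethdr = ETH_HLEN
    ihl = (frame[nethdr] & 0x0F) * 4
    transhdr = nethdr + ihl
    proto = frame[nethdr + 9]
    if proto == IPPROTO_TCP:
        data = transhdr + ((frame[transhdr + 12] >> 4) * 4)
    elif proto in (IPPROTO_UDP, IPPROTO_ICMP):
        data = transhdr + 8
    else:
        data = transhdr
    return {"dlthdr": 0, "nethdr": nethdr, "transhdr": transhdr, "data": data}


def parse_ip_options(raw: bytes) -> list:
    """Walk the option TLVs; reject lengths that run past the header."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:  # End of Option List
            opts.append(("EOL", b""))
            break
        if kind == 1:  # No Operation
            opts.append(("NOP", b""))
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed IP option at offset %d" % i)
        opts.append((kind, raw[i + 2:i + raw[i + 1]]))
        i += raw[i + 1]
    return opts


def parse_ip_header(frame: bytes, nethdr: int) -> dict:
    """Re-parse the IPv4 header at offset nethdr, the step the alert does not do for you."""
    fixed = frame[nethdr:nethdr + 20]
    if len(fixed) < 20:
        raise ValueError("truncated IP header")
    vhl, tos, tlen, ident, frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", fixed)
    version, ihl = vhl >> 4, (vhl & 0x0F) * 4
    if version != 4 or ihl < 20 or nethdr + ihl > len(frame):
        raise ValueError("bad version/IHL")
    hdr = frame[nethdr:nethdr + ihl]
    if ip_checksum(hdr) != 0:
        raise ValueError("bad IP checksum")
    return {
        "version": version, "ihl": ihl, "tos": tos, "len": tlen, "id": ident,
        "df": bool(frag & 0x4000), "mf": bool(frag & 0x2000), "frag_off": frag & 0x1FFF,
        "ttl": ttl, "proto": proto, "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "options": parse_ip_options(hdr[20:]),
    }


def parse_tcp_ports(frame: bytes, transhdr: int) -> tuple:
    """Source and destination port from the transport header offset."""
    if transhdr + 4 > len(frame):
        raise ValueError("truncated TCP header")
    return struct.unpack("!HH", frame[transhdr:transhdr + 4])


if __name__ == "__main__":
    frame = build_sample_frame()
    offs = snort_style_offsets(frame)
    print(offs)
    print(parse_ip_header(frame, offs["nethdr"]))
    print(parse_tcp_ports(frame, offs["transhdr"]))
```

Every length read from the packet (IHL, option lengths, TCP data offset) is bounds-checked against the frame before use, since a consumer of alert packets must treat the captured bytes as untrusted input.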