[Snort-devel] Snort with Unix domain socket
fygrave at ...1...
Thu Jan 4 13:19:56 EST 2001
On Thu, Jan 04, 2001 at 12:21:54PM -0500, Jean-Philippe Grenier wrote:
> Well, will it be too overwhelming to have snort send the whole packet
> to the unix socket and then have a modified version of Guardian,
> reading from the unix socket, parsing the alerts ?
I just checked the source, it actually does send the whole packet:
Yeah can be done if really needed. Forgive my ignorance, what is the 'Guardian' you're
> I'm not sure if I understand it right, why would I have to parse out
> the whole datagram again to print it ? I thought it already was in
> the Alertpkt.
You will get offsets of the datalink header (ethernet or whatever), IP and
TCP/UDP/ICMP headers in the packet, but to print the IP packet you'll have to parse
it out again (fields, options, etc.).
PGP fingerprint = 56DD 1511 DDDA 56D7 99C7 B288 5CE5 A713 0969 A4D1
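The re-parse described in the reply above, as an added example that is not code from the thread or from Snort: a reader for one record off the alert socket that takes the datalink/network/transport offsets and decodes the IPv4 header fields and options from the raw bytes again. The record layout, field sizes and the sample packet are assumptions constructed here to mirror the Alertpkt fields the thread names.

```python
import struct

# Assumed record layout (our own choice, modelled on the fields the thread
# calls Alertpkt, not copied from Snort): a 256-byte alert message, pcap-style
# ts_sec/ts_usec/caplen/len, then the offsets of the datalink, network and
# transport headers inside the raw packet bytes that follow the header.
HEAD = struct.Struct("<256sIIIIIII")  # msg, ts_sec, ts_usec, caplen, len, dlt, net, trans

def parse_ipv4(buf, off):
    """Re-parse the IPv4 header at offset off: the record only tells us where
    it starts, so fields and options must be decoded from the bytes again."""
    vihl, tos, total, ident, frag, ttl, proto, csum, src, dst = \
        struct.unpack_from("!BBHHHBBH4s4s", buf, off)
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (vihl & 0x0F) * 4
    if ihl < 20 or off + ihl > len(buf):
        raise ValueError("bad IHL")
    return {
        "ihl": ihl, "ttl": ttl, "proto": proto, "total_len": total,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "options": buf[off + 20:off + ihl],  # option bytes between fixed header and payload
    }

def parse_record(rec):
    """Decode one socket record; offsets are validated against the captured
    bytes before they are used, since the consumer cannot trust them blindly."""
    msg, ts_sec, ts_usec, caplen, length, dlt, net, trans = HEAD.unpack_from(rec, 0)
    pkt = rec[HEAD.size:HEAD.size + caplen]
    if not (dlt <= net < trans <= len(pkt)):
        raise ValueError("header offsets inconsistent with captured length")
    ip = parse_ipv4(pkt, net)
    if net + ip["ihl"] != trans:
        raise ValueError("transport offset disagrees with IHL")
    return {"msg": msg.split(b"\0", 1)[0].decode(), "ip": ip, "transport_off": trans}

# Constructed sample: Ethernet + IPv4 (IHL 6, i.e. a 4-byte option field) + UDP.
ETH = b"\x00" * 12 + b"\x08\x00"
IP_HDR = bytes([0x46, 0, 0, 32, 0, 0, 0x40, 0, 64, 17, 0, 0,
                10, 0, 0, 1, 10, 0, 0, 2]) + b"\x01\x01\x01\x00"  # NOP NOP NOP EOL
UDP = struct.pack("!HHHH", 53, 1024, 8, 0)
PKT = ETH + IP_HDR + UDP
SAMPLE = HEAD.pack(b"CONSTRUCTED alert", 0, 0, len(PKT), len(PKT), 0, 14, 14 + 24) + PKT

if __name__ == "__main__":
    print(parse_record(SAMPLE))
```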