[Snort-devel] Snort with Unix domain socket
jgrenier at ...177...
Thu Jan 4 14:22:46 EST 2001
For some reason I thought it was only sending the alert msg.
Guardian is a stand-alone Perl script which watches the output of
snort, and will add rules to IPChains on the fly as snort detects
and reports an attack. (www.whitehats.com/ids/guardian.tgz)
But then again, since Snort sends the packet in a structure, I
probably won't need Guardian. I only have to go through the packet
and find the source ip and block it with ipchains.
It will be much faster than having Guardian parse an alert log with
a perl regular expression.
Thanks, really appreciate the help.
From: Fyodor [mailto:fygrave at ...1...]
Sent: Thursday, January 04, 2001 1:20 PM
To: Jean-Philippe Grenier
Cc: 'Martin Roesch'; 'snort-devel at lists.sourceforge.net'
Subject: Re: [Snort-devel] Snort with Unix domain socket
On Thu, Jan 04, 2001 at 12:21:54PM -0500, Jean-Philippe Grenier wrote:
> Well, will it be too overhelming to have snort send the whole packet
> to the unix socket and then have a modified version of Guardian,
> reading from the unix socket, parsing the alerts ?
I just checked the source, it actually does send the whole packet:
Yeah can be done if really needed. Forgive my ignorance, what is the
> I'm not sure if I understand it right, why would I have to parse out
> the whole datagram again to print it ? I thought it already was in
> the Alertpkt.
You will get offsets of the datalink header (ethernet or whatever), IP and
TCP/UDP/ICMP headers in the packet. But to print the IP packet you'll have to parse
it out again (fields, options etc.).
PGP fingerprint = 56DD 1511 DDDA 56D7 99C7 B288 5CE5 A713 0969 A4D1
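The parsing step Fyodor describes above, as an added example (not code from the thread or from Snort itself): given the raw packet bytes and the IP header offset that the alert structure reports, it walks the IPv4 header, checks IHL and options against the buffer length, and pulls out the source address that the ipchains blocking idea needs. The Alertpkt layout is not reproduced; the sample packet and offset are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <arpa/inet.h>

struct ip_summary {
    char    src[INET_ADDRSTRLEN];   /* dotted source address */
    char    dst[INET_ADDRSTRLEN];   /* dotted destination address */
    uint8_t proto;                  /* transport protocol number */
    size_t  hdr_len;                /* IHL * 4, options included */
    size_t  opt_len;                /* bytes of options after the fixed 20 */
};

/* Parse the IPv4 header found at pkt[ip_off]. Returns 0 on success,
 * -1 if the header is truncated, not IPv4, or has a bogus IHL. */
int parse_ipv4(const uint8_t *pkt, size_t pkt_len, size_t ip_off,
               struct ip_summary *out)
{
    if (ip_off + 20 > pkt_len) return -1;            /* fixed header must fit */
    const uint8_t *ip = pkt + ip_off;
    if ((ip[0] >> 4) != 4) return -1;                /* version must be 4 */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20 || ip_off + ihl > pkt_len) return -1; /* bad IHL or cut options */
    uint16_t total = (uint16_t)((ip[2] << 8) | ip[3]);
    if (total < ihl) return -1;                      /* total length < header */
    out->proto   = ip[9];
    out->hdr_len = ihl;
    out->opt_len = ihl - 20;
    if (!inet_ntop(AF_INET, ip + 12, out->src, sizeof out->src)) return -1;
    if (!inet_ntop(AF_INET, ip + 16, out->dst, sizeof out->dst)) return -1;
    return 0;
}

/* Constructed sample: 14-byte Ethernet header, then an IPv4 header with
 * IHL=6 (24 bytes, 4 bytes of NOP/EOL options), 10.1.2.3 -> 192.168.0.9,
 * protocol 6 (TCP), no payload. Checksum is left zero on purpose. */
static const uint8_t sample_pkt[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x46, 0x00, 0x00,0x18, 0x00,0x00, 0x40,0x00, 0x40, 0x06, 0x00,0x00,
    10,1,2,3,  192,168,0,9,
    0x01,0x01,0x01,0x00
};
#define SAMPLE_IP_OFFSET 14   /* what the alert's IP header offset would say */
```

Automatically blocking whatever source address an alert carries lets a spoofed-source packet get a third party blocked, so any such hook should honour an allowlist and expire its rules.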