[Snort-devel] Snort with Unix domain socket

Jean-Philippe Grenier jgrenier at ...177...
Thu Jan 4 14:22:46 EST 2001

For some reason I thought it was only sending the alert msg. 

Guardian is a stand-alone Perl script which watches the output of
snort, and will add rules to IPChains on the fly as snort detects
and reports an attack. (www.whitehats.com/ids/guardian.tgz)

But then again, since Snort sends the packet in a structure, I
probably won't need Guardian. I only have to go through the packet
and find the source IP and block it with ipchains.

It will be much faster than having Guardian parse an alert log with
a Perl regular expression.

Thanks, really appreciate the help.


-----Original Message-----
From: Fyodor [mailto:fygrave at ...1...]
Sent: Thursday, January 04, 2001 1:20 PM
To: Jean-Philippe Grenier
Cc: 'Martin Roesch'; 'snort-devel at lists.sourceforge.net'
Subject: Re: [Snort-devel] Snort with Unix domain socket

On Thu, Jan 04, 2001 at 12:21:54PM -0500, Jean-Philippe Grenier wrote:
> Well, will it be too overwhelming to have snort send the whole packet
> to the unix socket and then have a modified version of Guardian, 
> reading from the unix socket, parsing the alerts ?

I just checked the source, it actually does send the whole packet:

Yeah, it can be done if really needed. Forgive my ignorance, what is the
'Guardian' you're referring to?

> I'm not sure if I understand it right, why would I have to parse out 
> the whole datagram again to print it ? I thought it already was in
> the Alertpkt.

You will get offsets of the datalink header (ethernet or whatever), IP and
TCP/UDP/ICMP headers in the packet, but to print the IP packet you'll have to
parse it out again (fields, options etc).

PGP fingerprint = 56DD 1511 DDDA 56D7 99C7  B288 5CE5 A713 0969 A4D1
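As an added example (not code from this thread, from Guardian, or from Snort itself), here is the shape of the Guardian replacement Jean-Philippe describes: read the Alertpkt datagram Snort's unixsock output writes, use the nethdr offset Fyodor mentions to find the IP header, re-parse that header from raw bytes, and build the ipchains rule. The Alertpkt layout, the stand-in for struct pcap_pkthdr, the socket path /dev/snort_alert and the sample frame are all assumptions made for this example; the struct must match the snort binary you build against, so check it against its spo_alert_unixsock.h before relying on it.

```c
/* Added example: consume Snort's unix-socket alert datagram, pull the
 * source address out of the raw packet via the header offsets, and build
 * the ipchains command a Guardian replacement would run. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/un.h>
#include <unistd.h>

/* ASSUMPTION: mirrors the Alertpkt layout of Snort 1.x spo_alert_unixsock.h.
 * Field order and sizes must match the snort that writes the socket. */
#define ALERTMSG_LENGTH 256
#define SNAPLEN         1514
#define NOPACKET_STRUCT 0x1   /* val bit: no decoded packet present */
#define NO_TRANSHDR     0x2   /* val bit: transhdr offset not valid  */

struct snort_pkthdr {         /* stand-in for struct pcap_pkthdr */
    struct timeval ts;
    uint32_t caplen, len;
};

typedef struct _Alertpkt {
    uint8_t  alertmsg[ALERTMSG_LENGTH];
    struct snort_pkthdr pkth;
    uint32_t dlthdr;   /* offset of datalink header in pkt[] */
    uint32_t nethdr;   /* offset of IP header */
    uint32_t transhdr; /* offset of TCP/UDP/ICMP header */
    uint32_t data;     /* offset of payload */
    uint32_t val;      /* NOPACKET_STRUCT / NO_TRANSHDR flags */
    uint8_t  pkt[SNAPLEN];
} Alertpkt;

/* Extract the IPv4 source address. Only the offset is taken from the
 * struct; the header itself is re-parsed from bytes and bounds-checked
 * against caplen. Returns 1 and fills src on success, 0 otherwise. */
int alertpkt_src_ip(const Alertpkt *a, char *src, size_t srclen)
{
    if (a->val & NOPACKET_STRUCT)
        return 0;
    uint32_t caplen = a->pkth.caplen;
    if (caplen > SNAPLEN || a->nethdr > caplen || caplen - a->nethdr < 20)
        return 0;
    const uint8_t *ip = a->pkt + a->nethdr;
    if ((ip[0] >> 4) != 4 || (ip[0] & 0x0f) < 5)   /* IPv4, IHL >= 5 */
        return 0;
    struct in_addr sa;
    memcpy(&sa, ip + 12, 4);                      /* bytes 12..15: source */
    return inet_ntop(AF_INET, &sa, src, srclen) != NULL;
}

/* Build the ipchains rule. inet_ntop yields a dotted quad only, so no
 * attacker-controlled bytes from the packet reach a shell. */
int block_cmd(const Alertpkt *a, char *cmd, size_t cmdlen)
{
    char src[INET_ADDRSTRLEN];
    if (!alertpkt_src_ip(a, src, sizeof src))
        return 0;
    return snprintf(cmd, cmdlen, "ipchains -I input -s %s -j DENY", src) > 0;
}

/* Constructed sample datagram (not captured traffic): Ethernet + minimal
 * IPv4/TCP SYN from 10.0.0.5 to 192.168.1.10:80. */
void sample_alert(Alertpkt *a)
{
    static const uint8_t frame[] = {
        0,1,2,3,4,5, 6,7,8,9,10,11, 0x08,0x00,                 /* Ethernet */
        0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,
        10,0,0,5, 192,168,1,10,                                /* IPv4     */
        0x04,0xd2,0x00,0x50, 0,0,0,0, 0,0,0,0, 0x50,0x02,0x20,0x00, 0,0,0,0
    };
    memset(a, 0, sizeof *a);
    strcpy((char *)a->alertmsg, "constructed test alert");
    memcpy(a->pkt, frame, sizeof frame);
    a->pkth.caplen = a->pkth.len = sizeof frame;
    a->dlthdr = 0; a->nethdr = 14; a->transhdr = 34; a->data = 54; a->val = 0;
}

/* Bind the path "output alert_unixsock" writes to and act on each alert.
 * ASSUMPTION: /dev/snort_alert is the default path; replace the printf
 * with system(cmd) once the rule set has been reviewed. */
int run(const char *path)
{
    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    struct sockaddr_un sun; memset(&sun, 0, sizeof sun);
    sun.sun_family = AF_UNIX;
    strncpy(sun.sun_path, path, sizeof sun.sun_path - 1);
    unlink(path);
    if (fd < 0 || bind(fd, (struct sockaddr *)&sun, sizeof sun) < 0)
        return -1;
    for (;;) {
        Alertpkt a; char cmd[128];
        ssize_t n = recv(fd, &a, sizeof a, 0);
        if (n < (ssize_t)offsetof(Alertpkt, pkt)) continue;   /* runt datagram */
        if (block_cmd(&a, cmd, sizeof cmd))
            printf("%.*s -> %s\n", ALERTMSG_LENGTH, a.alertmsg, cmd);
    }
}

int main(int argc, char **argv)
{
    if (argc > 1) return run(argv[1]);
    Alertpkt a; char cmd[128]; sample_alert(&a);
    if (block_cmd(&a, cmd, sizeof cmd)) puts(cmd);
    return 0;
}
```

Two caveats before wiring this to system(): a datagram whose val has NOPACKET_STRUCT set, or whose nethdr does not leave 20 bytes inside caplen, carries nothing safe to block on, which is why both are rejected above; and auto-blocking on a source address lets anyone who can spoof packets past the sensor get your own routers or DNS servers denied, so keep a never-block list of those addresses alongside the rule.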