[Snort-devel] [ snort-Bugs-481922 ] Request - unified output over sockets

noreply at ...12... noreply at ...12...
Fri Nov 16 16:53:02 EST 2001


Bugs item #481922, was opened at 2001-11-14 17:06
You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=103357&aid=481922&group_id=3357

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Nobody/Anonymous (nobody)
Summary: Request - unified output over sockets

Initial Comment:
I'm trying to write an application that reads the snort
unified output formats and does things with that output.

First, it would be nice if you could get snort to log
to a file that is NOT named based on date. This way the
same file could be used consistantly.

If snort did log to the same file even after being
stopped and started, it would need to know not to
prepend the file with header. It would also need to
either check the last event ID and continue
incrementing from there; otherwise, consistancy would
be lost between event ID and reference.

This sounds like a fair bit of work.

A better solution (at least in my opinion) would be to
have the unified output module (as an option) dump to
two TCP sockets (one log stream and one alert stream).
This would permit receivers of the stream to know when
snort has been stopped and started (as the connection
would be closed), allowing them to keep track of
'sessions' so that consistancy between eventID and
eventReference could be maintained. Also, such a
solution would allow remote monitoring of a snort
sensor. This would probably not be too large a project
in terms of effort for someone familiar with the snort
source. It could probably be done simply by adding a
new output module which is an almost exact copy of the
unified output module, except that it opens sockets
instead of files. You could probably even just add such
an option to the current unified output module without
too much grief. I would attempt to make the changes,
but I have only a VERY limited experience with C, and
not nearly enough familiarity with the snort source to
add such a feature within a month or so. If no one is
particularily interested, or if it seems unlikely that
this would be implemented soon, please speak up, and
I'll see if I can get my act togeather and get someone
to help me out in writing such support.

What do you think? Thanks a lot, by the way :)

----------------------------------------------------------------------

You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=103357&aid=481922&group_id=3357




More information about the Snort-devel mailing list